[systemd-devel] InaccessibleDirectories and non-existing dirs

Reindl Harald h.reindl at thelounge.net
Wed Jan 30 08:02:24 PST 2013



Am 30.01.2013 16:51, schrieb Colin Guthrie:
> 'Twas brillig, and Reindl Harald at 30/01/13 15:34 did gyre and gimble:
>> systemd-197-1.fc18.2.x86_64
>>
>> i try to make a generic list with folders which are never
>> supposed to be access from httpd - but if you list here
>> a non-existing directory httpd.service fails completly
>> to start - as i can undersatnd this technically would
>> it be not better to check if a dir exists and if not
>> ignore the line silently?
> 
> Well I guess a problem with that approach would be if the folder doesn't
> exist when the service starts but is then created after.

that is right - but AFAIk we have two choices

* crash the service at start if a listed folder disappeared
* do not protect a folder if it does not exist at startup and is created later

in the second case: well, it is not perfect but i doubt that perfect is
possible in this context and not refuse starting httpd for me would
be more perfect

> An administrator would be forgiven for expecting the service not to be
> able to access this folder when reading the service, but AFAIUI, this
> would actually not be the case.
> 
> I could be wrong of course and even if not it's maybe still acceptable
> behaviour

i would propose here "InaccessibleDirectories=-/data/backups"
the same way as for EnvFiles, this even works in context not failing
to start the service BUT if the folder exists it's not locked

HTTP 403:
InaccessibleDirectories=/Volumes/dune/www-servers

HTTP 200:
InaccessibleDirectories=-/Volumes/dune/www-servers

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20130130/054edd93/attachment.pgp>


More information about the systemd-devel mailing list