[systemd-devel] Trusting systemd vs. trusting daemons

Aaron Faanes dafrito at gmail.com
Thu May 16 23:39:51 PDT 2013


Hello!

First of all, I love systemd. It's a great tool to use and it's been a
pleasure to work with.

Anyway, I was writing up a socket-activated systemd service for a
public read-only rsync server. When the rsync daemon serves a share,
it chroots into the share's directory by default. Of course, the
chroot requires rsync to run as root.

On the other hand, systemd provides its own capability to chroot
rsync, which would allow me to run rsync as non-root. I could also use
ReadOnlyDirectories to provide further assurance that no nonsense
could occur from the daemon.

So my question, simply, is this: Should I prefer running a process as
root knowing that it chroots itself, or should I run it as non-root
and chroot it via systemd?

While I'm at it, one thing I'd like to do is construct a whitelist like this:

InaccessibleDirectories=/
ReadOnlyDirectories=<stuff I'm serving>

Is this possible?

Honest disclaimer: Due to the relatively benign nature of this
scenario and the ubiquity of rsync, my assumption is that I'm
generally safe with either option. I also acknowledge that chroot() is
not a panacea; I would run this service using systemd-nspawn if I
wanted to maximize security at the cost of simplicity. In other words,
I apologize that this question is a bit academic. :)

Thanks in advance,
-- Aaron

--
Aaron Faanes <dafrito at gmail.com>
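For the second option in the post (non-root rsync confined by systemd rather than by its own chroot), here is an added example of what the unit files and rsync config could look like; it is not from the original mail or from the systemd project, and the share path /srv/rsync/public, the config file name and the existence of an unprivileged "rsync" user are assumptions. Because a per-connection instance started with Accept=yes reads the client socket on stdin, rsync runs in its inetd-style mode and needs no listening privileges of its own.

```ini
# /etc/systemd/system/rsyncd.socket  (assumed location)
[Unit]
Description=Public read-only rsync daemon (socket)

[Socket]
ListenStream=873
# One service instance per accepted connection, inetd style.
Accept=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/rsyncd@.service  (template instantiated per connection)
[Unit]
Description=Public read-only rsync daemon (per-connection instance)

[Service]
ExecStart=/usr/bin/rsync --daemon --config=/etc/rsyncd-public.conf
# The accepted connection is passed on stdin/stdout; rsync detects this.
StandardInput=socket
# Unprivileged account; it must have plain read permission on the share.
User=rsync
Group=rsync
NoNewPrivileges=yes
PrivateTmp=yes
# Whitelist-style confinement on the host filesystem: the share is visible
# read-only, and unrelated trees are hidden from the daemon entirely.
ReadOnlyDirectories=/srv/rsync
InaccessibleDirectories=/home /root /boot

# /etc/rsyncd-public.conf  (assumed name, referenced by ExecStart above)
# rsync cannot chroot() without root, so its own chroot is switched off and
# confinement comes from the unit's settings above.
use chroot = no
read only = yes
list = yes

[public]
    path = /srv/rsync/public
    comment = Public read-only share
```

RootDirectory= would give the systemd-side chroot the post asks about, but the rsync binary and its libraries then have to exist under that root, which is why this example keeps the daemon on the host filesystem and narrows its view with ReadOnlyDirectories= and InaccessibleDirectories= instead.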