[systemd-devel] Trusting systemd vs. trusting daemons
Cristian Rodríguez
crrodriguez at opensuse.org
Fri May 17 10:01:03 PDT 2013
On 17/05/13 02:39, Aaron Faanes wrote:
> So my question, simply, is this: Should I prefer running a process as
> root knowing that it chroots itself, or should I run it as non-root
> and chroot it via systemd?
Well, systemd enforces restrictions at the kernel level, while other
software usually does it with whitelists or PAM modules.
>
> While I'm at it, one thing I'd like to do is construct a whitelist like this:
>
> InaccessibleDirectories=/
> ReadOnlyDirectories=<stuff I'm serving>
>
> Is this possible?
Yes, but you are doing it wrong.
InaccessibleDirectories=/
will usually not work; applications need to access more than what you think.
Generally you at least need access to the nscd socket, /dev/null,
/dev/urandom, /tmp, some files in /etc, /usr/lib64, etc.