[systemd-devel] PrivateNetwork for user sessions?

Mantas Mikulėnas grawity at gmail.com
Mon Aug 25 04:20:56 PDT 2014


On Mon, Aug 25, 2014 at 12:58 PM, Yarny <Yarny at public-files.de> wrote:
> I recently discovered the PrivateNetwork
> option in systemd.exec(5), and I was wondering:
>
> Is it also possible to restrict user sessions with this option?
>
> I'd like to prevent a certain user's group from
> accessing the network configuration of my machine
> (they should even be forbidden to see the IP address).
>
> To this end, I tried editing files like
> /etc/systemd/system/user@1234.service,
> but it didn't have any effect (openSUSE 13.1 with systemd 208).

At the moment, "user@.service" does not manage your session at all --
it merely runs various 'background' services that you might have added
(cronjobs, tmux, mpd...) The interactive sessions, meanwhile, are
launched directly (by /bin/login or GDM or sshd).

Even though GNOME seems to have plans to migrate the user session
startup to user@, it's not going to help much, as it won't affect
console logins, SSH logins, and so on.

Instead, you should check if someone has written a PAM 'session'
module which could do this. (There's one for mount namespaces.) If
not, one should be easy to write, and it'll protect *all* login
methods.

-- 
Mantas Mikulėnas <grawity at gmail.com>
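
A check for which of a user's processes still share the host network namespace, which shows whether a user@UID.service drop-in or a PAM session module actually reached the interactive logins. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes Linux /proc (run as root to inspect another user's processes).

```shell
#!/bin/sh
# Added example: find processes of a user that share a reference network
# namespace (by default, the namespace of the calling shell).

# Print the network-namespace identity of a PID, e.g. "net:[4026531992]".
# Returns non-zero if the process is gone or we may not inspect it.
netns_of() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# List "PID COMM" for every process owned by UID $1 whose network
# namespace equals that of reference PID $2 (default: this shell).
# Processes that cannot be inspected are skipped, so run this as root
# to get a complete picture of another user's processes.
procs_sharing_netns() {
    uid=$1
    ref=$(netns_of "${2:-$$}") || return 1
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        # /proc/<pid> is owned by the effective UID of the process.
        [ "$(stat -c %u "$dir" 2>/dev/null)" = "$uid" ] || continue
        ns=$(netns_of "$pid") || continue
        if [ "$ns" = "$ref" ]; then
            printf '%s %s\n' "$pid" "$(cat "$dir/comm" 2>/dev/null)"
        fi
    done
}

# Usage, as root from the host namespace (1234 is the UID from the thread):
#   procs_sharing_netns 1234
# Login shells started by /bin/login, GDM or sshd appearing in the output
# are not confined, whatever PrivateNetwork= says in user@1234.service.
```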

