[systemd-devel] PrivateDevices=true blocks use of ttys?
lennart at poettering.net
Fri Dec 26 15:41:53 PST 2014
On Sat, 27.12.14 01:38, Ivan Shapovalov (intelfx100 at gmail.com) wrote:
> On Friday 26 December 2014 at 13:37:58, Alison Chaiken wrote:
> > On Fedora 21, I created a unit file in which I included
> > 'PrivateDevices=true'. When I attempt to start the unit from the text
> > console, the unit fails, and 'systemctl status -l' reports:
> > startx: (EE) xf86OpenConsole: Cannot open /dev/tty0 (No such file or
> > directory)
> > When I take 'PrivateDevices=true' out of the unit file, it works fine.
> > The man page for systemd.exec reads
> > PrivateDevices=
> > Takes a boolean argument. If true, sets up a new /dev namespace for the
> > executed processes and only adds API pseudo devices such as /dev/null,
> > /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but
> > no physical devices such as /dev/sda.
> > Isn't /dev/tty0 a pseudo TTY? Shouldn't a service that has
> > 'PrivateDevices=true' be able to access /dev/tty0? I'm willing to
> > investigate further to see if there's a bug, but want to make sure that I
> > understand the expected behavior first.
> The TTY may be a pseudo-device, but to the kernel it's still a
> device, and it
/dev/tty0 is not a pseudo tty by the definition of "pseudo tty" on
Unix. It is an alias for the current VT, but "alias" and "pseudo" are
two different things...
> has its own dynamically created device node in /dev. So, if the unit has
> `PrivateDevices=true`, it basically gets its own /dev with only a few files
> inside, and ttys aren't among these files.
> At least, that's how I understand it. Maybe you can do an mknod from ExecStartPre=,
> if you know the major:minor (4:0 for /dev/tty0) beforehand?
This will not work. Please have a look at the documentation in
systemd.exec(5). PrivateDevices= also removes CAP_MKNOD from your
process and sets DevicePolicy=closed. This means mknod privileges are
explicitly taken away from you.
Lennart Poettering, Red Hat
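
Added example, not part of the original message or of systemd: a diagnostic that can be run inside the unit (for instance from ExecStartPre=) to confirm the two effects described above, that the named device nodes are absent from the private /dev and that CAP_MKNOD is no longer in the capability bounding set. The script name and function names are hypothetical; CAP_MKNOD is bit 27 per <linux/capability.h>.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Hypothetical usage:
#   sandbox-report.sh /dev/tty0 /dev/null
# Constructed sample masks: 0000003fffffffff (bit 27 set),
#                           0000003ff7ffffff (bit 27 clear).

CAP_MKNOD_BIT=27   # CAP_MKNOD as numbered in <linux/capability.h>

# cap_field NAME FILE: print the hex mask of a Cap* line
# from a /proc/PID/status style file.
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "$2"
}

# has_cap HEXMASK BIT: succeed if BIT is set in the capability mask.
has_cap() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sandbox_report STATUS_FILE DEVICE...: print one line per finding;
# return 1 if any listed device node is missing.
sandbox_report() {
    status=$1; shift
    missing=0
    bnd=$(cap_field CapBnd "$status")
    if has_cap "$bnd" "$CAP_MKNOD_BIT"; then
        echo "CAP_MKNOD: in bounding set ($bnd)"
    else
        echo "CAP_MKNOD: dropped ($bnd), mknod of device nodes will fail"
    fi
    for dev in "$@"; do
        if [ -c "$dev" ] || [ -b "$dev" ]; then
            echo "$dev: present"
        else
            echo "$dev: missing from this /dev"
            missing=1
        fi
    done
    return "$missing"
}

# Run against the current process only when device paths are given.
if [ "$#" -gt 0 ]; then
    sandbox_report /proc/self/status "$@"
fi
```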