[systemd-devel] Users and system namespaces
Lennart Poettering
lennart at poettering.net
Fri Jan 24 02:07:18 PST 2014
On Thu, 23.01.14 13:54, Ben Boeckel (mathstuf at gmail.com) wrote:
> Hi,
>
> As I mused on LWN[1] recently, I was wondering whether it was possible
> to have user units be able to hook into namespaces (namely the
> PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other
> namespacing options are added in the future).
What do you mean by "user units"? Those run off an unprivileged "systemd
--user" instance? Or those run off PID 1 but with User= set?
Note that the whole namespacing thing is only available from systemd
instances that themselves are privileged, i.e. only from PID 1...
> - ability for a system service to expose what namespace it just
> created (to avoid the set-environment hackery above);
> - a directive to list users and groups allowed to enter into
> namespaces created in a unit (something like
> "ExposeNamespaceToUsers=group:vpn,wheel" maybe?); and
> - a way for a systemd --user to get namespace file descriptors from
> PID 1.
The privileges thing is quite limiting. Joining namespaces from
unprivileged code is hard... You need some kind of setuid binary
transition there, but I wouldn't see how you would make that
happen... And the complexity gives me headaches...
Lennart
--
Lennart Poettering, Red Hat
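As an added illustration that is not part of the thread: of the two kinds of "user unit" Lennart distinguishes, only the second kind, a system unit started by PID 1 with User= set, can use PrivateTmp= and PrivateNetwork=, because PID 1 sets up the namespaces with its own privileges before the service drops to the unprivileged account. The unit name, binary path and account below are assumptions.

```ini
# Added example, not from the thread. A system unit installed under
# /etc/systemd/system/ and started by PID 1 (the privileged instance).
# PID 1 creates the private /tmp and network namespaces, then switches
# to the User=/Group= account for ExecStart=. The same two directives
# in a unit run by an unprivileged "systemd --user" instance have no
# privileged process available to do that work.
[Unit]
Description=Example sandboxed daemon (hypothetical)

[Service]
# Hypothetical binary and account names.
ExecStart=/usr/local/bin/example-daemon
User=example
Group=example
# Namespacing directives from systemd.exec(5); honoured here because the
# executing systemd instance is PID 1.
PrivateTmp=yes
PrivateNetwork=yes

[Install]
WantedBy=multi-user.target
```

The practical consequence for a defender is the one the reply states: sandboxing a per-user service with these directives means running it as a system unit with User= rather than from the user's own systemd --user instance, since the latter has no privileged helper to create or join namespaces on its behalf.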