[systemd-devel] Users and system namespaces
Ben Boeckel
mathstuf at gmail.com
Fri Jan 24 08:27:27 PST 2014
On Fri, Jan 24, 2014 at 11:07:18 +0100, Lennart Poettering wrote:
> On Thu, 23.01.14 13:54, Ben Boeckel (mathstuf at gmail.com) wrote:
> > As I mused on LWN[1] recently, I was wondering whether it was possible
> > to have user units be able to hook into namespaces (namely the
> > PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other
> > namespacing options are added in the future).
>
> What do you mean by "user units"? Those run off an unprivileged "systemd
> --user" instance? Or those run off PID 1 but with User= set?
systemd --user. Would it be possible to use User= to do this though from
a system service?
> Note that the whole namespacing thing is only available from systemd
> instances that themselves are privileged, i.e. only from PID 1...
Hrm, true.
> The privileges thing is quite limiting. Joining namespaces from
> unprivileged code is hard... You need some kind of setuid binary
> transition there, but I wouldn't see how you would make that
> happen...
Probably some systemd-setns helper or whatever to shim in before the
exec.
> And the complexity gives me headaches...
Agreed, but I was thinking that it'd be simpler to leverage systemd here
than start up a container and make it "seamless" to the user session.
Maybe there's a better approach available?
--Ben
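An added example, not from this thread and not systemd code, of the kind of "systemd-setns" shim Ben sketches: open /proc/<pid>/ns/<name>, setns(2) into it, drop the identity that made that possible, then exec the real program. The helper name, its command-line syntax and the ns_flag_from_name()/join_namespace()/drop_to_real_user() functions are all assumptions made here for illustration. It shows the privilege wall Lennart describes: setns(2) needs CAP_SYS_ADMIN in the user namespace that owns the target namespace, so run unprivileged the join fails with EPERM, and run as root or setuid root it succeeds. Deliberately absent is any policy on which process's namespaces a given caller may enter; a real setuid helper must enforce one, which is where the complexity comes from.

```c
/* setns-exec: join namespaces of <pid>, drop privileges, exec.
 * Illustrative helper written for this page; not part of systemd.
 *
 *   setns-exec <pid> <ns>[,<ns>...] <cmd> [args...]
 *   e.g. setns-exec 4242 net,mnt /bin/sh
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Map a /proc/<pid>/ns/ entry name to its CLONE_* flag; 0 for unknown names. */
int ns_flag_from_name(const char *name) {
    if (strcmp(name, "net") == 0) return CLONE_NEWNET;
    if (strcmp(name, "mnt") == 0) return CLONE_NEWNS;
    if (strcmp(name, "ipc") == 0) return CLONE_NEWIPC;
    if (strcmp(name, "uts") == 0) return CLONE_NEWUTS;
    if (strcmp(name, "pid") == 0) return CLONE_NEWPID;
    return 0;
}

/* Join one namespace of <pid>. Returns 0 on success, -errno on failure
 * (-EPERM is what an unprivileged caller gets from setns). */
int join_namespace(pid_t pid, const char *name) {
    int flag = ns_flag_from_name(name);
    if (flag == 0) return -EINVAL;

    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;

    /* Passing the flag instead of 0 makes the kernel verify that the fd is a
     * namespace of the requested type, so a caller who points us at ns/mnt
     * while asking for "net" gets EINVAL rather than a silent mount-ns join. */
    int rc = setns(fd, flag);
    int saved = errno;
    close(fd);
    return rc < 0 ? -saved : 0;
}

/* A setuid helper keeps the joined namespaces but must not keep root.
 * Returns 0 when the process is irrevocably back at the real uid/gid. */
int drop_to_real_user(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Unprivileged callers cannot clear supplementary groups; that is fine. */
    if (setgroups(0, NULL) < 0 && errno != EPERM) return -errno;
    if (setresgid(rgid, rgid, rgid) < 0) return -errno;
    if (setresuid(ruid, ruid, ruid) < 0) return -errno;

    /* Sanity check: if a non-root caller can still become root, refuse to exec. */
    if (ruid != 0 && setuid(0) == 0) return -EPERM;
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 4) {
        fprintf(stderr, "usage: %s <pid> <ns,...> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    pid_t pid = (pid_t)strtol(argv[1], NULL, 10);

    /* Join every requested namespace before touching our identity. */
    for (char *name = strtok(argv[2], ","); name; name = strtok(NULL, ",")) {
        int rc = join_namespace(pid, name);
        if (rc < 0) {
            fprintf(stderr, "setns %s of pid %ld: %s\n", name, (long)pid, strerror(-rc));
            return 1;
        }
    }

    int rc = drop_to_real_user();
    if (rc < 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(-rc));
        return 1;
    }

    execvp(argv[3], argv + 3);
    perror("execvp");
    return 127;
}
```

Joining is done before the privilege drop, and the drop happens before exec, so the child runs in the target namespaces as the invoking user. Joining a mount namespace with setns is refused if the process shares filesystem state with another thread, so keep such a helper single-threaded.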