[systemd-devel] SocketUser and SocketGroup?

Dave Reisner d at falconindy.com
Sat Jan 25 13:05:06 PST 2014


On Sat, Jan 25, 2014 at 12:58:55PM -0800, Josh Triplett wrote:
> Some daemons provide an access-controlled service via UNIX domain
> sockets that have a specified user or group, and a mode like 0660.  For
> instance, clamd does this.  systemd .socket units don't support setting
> the user or group; systemd always creates sockets as root:root.  This
> prevents replacing the socket setup code in such daemons with socket
> activation, or requires workarounds such as shelling out to chown.
> 
> Commit aea54018a5e66a41318afb6c6be745b6aef48d9e
> (http://cgit.freedesktop.org/systemd/systemd/commit/?id=aea54018a5e66a41318afb6c6be745b6aef48d9e)
> added support for SocketUser and SocketGroup options, to set the
> user and group for a UNIX domain socket or FIFO.  However, commit
> e4f44e734c4f397ee5e7ba3270e014a8ae0043dd
> (http://cgit.freedesktop.org/systemd/systemd/commit/?id=e4f44e734c4f397ee5e7ba3270e014a8ae0043dd)
> shortly afterward reverted that, removing the new options.
> 
> Is this due to the issues with touching NSS from PID 1?

Yep.

> What might it take to add those options back?

There was a recent discussion about joining namespaces from PID 1 which
brought up the idea of forking off a small process from PID 1 to do that
job instead. The same sort of logic would allow doing NSS calls from PID 1.

d
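As an added example, not code from this thread or from systemd: a daemon being moved to socket activation can at least detect the problem Josh describes by inspecting the fd systemd hands over, verifying that it is a filesystem-backed AF_UNIX socket owned by the expected user and group with a mode no looser than 0660, and refusing to serve otherwise. It assumes Linux, Python 3.9+, and the LISTEN_PID/LISTEN_FDS activation protocol; the function names are mine.

```python
import os
import socket
import stat

SD_LISTEN_FDS_START = 3  # first fd systemd hands to a socket-activated service


def activated_fds() -> list[int]:
    """Return the fds passed by systemd socket activation (LISTEN_PID/LISTEN_FDS)."""
    if os.environ.get("LISTEN_PID") != str(os.getpid()):
        return []  # not activated, or the variables were meant for another process
    count = int(os.environ.get("LISTEN_FDS", "0"))
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def check_unix_socket_perms(fd: int, expected_uid: int, expected_gid: int,
                            expected_mode: int = 0o660) -> list[str]:
    """List the ways the on-disk owner/group/mode of a bound AF_UNIX socket
    differ from what the daemon's access control assumes. Empty list == OK."""
    if not stat.S_ISSOCK(os.fstat(fd).st_mode):
        return [f"fd {fd} is not a socket"]
    sock = socket.socket(fileno=fd)  # wraps without dup; detach keeps fd open
    try:
        if sock.family != socket.AF_UNIX:
            return [f"fd {fd} is not an AF_UNIX socket"]
        path = sock.getsockname()
    finally:
        sock.detach()
    # Abstract (bytes, NUL-prefixed) or unnamed sockets have no inode, so
    # filesystem permissions cannot gate access to them at all.
    if isinstance(path, bytes) or not path or path.startswith("\0"):
        return ["socket has no filesystem path: owner/mode do not apply"]
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"{path}: group gid {st.st_gid}, expected {expected_gid}")
    extra = stat.S_IMODE(st.st_mode) & ~expected_mode  # bits beyond the policy
    if extra:
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants "
                        f"{extra:04o} beyond {expected_mode:04o}")
    return problems


def verify_activated_sockets(expected_uid: int, expected_gid: int) -> dict[int, list[str]]:
    """Check every activated fd; a daemon should refuse to serve if any list is non-empty."""
    return {fd: check_unix_socket_perms(fd, expected_uid, expected_gid)
            for fd in activated_fds()}
```

Current systemd.socket(5) documents SocketUser= and SocketGroup= next to SocketMode=, so the same check also catches a unit file that forgot to set them.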