[systemd-devel] Behavior regarding ReadWriteDirectories= and others
Jan Janssen
medhefgo at web.de
Sun Jun 15 00:52:33 PDT 2014
Hi,
while booting this morning I noticed that a service I wrote which had a
very paranoid

    PrivateTmp=yes
    ReadOnlyDirectories=/
    ReadWriteDirectories=/var/cache/something

which used to work quite nicely was failing to start. It seems that ever
since the recent changes with the addition of ProtectSystem=, this
particular service doesn't get access to its /tmp (or /var/tmp) because
ReadOnlyDirectories is applied recursively. Even adding /tmp to the
ReadWriteDirectories will not fix this.
I do know about ProtectSystem and ProtectHome, but I would argue that
for a service that can handle it, a more paranoid setting like the above
would be superior and should be available and supported. Is this
intentionally not supported (any more)?
Jan
A simple service to test this:

    [Unit]
    Description=Testing access

    [Service]
    ExecStart=/usr/bin/touch /tmp/access-test
    PrivateTmp=true
    ReadOnlyDirectories=/
    # will not help here
    ReadWriteDirectories=/tmp
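
The combination reported in the message above can be found across a set of unit files with a small checker. This is an added example, not part of the original message or of systemd; the function names and the sample unit text are assumptions made here, and it only detects the combination, it does not tell whether a given systemd version fails on it.

```python
# Added example (not from the original message): flag the reported combination.
import posixpath

TRUE = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts

def parse_service(text):
    """Return (PrivateTmp enabled?, ReadOnlyDirectories= paths) from [Service]."""
    section, private_tmp, read_only = None, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or full-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PrivateTmp":
            private_tmp = value.lower() in TRUE
        elif key == "ReadOnlyDirectories":
            if not value:                        # empty assignment resets the list
                read_only = []
            # a leading "-" marks a path that may be missing; drop it for matching
            read_only += [posixpath.normpath(p.lstrip("-")) for p in value.split()]
    return private_tmp, read_only

def covers(parent, path):
    """True if path is parent itself or lies below it."""
    return parent == "/" or path == parent or path.startswith(parent + "/")

def shadowed_private_tmp(text):
    """Private tmp directories that sit under a ReadOnlyDirectories= entry.
    ReadWriteDirectories= is not consulted: the message reports that listing
    /tmp there does not help."""
    private_tmp, read_only = parse_service(text)
    if not private_tmp:
        return []
    return [t for t in ("/tmp", "/var/tmp") if any(covers(r, t) for r in read_only)]

# Constructed sample: the test unit from the message, comment on its own line.
SAMPLE = """\
[Unit]
Description=Testing access
[Service]
ExecStart=/usr/bin/touch /tmp/access-test
PrivateTmp=true
ReadOnlyDirectories=/
# will not help here
ReadWriteDirectories=/tmp
"""

if __name__ == "__main__":
    print(shadowed_private_tmp(SAMPLE))
```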