[systemd-devel] [RFC 1/6] proxy-discoveryd: Basic core added
Tomasz Bursztyka
tomasz.bursztyka at linux.intel.com
Mon Apr 13 03:11:55 PDT 2015
Hi Zbigniew,
>> +
>> +[Service]
>> +Restart=on-failure
>> +ExecStart=@rootlibexecdir@/systemd-proxy-discoveryd
>> +StandardOutput=null
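Review bot: the quoted [Service] lines carry no User= setting, so the daemon starts as root by default, and StandardOutput=null discards whatever it prints, which makes the failures that Restart=on-failure reacts to harder to diagnose. Suggest adding a dedicated unprivileged User= together with NoNewPrivileges=yes, and leaving standard output connected to the journal unless there is a reason to silence it.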
> What privileges does this daemon require? I'd guess it can run as normal
> user at least... Since this is supposed to be executing untrusted javascript
> code, let's lock it down heavily from the start.
I agree. It only needs access to dbus and netlink, so nothing
specific to root.
And yes, for the JS engine itself there should be more to be done: all JS
context should be fully contained. PAC files can be anything, which sounds scary.
Tomasz
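
One way the lock-down discussed in this message could look in the unit file, as an added example that is not part of the patch or of either poster's message. The account name `systemd-proxy-discovery` is hypothetical, and the address-family list assumes the daemon needs only D-Bus and netlink, as stated above.

```ini
# Added example: hardened [Service] section for the unit quoted above.
[Service]
Restart=on-failure
ExecStart=@rootlibexecdir@/systemd-proxy-discoveryd
StandardOutput=null

# Run unprivileged: D-Bus and netlink access need nothing specific to root.
# Hypothetical account name; the user and group must exist on the system.
User=systemd-proxy-discovery
Group=systemd-proxy-discovery
NoNewPrivileges=yes
CapabilityBoundingSet=

# Read-only view of the OS, no home directories, private /tmp and /dev,
# so code escaping the JS engine finds little to read or modify.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# D-Bus uses AF_UNIX and netlink uses AF_NETLINK; all other socket
# families are refused. Assumption: the daemon does not fetch PAC files
# itself. If it does, AF_INET and AF_INET6 must be added here.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
```

These directives limit what the process can reach after a compromise; they do not replace containing each JS context inside the engine itself.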