[systemd-devel] grant users access to certain services only

Dominick Grift dac.override at gmail.com
Fri Aug 21 03:29:33 PDT 2015


On Fri, Aug 21, 2015 at 01:10:51PM +0300, Mantas Mikulėnas wrote:
<snip>

> >
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in. (It shows active mount units for
> > XDG_RUNTIME_DIR and since those have UID as name you can see who is
> > logged in.)
> >
> 
> Hmm, and `findmnt` doesn't?

Unpriv users do not have access to mount or findmount in my system, and
for example df -h does not list them because the user is not allowed to
get attributes of tmpfs file systems. So /run/user mounts do not show up
in df -h.

> 
> `systemd --user` runs with the same privileges as the user, anyway. So if
> your SELinux policy is more permissive to systemd than regular programs,
> it's a bit weird, not to mention possibly insecure.

From an SELinux policy perspective systemd-user has more permissions than
the user shell in my policy. However systemd-user will run whatever it
can run with the permissions of the user shell and not with its own
permissions.

So you cannot use systemd-user to escalate privileges (although that is
the design. I may have overlooked stuff as it is pretty complex to contain.)

I am pretty sure that some bright person can find some "holes" in my
policy, but it's far better than no SELinux at all and it's better than
Fedora's current SELinux policy for restricted users.

> 
> -- 
> Mantas Mikulėnas <grawity at gmail.com>

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift