[systemd-devel] grant users access to certain services only

Mantas Mikulėnas grawity at gmail.com
Fri Aug 21 03:50:31 PDT 2015


On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift <dac.override at gmail.com>
wrote:

> On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
>
> >
> > Do they have access to `cat /proc/self/mounts`?
>
> Ouch yes... OK, that is a dead end I suppose


Right. That was my point. Restricting individual commands like `mount` is
no good if you can't restrict the actual mechanism they all use…

Mount namespaces might help here, as long as you don't use udisks/udisks2
(which, aside from leaking the same information, wouldn't even function
correctly with per-user namespaces).

[Though I don't really understand the point of hiding logged-in UIDs at
all... Isn't hidepid=2 enough?]

-- 
Mantas Mikulėnas <grawity at gmail.com>
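
Added example (not part of the original message): a shell check that reads mount-table text directly, the way any process can read /proc/self/mounts without the `mount` binary, and lists the UIDs it exposes. It assumes the UIDs show up as per-user runtime mounts at /run/user/<uid>, which the message does not spell out; the sample mount table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which logged-in UIDs a mount table reveals.
# Assumption: per-user runtime dirs are mounted at /run/user/<uid>.

# Constructed sample in /proc/self/mounts format (not from a real host).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1000,gid=1000 0 0
/dev/sda1 /home ext4 rw,relatime 0 0
tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1001,gid=1001 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,user_id=1000,group_id=1000 0 0'

# leaked_uids: read mounts-format text on stdin and print each UID that
# appears as a /run/user/<uid> mount point (or below it), sorted and unique.
leaked_uids() {
    awk '{
        n = split($2, part, "/")
        # part[1] is empty because the path starts with a slash.
        if (n >= 4 && part[2] == "run" && part[3] == "user" && part[4] ~ /^[0-9]+$/)
            print part[4]
    }' | sort -n -u
}

# audit_mounts FILE: report what FILE exposes; returns 1 if any UID is visible.
audit_mounts() {
    uids=$(leaked_uids < "$1")
    if [ -n "$uids" ]; then
        echo "exposed UIDs: $(echo "$uids" | tr '\n' ' ')"
        return 1
    fi
    echo "no per-user mounts visible"
    return 0
}

# Sample run on the constructed table.
printf '%s\n' "$SAMPLE_MOUNTS" | leaked_uids
```

Running `audit_mounts /proc/self/mounts` from inside the restricted session shows what that session can still read, whatever the permissions on `mount` are.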