[systemd-devel] grant users access to certain services only

Dominick Grift dac.override at gmail.com
Fri Aug 21 03:56:40 PDT 2015


On Fri, Aug 21, 2015 at 01:50:31PM +0300, Mantas Mikulėnas wrote:
> On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift <dac.override at gmail.com>
> wrote:
> 
> > On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
> >
> > >
> > > Do they have access to `cat /proc/self/mounts`?
> >
> > Ouch yes... ok that is a dead end i suppose
> 
> 
> Right. That was my point. Restricting individual commands like `mount` is
> no good if you can't restrict the actual mechanism they all use…
> 
> Mount namespaces might help here, as long as you don't use udisks/udisks2
> (which, aside from leaking the same information, wouldn't even function
> correctly with per-user namespaces).
> 
> [Though I don't really understand the point of hiding logged-in UIDs at
> all... Isn't hidepid=2 enough?]

Yes i agree. it is pretty solid. I suppose i wanted to see how far i
could do. This is obviously a no-go

> 
> -- 
> Mantas Mikulėnas <grawity at gmail.com>

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150821/50727f8e/attachment.sig>


More information about the systemd-devel mailing list