[systemd-devel] Is ProtectHome=not working or am I doing something wrong?
Reindl Harald
h.reindl at thelounge.net
Sun Dec 20 09:40:49 PST 2015
Am 20.12.2015 um 17:33 schrieb Michael Biebl:
> I'm using systemd v228 and tried to lock down rsyslog a bit.
>
> For that I added
>
> # /etc/systemd/system/rsyslog.service.d/override.conf
> [Unit]
> ProtectSystem=yes
> ProtectHome=yes
> CapabilityBoundingSet=~CAP_SYS_ADMIN
>
> I thought ProtectHome=yes would deny rsyslog read access to /home, but
> it seems the rsyslogd process can read /home/michael/file1 without
> problems.
>
> Am I doing something wrong or is this a bug in systemd?
looks like a bug, "yes" should take it away and "read-only" is supposed
to just take away write-access, however the unit below should work
i prefer "ReadOnlyDirectories" and "InaccessibleDirectories" in general
_____________________________
[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target
mysqld.service mysqld-dbmail.service
[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1
CapabilityBoundingSet=CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user
[Install]
WantedBy=multi-user.target
Alias=syslog.service
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20151220/718651b2/attachment.sig>
More information about the systemd-devel
mailing list