[systemd-devel] Is ProtectHome=not working or am I doing something wrong?

Reindl Harald h.reindl at thelounge.net
Sun Dec 20 10:12:18 PST 2015



On 20.12.2015 at 19:06, Michael Biebl wrote:
> 2015-12-20 18:40 GMT+01:00 Reindl Harald <h.reindl at thelounge.net>:
>> InaccessibleDirectories=-/home
>
> Makes no difference here. Using InaccessibleDirectories, rsyslogd can
> still monitor and read the file in /home/michael

sounds like a *serious* regression
at least "systemd-222-10.fc23.x86_64" is not affected
__________________________________________

[root@srv-rhsoft:~]$ systemctl status rsyslog.service
● rsyslog.service - Syslog Service
    Loaded: loaded (/etc/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
    Active: activating (auto-restart) (Result: exit-code) since So 2015-12-20 19:11:12 CET; 3s ago
   Process: 17940 ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test (code=exited, status=1/FAILURE)
   Process: 17939 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=killed, signal=TERM)
  Main PID: 17939 (code=killed, signal=TERM)
__________________________________________

[root@srv-rhsoft:~]$ cat /etc/systemd/system/rsyslog.service
[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target mysqld.service mysqld-dbmail.service

[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
Alias=syslog.service
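
A static cross-check to pair with the ExecStartPost= probe in the unit above, as an added example (not part of the original message and not systemd code): it lists which directories a [Service] section asks systemd to hide and reports whether a given path falls under one of them. It assumes the semantics documented in systemd.exec(5) (optional "-" prefix, an empty assignment resets the list, ProtectHome= covers /home, /root and /run/user); the function names and SAMPLE_UNIT are constructed here.

```python
import posixpath

# Directive name used in the unit on this page, plus its later name.
HIDE = {"InaccessibleDirectories", "InaccessiblePaths"}
# Directories that ProtectHome=yes makes inaccessible (systemd.exec(5)).
HOME_DIRS = ["/home", "/root", "/run/user"]
TRUE = ("1", "yes", "y", "true", "t", "on")

# Constructed sample: a subset of the [Service] section shown above.
SAMPLE_UNIT = """\
[Service]
ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/root
"""

def hidden_paths(unit_text):
    """Return the directories the [Service] section asks systemd to hide."""
    section, hidden, protect_home = None, [], False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in HIDE:
            if not value:
                hidden = []               # empty assignment resets the list
            for item in value.split():    # several paths may share one line
                item = item[1:] if item.startswith("-") else item
                hidden.append(posixpath.normpath(item))
        elif key == "ProtectHome":
            protect_home = value.lower() in TRUE
    return hidden + (HOME_DIRS if protect_home else [])

def hidden_by(path, unit_text):
    """Return the configured directory that should hide path, or None."""
    path = posixpath.normpath(path)
    for directory in hidden_paths(unit_text):
        # Compare whole path components so /homework is not matched by /home.
        if path == directory or path.startswith(directory.rstrip("/") + "/"):
            return directory
    return None
```

This reports configuration intent only; whether the running service really cannot read the file is what the ExecStartPost= probe in the unit tests.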

