[systemd-devel] Mount options of /var/run/users/<pid>
Reindl Harald
h.reindl at thelounge.net
Sun Feb 15 04:36:17 PST 2015
On 15.02.2015 at 13:31, Павел Самсонов wrote:
> Good day, I see a new Debian jessie, and I mean, that /var/run/<pid>
> filesystems must be mounted with noexec options, so they have user write
> access. On some installations this is very important. Where may I configure
> this, or maybe you change your default mount options?
> Sorry for my English, best regards, Pavel, Russia
In case of services you should consider "ProtectSystem" and
"ProtectHome", which make "/run/user" completely inaccessible;
normally the service itself has no business mangling around there.
ProtectSystem=
Takes a boolean argument or "full". If true, mounts the /usr directory
read-only for processes invoked by this unit. If set to "full", the /etc
directory is mounted read-only, too. This setting ensures that any
modification of the vendor supplied operating system (and optionally its
configuration) is prohibited for the service. It is recommended to
enable this setting for all long-running services, unless they are
involved with system updates or need to modify the operating system in
other ways. Note however that processes retaining the CAP_SYS_ADMIN
capability can undo the effect of this setting. This setting is hence
particularly useful for daemons which have this capability removed, for
example with CapabilityBoundingSet=. Defaults to off.
ProtectHome=
Takes a boolean argument or "read-only". If true, the directories /home
and /run/user are made inaccessible and empty for processes invoked by
this unit. If set to "read-only", the two directories are made read-only
instead. It is recommended to enable this setting for all long-running
services (in particular network-facing ones), to ensure they cannot get
access to private user data, unless the services actually require access
to the user's private data. Note however that processes retaining the
CAP_SYS_ADMIN capability can undo the effect of this setting. This
setting is hence particularly useful for daemons which have this
capability removed, for example with CapabilityBoundingSet=. Defaults to
off.
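An added example (not code from the thread or from systemd) that audits both points raised here: whether /run/user/<uid> mounts carry noexec, and whether a unit sets ProtectSystem=, ProtectHome= and a CapabilityBoundingSet= that drops CAP_SYS_ADMIN, the caveat the quoted text gives for both options. It assumes the /proc/self/mounts line layout and a single CapabilityBoundingSet= line; the sample mounts table and unit files are constructed.

```shell
#!/bin/sh
# Added audit helpers for the two points in this thread; not code from the
# thread or from systemd. Both read plain text, so they run on
# /proc/self/mounts and a real unit file as well as on the constructed samples.

# List /run/user/<uid> mounts whose options lack $2 (default: noexec).
# Assumes /proc/self/mounts layout: "src target fstype opts dump pass".
# Returns 0 when every /run/user mount carries the option, 1 otherwise.
run_user_mounts_lack() {
    awk -v want="${2:-noexec}" '
        $2 ~ /^\/run\/user\/[0-9]+$/ {
            n = split($4, o, ","); hit = 0
            for (i = 1; i <= n; i++) if (o[i] == want) hit = 1
            if (!hit) { print $2 " lacks " want; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# List hardening gaps in a unit file's [Service] section, following the
# ProtectSystem=/ProtectHome= text quoted above and its caveat that a retained
# CAP_SYS_ADMIN undoes both. Assumes one CapabilityBoundingSet= line
# (a leading "~" turns it into a drop list). Returns 0 when no gap is found.
unit_hardening_gaps() {
    awk -F= '
        /^\[/ { sect = $0; next }
        sect != "[Service]" { next }
        $1 == "ProtectSystem"         { ps = tolower($2) }
        $1 == "ProtectHome"           { ph = tolower($2) }
        $1 == "CapabilityBoundingSet" { cbs = toupper($2) }
        END {
            if (ps !~ /^(yes|true|on|1|full)$/) { print "ProtectSystem=" ps; bad = 1 }
            if (ph !~ /^(yes|true|on|1)$/) { print "ProtectHome=" ph; bad = 1 }
            dropped = (cbs ~ /^~/) ? (cbs ~ /CAP_SYS_ADMIN/) : (cbs != "" && cbs !~ /CAP_SYS_ADMIN/)
            if (!dropped) { print "CAP_SYS_ADMIN retained"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Constructed samples in directory $1: a mounts table whose first /run/user
# entry is exec-able, a weak unit, and its hardened counterpart.
write_samples() {
    printf '%s\n' \
        'tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=204800k,mode=700,uid=1000 0 0' \
        'tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,noexec,relatime,mode=700,uid=1001 0 0' \
        > "$1/mounts"
    printf '[Service]\nExecStart=/usr/bin/demo\nProtectSystem=no\n' > "$1/weak.service"
    printf '[Service]\nExecStart=/usr/bin/demo\nProtectSystem=full\n' > "$1/hard.service"
    printf 'ProtectHome=yes\nCapabilityBoundingSet=~CAP_SYS_ADMIN\n' >> "$1/hard.service"
}
```

On a live host, point the first function at /proc/self/mounts and the second at the unit file or a drop-in under /etc/systemd/system/<unit>.d/.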