[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)
Reindl Harald
h.reindl at thelounge.net
Thu Mar 19 10:22:46 PDT 2015
On 19.03.2015 at 18:04, Nusenu wrote:
>>> That tells me that the ExecReload command (kill) is also
>>> restricted by CapabilityBoundingSet. Is this expected [..]?
>
>> recent systemd has more problems in the context of systemctl and
>> restricting even PID 1 itself in a way that it is no longer able to
>> kill processes
>
> thanks for the links. so you are saying this is just a bug and indeed
> not expected?
To be honest, I don't know, but I hope it's not expected so it can go
away sooner or later. While I understand the intention to restrict even
systemd's own pieces as much as possible, some of these things are in the
way when you try to secure a customized service as much as possible.
As an example, there is "PermissionsStartOnly=true", which helps to have
an "ExecStartPre" script to ensure permissions and apply User/Group only
to "ExecStart". The same doesn't work for "ReadOnlyDirectories", which
are unconditionally applied *before* ExecStartPre.
What I would like in some cases is to have an "ExecStartPre" script
which takes care of owner, group, permissions and so on for folders which
are finally protected by "ReadOnlyDirectories". In other words: make sure
that the service binary has read permissions without the need of an own
root unit ordered with Before/After, because that doesn't scale with
Restart/Reload.
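The two interactions the thread describes can be checked mechanically before a unit is deployed. The following is an added example, not code from systemd or from either poster: a small lint that reads the [Service] section of a unit and reports an ExecReload= that signals the main process with kill while CapabilityBoundingSet= drops CAP_KILL (the bounding set applies to every Exec*= line, as the thread observes), and an ExecStartPre= that tries to fix owner or mode under a path listed in ReadOnlyDirectories= (which the thread says is already read-only when ExecStartPre= runs, even with PermissionsStartOnly=true). The sample unit, the service name and the paths are constructed for this example. Two assumptions beyond the page: PermissionsStartOnly=true lifts only User=/Group= for the non-ExecStart= commands, so ExecReload= then runs as root; and the kernel requires CAP_KILL only when a signal crosses uids, so the reload case is reported as an error exactly when a root kill targets a non-root User= process and as a warning otherwise.

```python
"""Added example, not systemd code and not from the thread: lint a service
unit for the two interactions discussed above (ExecReload= kill vs.
CapabilityBoundingSet=, and ExecStartPre= owner/mode fix-ups under
ReadOnlyDirectories=).  Sample unit, service name and paths are constructed."""
import shlex
from collections import defaultdict
from os.path import basename, normpath

PERMISSION_CMDS = {"chown", "chgrp", "chmod", "setfacl", "install"}


def parse_service_section(text):
    """[Service] keys as lists, systemd style: repeated keys append, an empty
    assignment resets.  A reset is kept as one "" entry so that
    CapabilityBoundingSet= (empty set) differs from an absent line (full set)."""
    values = defaultdict(list)
    in_service = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        if in_service and "=" in line:
            key, _, val = line.partition("=")
            if val.strip():
                values[key.strip()].append(val.strip())
            else:
                values[key.strip()] = [""]
    return values


def cap_kill_allowed(values):
    """No CapabilityBoundingSet= keeps the full set.  A '~' line drops the listed
    capabilities; per systemd.exec(5) positive lines merge by OR, '~' lines by AND."""
    allowed = None
    for spec in values.get("CapabilityBoundingSet", []):
        negated = spec.startswith("~")
        caps = {c.lstrip("~").upper() for c in spec.split()}
        keeps_kill = ("CAP_KILL" in caps) != negated
        if allowed is None:
            allowed = keeps_kill
        else:
            allowed = (allowed and keeps_kill) if negated else (allowed or keeps_kill)
    return True if allowed is None else allowed


def argv_of(spec):
    """Split an Exec*= value; strip the prefix characters ('-', '@', '+', '!', ':')
    systemd accepts in front of the executable path."""
    argv = shlex.split(spec)
    if argv:
        argv[0] = argv[0].lstrip("-@+!:")
    return argv


def readonly_parent(path, ro_dirs):
    """ReadOnlyDirectories= entry covering path, or None ('-' = ignore if missing)."""
    path = normpath(path)
    for entry in ro_dirs:
        ro = normpath(entry.lstrip("-"))
        if path == ro or path.startswith(ro.rstrip("/") + "/"):
            return ro
    return None


def lint(unit_text):
    """Return (rule, offending Exec line, detail) tuples."""
    v = parse_service_section(unit_text)
    findings = []
    user = (v.get("User") or ["root"])[-1] or "root"
    start_only = v.get("PermissionsStartOnly", [""])[-1].lower() in ("1", "yes", "true", "on")

    # Rule 1: the bounding set applies to ExecReload= too.  CAP_KILL is only
    # needed when the signal crosses uids: root ExecReload= (PermissionsStartOnly)
    # against a non-root User= main process.  Otherwise just a warning.
    for spec in v.get("ExecReload", []):
        argv = argv_of(spec)
        if argv and basename(argv[0]) == "kill" and not cap_kill_allowed(v):
            crosses_uid = start_only and user not in ("root", "0")
            findings.append(("reload-needs-cap-kill", spec, "error" if crosses_uid else "warning"))

    # Rule 2: ReadOnlyDirectories= is applied before ExecStartPre= regardless of
    # PermissionsStartOnly=, so owner/mode fix-ups under it cannot succeed.
    ro_dirs = [d for spec in v.get("ReadOnlyDirectories", []) for d in spec.split()]
    for spec in v.get("ExecStartPre", []):
        argv = argv_of(spec)
        if argv and basename(argv[0]) in PERMISSION_CMDS:
            for arg in argv[1:]:
                ro = readonly_parent(arg, ro_dirs) if arg.startswith("/") else None
                if ro:
                    findings.append(("startpre-under-readonly", spec, ro))
                    break
    return findings


UNIT_WEAK = """\
[Service]
User=example
PermissionsStartOnly=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ReadOnlyDirectories=/etc/example -/var/lib/example/conf
ExecStartPre=/bin/chown -R example:example /etc/example
ExecStartPre=-/bin/chmod 0750 /var/lib/example/conf/
ExecStart=/usr/sbin/exampled --foreground
ExecReload=/bin/kill -HUP $MAINPID
"""

if __name__ == "__main__":
    print(*lint(UNIT_WEAK), sep="\n")
```

Run against the constructed unit it reports the reload line as an error (root kill of a uid "example" process without CAP_KILL) and both ExecStartPre= lines as writing under a read-only directory; adding CAP_KILL to the bounding set and moving the owner/mode fix-up to a directory that is not in ReadOnlyDirectories= makes it clean.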