[systemd-devel] About http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html

Michael Biebl mbiebl at gmail.com
Fri Dec 9 00:56:43 UTC 2016


Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
The one linked from fdo
(http://0pointer.de/blog/projects/security.html) is pretty dated and
the systemd.exec man page is not coherent enough with regards to
security/sandboxing.

Related to that, I think it would be good if we would annotate in the
man page, which sandboxing features work for user services and which
don't. It's not always immediately obvious which feature requires root
privileges.

Michael

2016-12-09 1:46 GMT+01:00 Michael Biebl <mbiebl at gmail.com>:
> Reading Lennarts recent blog post, I just wanted to make people aware
> that the RestrictAddressFamilies= feature is currently broken on
> several architectures, including i386. So be careful for now until
> https://github.com/systemd/systemd/issues/4575
> has been fixed
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


More information about the systemd-devel mailing list