[systemd-devel] About http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html
Lennart Poettering
lennart at poettering.net
Fri Dec 9 09:50:03 UTC 2016
On Fri, 09.12.16 02:01, Reindl Harald (h.reindl at thelounge.net) wrote:
>
>
> Am 09.12.2016 um 01:56 schrieb Michael Biebl:
> > Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
> > The one linked from fdo
> > (http://0pointer.de/blog/projects/security.html) is pretty dated and
> > the systemd.exec man page is not coherent enough with regards to
> > security/sandboxing.
> >
> > Related to that, I think it would be good if we would annotate in the
> > man page, which sandboxing features work for user services and which
> > don't. It's not always immediately obvious which feature requires root
> > privileges
>
> "requires root privileges" - a question here
>
> in my understanding those features are applied *before* dropping the privileges to
> "User" and "Group"
All sandboxing features should work for services run by systemd running
as PID 1, regardless of whether in combination with User= or not.
Services of the systemd --user instances have a more limited
set. There pretty much only the options based on seccomp are available,
as that's the only interface that doesn't require
privileges. Specifically that's RestrictNamespaces=,
RestrictAddressFamilies=, SystemCallArchitectures=, SystemCallFilter=.
And yes, this could use some better documentation, and there's a bug
open about it.
Lennart
--
Lennart Poettering, Red Hat
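As an added illustration, not taken from this thread or from the systemd project, here is a unit for a systemd --user service that uses only the seccomp-based options named above. The service name and binary path are placeholders, and the @system-service, @privileged, @mount and @resources syscall-group names assume a systemd newer than this 2016 thread.

```ini
# ~/.config/systemd/user/example-fetcher.service  (hypothetical unit)
[Unit]
Description=Example network client running under systemd --user

[Service]
# Placeholder binary; replace with the real program.
ExecStart=/usr/local/bin/example-fetcher

# seccomp-based restrictions: these need no privileges, so they apply
# in a --user instance just as they do under PID 1.
SystemCallArchitectures=native
# Allowlist the common service syscalls, then remove the groups a
# simple network client never needs.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @mount @resources
# Blocked calls fail with EPERM instead of killing the process.
SystemCallErrorNumber=EPERM
# Only local sockets and IPv4/IPv6; no AF_PACKET, AF_NETLINK, etc.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Deny creation of any new namespace.
RestrictNamespaces=yes

# Mount-namespace based hardening such as ProtectSystem=, ProtectHome=
# and PrivateTmp= is not among the options listed for --user services
# in the thread; add those only when the unit runs under PID 1.

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload`, a recent systemd's `systemd-analyze security --user example-fetcher.service` lists which of these directives are in effect for the unit.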