[systemd-devel] systemd-run and -p ProtectSystem=ful
Reindl Harald
h.reindl at thelounge.net
Mon Jul 25 17:48:29 UTC 2016
Am 25.07.2016 um 19:41 schrieb Lennart Poettering:
> On Mon, 25.07.16 19:26, Reindl Harald (h.reindl at thelounge.net) wrote:
>
>> just upgraded to Fedora 24
>>
>> /usr/bin/systemd-run -t --service-type=oneshot --quiet --nice=19
>> --unit=spamfilter-fetch-samples --description=spamfilter-fetch-samples -p
>> ProtectSystem=full /usr/bin/php /scripts/test.php
>>
>> don't log anything useful or return anything, calling a shellscript which is
>> using "systemd-run" don't return to the shell while journalctl pretends it
>> got executed and has finished
>>
>> removing "-p ProtectSystem=full" as in F23 works
>>
>> Jul 25 19:23:51 mail-gw.thelounge.net systemd[1]: Starting
>> spamfilter-fetch-samples...
>> Jul 25 19:23:51 mail-gw.thelounge.net systemd[1]: Started
>> spamfilter-fetch-samples.
>> Jul 25 19:24:21 mail-gw.thelounge.net systemd[1]: Starting
>> spamfilter-fetch-samples...
>> Jul 25 19:24:21 mail-gw.thelounge.net systemd[1]: Started
>> spamfilter-fetch-samples.
>
> This works fine here:
>
> # /usr/bin/systemd-run -t /bin/echo hallo
> Running as unit: run-r2d66d66cfd3f4386bd80ecdc057846ce.service
> Press ^] three times within 1s to disconnect TTY.
> hallo
>
> # sudo /usr/bin/systemd-run -t -p ProtectSystem=full /bin/echo hallo
> Running as unit: run-r0a6d313f96684ec598ee84fb483f2f48.service
> Press ^] three times within 1s to disconnect TTY.
> hallo
all that simple versions are working here too, but not if it comes to
complex scripts running as root and starting other script using "su"
the reason is simply that first permssions and so on a ensured and than
the tasks itself are fird with difefrent, low privileged users
the same still for calling "systemd-run" from a cronjob where i would
expect the typical cronmails if there is some output with or without
"-p ProtectSystem=full" while without it least works in a ssh session
> Maybe SELinux is borked for this? Does it work if you turn off SELinux
> or put it in permissive mode?
no SELinux for me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20160725/34169e44/attachment-0001.sig>
More information about the systemd-devel
mailing list