[systemd-devel] systemd-run and -p ProtectSystem=full

Reindl Harald h.reindl at thelounge.net
Mon Jul 25 17:48:29 UTC 2016



On 25.07.2016 at 19:41, Lennart Poettering wrote:
> On Mon, 25.07.16 19:26, Reindl Harald (h.reindl at thelounge.net) wrote:
>
>> just upgraded to Fedora 24
>>
>> /usr/bin/systemd-run -t --service-type=oneshot --quiet --nice=19
>> --unit=spamfilter-fetch-samples --description=spamfilter-fetch-samples -p
>> ProtectSystem=full /usr/bin/php /scripts/test.php
>>
>> doesn't log anything useful or return anything; calling a shell script which is
>> using "systemd-run" doesn't return to the shell, while journalctl pretends it
>> got executed and has finished
>>
>> removing "-p ProtectSystem=full" as in F23 works
>>
>> Jul 25 19:23:51 mail-gw.thelounge.net systemd[1]: Starting
>> spamfilter-fetch-samples...
>> Jul 25 19:23:51 mail-gw.thelounge.net systemd[1]: Started
>> spamfilter-fetch-samples.
>> Jul 25 19:24:21 mail-gw.thelounge.net systemd[1]: Starting
>> spamfilter-fetch-samples...
>> Jul 25 19:24:21 mail-gw.thelounge.net systemd[1]: Started
>> spamfilter-fetch-samples.
>
> This works fine here:
>
> # /usr/bin/systemd-run -t /bin/echo hallo
> Running as unit: run-r2d66d66cfd3f4386bd80ecdc057846ce.service
> Press ^] three times within 1s to disconnect TTY.
> hallo
>
> # sudo /usr/bin/systemd-run -t -p ProtectSystem=full /bin/echo hallo
> Running as unit: run-r0a6d313f96684ec598ee84fb483f2f48.service
> Press ^] three times within 1s to disconnect TTY.
> hallo

all those simple versions are working here too, but not when it comes to 
complex scripts running as root and starting other scripts using "su"

the reason is simply that first permissions and so on are ensured and then 
the tasks themselves are fired with different, low-privileged users

the same still holds for calling "systemd-run" from a cronjob, where I would 
expect the typical cron mails if there is some output, with or without 
"-p ProtectSystem=full", while without it it at least works in an SSH session

> Maybe SELinux is borked for this? Does it work if you turn off SELinux
> or put it in permissive mode?

no SELinux for me
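As an added example (not part of this thread, and not Reindl's or Lennart's code), the following POSIX sh probe shows a way to find out what a sandboxed transient unit is actually allowed to write, instead of inferring it from a script that silently stops. It is meant to be started the same way as the failing job, e.g. `systemd-run -t -p ProtectSystem=full /usr/local/bin/sandbox-probe.sh`, so that each line ends up in the journal for that unit. The file name `sandbox-probe.sh` and the install path are assumptions; the default directory list reflects what `ProtectSystem=full` makes read-only (`/usr`, `/boot`, `/etc`) next to paths that stay writable.

```shell
#!/bin/sh
# sandbox-probe.sh: report which directories the current process can write to.
# Added example for diagnosing ProtectSystem= sandboxes; not from the original
# thread. Run it under systemd-run with the same -p options as the real job and
# read the result with "journalctl -u <unit>".

# probe_write DIR: try to create and remove a scratch file inside DIR.
# Returns 0 if DIR is writable for this process, 1 otherwise.
probe_write() {
    dir=$1
    f="$dir/.sandbox-probe.$$"
    if ( : > "$f" ) 2>/dev/null; then
        rm -f "$f"
        return 0
    fi
    return 1
}

# probe_report DIR...: print one line per directory, "<dir> rw" or "<dir> ro".
# The exit status is the number of read-only directories, so a caller can
# branch on "did the sandbox lock down anything this job needs".
probe_report() {
    ro=0
    for d in "$@"; do
        if probe_write "$d"; then
            printf '%s rw\n' "$d"
        else
            printf '%s ro\n' "$d"
            ro=$((ro + 1))
        fi
    done
    return "$ro"
}

# When executed directly (not sourced as a library), probe the directories
# given on the command line, or a default set covering the ProtectSystem=full
# read-only tree plus locations that are normally still writable.
if [ "$#" -eq 0 ]; then
    set -- /usr /etc /boot /var/lib /tmp
fi
case ${0##*/} in
    sandbox-probe.sh) probe_report "$@" ;;
esac
```

The mount namespace that `ProtectSystem=` sets up is inherited by every child of the unit's main process, so a task that the root-level script hands to another user via `su` sees exactly the same read-only `/etc` and `/usr`; running the probe from inside such a `su` step (for example `su someuser -c /usr/local/bin/sandbox-probe.sh` under the same transient unit) makes that visible per user.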
