[systemd-devel] machinectl shell vs systemd-run

Lennart Poettering lennart at poettering.net
Fri Nov 11 14:05:11 UTC 2016


On Sat, 05.11.16 21:06, Wilhelm Schuster (ws at wilhelm.re) wrote:

> Hi,
> 
> I’m trying to run a command inside a container (spawned via
> nspawn). `machinectl shell` and `systemd-run` seem like two ways
> that accomplish that in systemd. Machinectl’s man page [0] states
> the following:
> 
> Note that systemd-run(1) may be used in place of the shell command,
> […]. However, it is frequently more privileged than the shell
> command.
> 
> I’m interested in the last part here. Specifically when does
> `systemd-run` have more privileges than `machinectl shell` and what
> are those additional privileges?

So, the difference boils down to the PolicyKit check that is
done. "systemd-run" generically creates a transient unit in
systemd. It's protected by the "org.freedesktop.systemd1.manage-units"
action, and if you grant that privilege to a user, then he or she can
create arbitrary transient units and set any property on them that they
like to any value they like.

OTOH "machinectl shell" is protected by the PK actions
"org.freedesktop.machine1.shell" and
"org.freedesktop.machine1.host-shell" (the latter is used when using
it on the host itself), and you can only really execute a command,
nothing else. You cannot change arbitrary properties beyond the
command line.

The gist of this is really: if you grant a user
"org.freedesktop.machine1.shell" then she or he can connect to any
local container and get a shell there, but they cannot fuck up the host.

Hope this makes sense?

Lennart

-- 
Lennart Poettering, Red Hat
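To make the privilege split concrete, here is an added example (not from the thread or from the systemd project) of a polkit rule that grants only the narrow "org.freedesktop.machine1.shell" action to a group, leaves "org.freedesktop.systemd1.manage-units" at its default, and explicitly refuses the host-shell action. The `polkit` object and the `authorize()` evaluator are a constructed stand-in for polkitd so the rule can be exercised offline; the group name and rules-file path are assumptions.

```javascript
// Constructed stand-in for the polkit rules API (polkit.addRule, polkit.Result,
// subject.isInGroup) so the rule below can be evaluated without polkitd.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The rule as it would appear in an assumed file
// /etc/polkit-1/rules.d/50-container-shell.rules (group name is assumed).
polkit.addRule(function (action, subject) {
  const inGroup = subject.isInGroup("container-admins");

  // Narrow grant: a shell inside a local container, nothing more.
  if (action.id === "org.freedesktop.machine1.shell" && inGroup) {
    return polkit.Result.YES;
  }
  // Refuse the host variant outright: the group is for containers only.
  if (action.id === "org.freedesktop.machine1.host-shell" && inGroup) {
    return polkit.Result.NO;
  }
  // Deliberately no branch for org.freedesktop.systemd1.manage-units:
  // it falls through to the action's .policy default (admin auth), so
  // group members cannot create arbitrary transient units via systemd-run.
  return polkit.Result.NOT_HANDLED;
});

// Evaluate registered rules in order; the first decisive answer wins,
// NOT_HANDLED means the action's default from its .policy file applies.
function authorize(actionId, groups) {
  const action = { id: actionId };
  const subject = { isInGroup: (g) => groups.includes(g) };
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Walk the three actions for a member and a non-member of the group.
for (const groups of [["container-admins"], ["users"]]) {
  for (const id of ["org.freedesktop.machine1.shell",
                    "org.freedesktop.machine1.host-shell",
                    "org.freedesktop.systemd1.manage-units"]) {
    console.log(groups.join(","), id, "->", authorize(id, groups));
  }
}
```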