[systemd-devel] Is there a reason to run systemd Units with root access?

Reindl Harald h.reindl at thelounge.net
Thu Jul 6 10:51:06 UTC 2017



Am 04.07.2017 um 22:33 schrieb Mariusz Wojcik:
> I’m just asking because of the latest “not-a-bug” [1]. As far as I know, 
> there aren’t many services that need full root access (maybe for getting 
> a low port number). Except for that I don’t see many use cases. 
> Therefore, I think it would be useful to make the decision for root 
> access more explicit, e.g. User=root is needed to start units as root. 
> Also I don’t think it is a sane default is to start any unit as 
> root when there is no valid User property. Even the security of 
> systemd would benefit because it would save people from accidentally 
> running services as root.

answer from a sysadmin:

how do you imagine that every systemd-unit out there shipped by whatever 
distribution and much more critical every unit in /etc/systemd/system/ 
would get modified (for the second case i maintain alone some hundret 
spread ver 30 or so machines)

"there aren't many services that need full root access" is simply not 
true at all, you just don't know enough software which needs to read 
certificate files which are only accessable as root (or at least should) 
and then drop privileges just as one example


More information about the systemd-devel mailing list