[systemd-devel] Antw: Re: Arbitrary restrictions (e.g. for RuntimeDirectory)

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Mon May 13 05:54:37 UTC 2019


>>> Andrei Borzenkov <arvidjaar at gmail.com> wrote on 09.05.2019 at 16:54 in
message <399aa684-a6bf-af19-dd09-bd670ec60acf at gmail.com>:
> 09.05.2019 13:22, Ulrich Windl wrote:
>> Hi!
>> 
>> I had to subscribe to this list, even though I'm no systemd fan. Still I'll
>> have to deal with it as the distribution we use switched to systemd...
>> 
>> I'm porting my LSB code to systemd, and I'm having some trouble. Cause of
>> the trouble (and possible reason for systemd's unpopularity) seems to be
>> rather arbitrary restrictions without reasoning (which is completely against
>> the GNU spirit of seeking for limitless software).
>> 
>> To be concrete: Why isn't it allowed to use an absolute path for
>> RuntimeDirectory,
> 
> Wild guess - RuntimeDirectory is about security and permitting arbitrary
> path here rather contradicts this goal.

So root can run any program, but the PID of it may not be stored in a
subdirectory for security reasons???

> 
>> and why isn't even a relative path allowed? In my case I have a
>> multi-instance daemon, where the instances can be zero to many. To avoid
>> namespace conflicts, I created a /var/run/<my_pkg> directory
> 
> systemd does it for you.

That's irrelevant, because you are not allowed to use the directory, whoever
creates it.

> 
>> where all the instances put their stuff (in separate directories each)
>> 
>> Trying "RuntimeDirectory=<my_pkg>/%i" inside <my_pkg>@.service isn't
>> "accepted".
>> Still the instances start, can be checked and stopped, but there is a
>> message when stopped saying
>> systemd[1]: [/usr/lib/systemd/system/<my_pkg>@.service:12] Runtime directory is not valid, ignoring assignment: <my_pkg>/%i
> 
> This works here; use of multilevel paths is even documented; granted,
> ability to use specifiers is not that obvious from manual page.

Which version do you use, and what does your unit file look like?

> 
>> 
>> As "mkdir -p" exists for at least 25 years, I wonder what this is all
>> about.
>> 
> 
> I tentatively suspect that being less aggressive may actually help ...

A program telling me where I have to store my files creates frustration, and
that must go out...

> 
>> Despite that I'm missing a "systemctl validate ..." command. That way I
>> wouldn't need to execute start, status, stop, just to find out that some
>> settings are rejected.
>> 
>> Regards,
>> Ulrich
>> 
>> 
>> 
>> _______________________________________________
>> systemd-devel mailing list
>> systemd-devel at lists.freedesktop.org 
>> https://lists.freedesktop.org/mailman/listinfo/systemd-devel 
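
As an added illustration (not part of the original message and not systemd's own code): a small pre-flight check for the RuntimeDirectory= lines of a template unit, in the spirit of the "validate" command wished for above. It assumes only the rule documented in systemd.exec(5), that names must be relative and may not contain "..", expands just %i and %%, and runs on a constructed unit using the hypothetical names mypkg and mypkgd.

```python
import posixpath
import re

RUNTIME_ROOT = "/run"  # for system services, RuntimeDirectory= entries live below /run

# Constructed sample unit (mypkg and mypkgd are hypothetical names).
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample, instance %i

[Service]
ExecStart=/usr/bin/mypkgd --instance %i
RuntimeDirectory=mypkg/%i
RuntimeDirectory=/var/run/mypkg ../escape
"""

def expand_specifiers(value, instance):
    """Expand only %i (instance name) and %%; other specifiers stay as written."""
    table = {"%i": instance, "%%": "%"}
    return re.sub(r"%[i%]", lambda m: table[m.group(0)], value)

def check_entry(entry):
    """Return None if the name passes the documented rule, else the reason."""
    if entry.startswith("/"):
        return "absolute path"
    if ".." in entry.split("/"):
        return 'contains ".."'
    return None

def lint_unit(unit_text, instance):
    """List (entry, path under /run or None, reason or None) per RuntimeDirectory= entry."""
    results, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "RuntimeDirectory":
            continue
        # Check after expansion, so instance-derived names get the same test.
        for entry in expand_specifiers(value, instance).split():
            reason = check_entry(entry)
            path = None if reason else posixpath.join(RUNTIME_ROOT, entry)
            results.append((entry, path, reason))
    return results

if __name__ == "__main__":
    for row in lint_unit(SAMPLE_UNIT, "a1"):
        print(row)
```
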