[systemd-devel] DynamicUser in instantiated (and socket-activated) units
Leonid Isaev
leonid.isaev at ifax.com
Tue Jan 21 15:53:10 UTC 2020
Hi,
I am trying to sandbox processes that run via instantiated units and
the DynamicUser feature seems like a nice solution. However, when I start
several such units simultaneously, the dynamic UID, while random, is the same
for all instances (see below). Is this expected behavior and is there any way
to make UID different for each instance?
For example:
-----8<-----
[root at hyena ~]# systemctl cat sleep at .service
# /etc/systemd/system/sleep at .service
[Unit]
Description=A test unit
After=network.target
[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/bin/sleep 180
[root at hyena ~]# systemctl start sleep at 1.service
[root at hyena ~]# systemctl start sleep at 2.service
[root at hyena ~]# ps auxwwn
...
65086 154271 0.0 0.0 5292 704 ? Ss 15:45 0:00 /usr/bin/sleep 180
65086 154274 0.0 0.0 5292 704 ? Ss 15:45 0:00 /usr/bin/sleep 180
^^^^^
[root at hyena ~]# journalctl | tail
...
Jan 21 15:45:53 hyena systemd[1]: Started A test unit.
Jan 21 15:45:55 hyena systemd[1]: Started A test unit.
----->8-----
Same applies to socket-activated services whose .socket unit has Accept=true.
For example:
-----8<-----
[root at hyena ~]# systemctl cat convert.socket
# /etc/systemd/system/convert.socket
[Unit]
Description=Convert Socket
Conflicts=convert.service
[Socket]
ListenStream=15000
Accept=true
[Install]
WantedBy=sockets.target
[root at hyena ~]# systemctl cat convert at .service
# /etc/systemd/system/convert at .service
[Unit]
Description=A conversion program
After=network.target
[Service]
Type=simple
DynamicUser=yes
StandardInput=socket
ExecStart=/etc/systemd/scripts/convert.sh
----->8-----
Thanks in advance,
L.
--
Leonid Isaev
More information about the systemd-devel
mailing list