[systemd-devel] AF_INET socket ownership
Matt Zagrabelny
mzagrabe at d.umn.edu
Wed Mar 4 17:16:38 UTC 2020
Greetings,
Do folks use non-root users to own AF_INET sockets to limit root exposure
in their systemd socket units?
Is it even a sensible question?
Thanks for any commentary!
FWIW, here is my .socket and .service units:
==> /etc/systemd/system/cdr-adjunct@.service <==
[Unit]
Description=Call Detail Record Adjunct Processor
[Service]
ExecStart=/opt/src/cdr-adjunct/python/cdr-adjunct.py
StandardInput=socket
User=phone
==> /etc/systemd/system/cdr-adjunct.socket <==
[Unit]
Description=Socket for Call Detail Record Adjunct Processor
[Socket]
ListenStream=9000
Accept=yes
[Install]
WantedBy=sockets.target
Cheers!
-m