[systemd-devel] Starting transient services securely from other service without root
Vašek Šraier
vaclav.sraier at nic.cz
Thu Apr 28 17:47:29 UTC 2022
On Thu, 2022-04-28 at 19:53 +0300, Mantas Mikulėnas wrote:
> That didn't stop many of them (including, apparently, systemd itself)
> from doing so anyway.
>
> [...]
>
> I found a bugzilla about
> this: https://bugs.freedesktop.org/show_bug.cgi?id=80921
>
Interesting. The issue also seems to be quite old, meaning it's probably
not a problem in practice.
I've looked into it further and I've found another roadblock with
polkit. I don't think it is possible to write a rule that would say
something like:
if (action == start transient service &&
invokedByUser == 'knot-resolver' &&
the service will have at most these capabilities &&
the service will run as user 'knot-resolver')
return YES
The second two quarters of the condition seem impossible. It seems that
only the unit name and a verb (start/stop/...) are provided to the
polkit rule, nothing more:
https://github.com/systemd/systemd/blob/6ef00eb846a89558ad46d2937addd8ea952b7062/src/core/dbus-util.c#L136-L139
So while the rule could allow us to start a new transient service
without root privileges, it wouldn't prevent us from running arbitrary
code as root. :(
Vašek
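To make the gap described in the message concrete, here is an added example (not code from the thread, from systemd or from polkit): a polkit rule for systemd's manage-units action, plus a small mock of polkit's rule engine so the rule can be exercised offline. The rule body uses only the real polkit rules API (polkit.addRule, action.id, action.lookup, subject.user, polkit.Result); the `polkit` object, `makeAction`, `decide` and the two sample requests are constructed for this illustration, and the detail keys "unit" and "verb" are taken from the message above, not checked against any other systemd version.

```javascript
// Added illustration: a polkit rule for org.freedesktop.systemd1.manage-units
// and a stand-in for polkit's rule engine so the rule can be run offline.
// The `polkit` object below is a mock written for this example; the real
// engine lives in polkitd and loads rules from /etc/polkit-1/rules.d/*.rules.

const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Mock evaluation: the first rule returning a definite result wins;
  // otherwise fall back to the action's implicit policy (placeholder string).
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== this.Result.NOT_HANDLED) return r;
    }
    return "implicit-policy";
  },
};

// Per the message above, systemd hands polkit the action id plus two detail
// keys, "unit" and "verb". Nothing about the unit's properties is included.
function makeAction(unit, verb) {
  const details = { unit, verb };
  return { id: "org.freedesktop.systemd1.manage-units", lookup: (k) => details[k] };
}

// The rule one might be tempted to write: let the knot-resolver user start
// any unit named knot-resolver-*.service. Only unit name and verb are checkable.
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units") return;
  if (action.lookup("verb") !== "start") return;
  if (subject.user !== "knot-resolver") return;
  const unit = action.lookup("unit") || "";
  if (/^knot-resolver-[A-Za-z0-9@._-]+\.service$/.test(unit)) return polkit.Result.YES;
});

// Constructed sample data: two StartTransientUnit requests that differ only in
// properties polkit never sees. The `props` field is shown for the reader; it
// is not part of what reaches the rule.
const transientRequests = [
  { unit: "knot-resolver-worker1.service", verb: "start",
    props: { User: "knot-resolver", CapabilityBoundingSet: "CAP_NET_BIND_SERVICE" } },
  { unit: "knot-resolver-worker2.service", verb: "start",
    props: { User: "root", CapabilityBoundingSet: "" } },
];

// Return polkit's decision for each request when issued by `user`.
function decide(reqs, user) {
  return reqs.map((r) => polkit.evaluate(makeAction(r.unit, r.verb), { user }));
}

// Both requests are allowed: the rule cannot tell the root-running unit from
// the confined one, which is exactly the problem raised in the message.
// decide(transientRequests, "knot-resolver") -> ["yes", "yes"]
```

Running `decide` shows why a name-based allow rule is not a privilege boundary here: the caller chooses both the unit name and the transient unit's properties, and only the former is visible to the rule.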