[systemd-devel] Getting rid of the /run/credentials mount
Marc Haber
mh+systemd-devel at zugschlus.de
Fri Aug 26 05:39:47 UTC 2022
On Thu, Aug 25, 2022 at 11:37:12PM +0300, Topi Miettinen wrote:
> On 25.8.2022 22.42, Marc Haber wrote:
> > on the system and sends an alert if things change on the system. In the
> > Debian package, this is done from cron. I would like to move that to a
> > systemd timer and in passing use some of systemd's security features.
> > Here is my service:
> >
> > What do I do to disable the credentials mechanism in my service?
>
> You could use TemporaryFileSystem=/run together with a few BindPaths= for
> the required directories. For example, on my setup the user doesn't see all
> cruft in global /run:
> $ ls /run
> dbus/ firejail/ systemd/ udev/ user/
>
> See also
> https://github.com/systemd/systemd/pull/21748
> for some thoughts on tentative new directive PrivateRun= or something
> similar.
My intention is the opposite. I want (and need!) my process to see what
is actually in /run. Nothing should be hidden away. The process itself
doesn't use anything in /run, but I want it to be able to detect changes.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421