[systemd-devel] Antw: [EXT] [systemd‑devel] jailrooting services with RootDirectory ‑ how ?

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Wed Sep 28 06:05:12 UTC 2022


And WHAT EXACTLY does not work?

>>> <brankob at avtomatika.com> schrieb am 28.09.2022 um 05:35 in Nachricht
<20220928033517.3ffbcce4@\040none\041brane_wrks>:
> I'm trying to start services within controlled jailroot. So I tried
> using RootDirectory directive as described in systemd‑exec man page.
> 
> It should be simple, but I never managed to make it work. 
> I tried to
> start simple minimalistic, statically compiled program that just prints
> "Hello world". It has no library dependencies etc.
> 
> This should be simple, but it doesn't work. Even when I bind mount just
> about every main directory in "/" into my RootDirectory=/usr/my_chroot.
> 
> I tried grepping the all available service files on my machines for
> RootDirectory to find an example that I could learn from, but I
> couldn't find any.
> 
> So i grepped the internet and couldn't find even a single example that
> uses it. But I did find some remark that its usage can screw some cases
> ( at least service types of Type=notify) due to some boondongle with
> systemd's listening socket or something. 
> But my example is totally simple of the "oneshot" type. It works great
> without RootDirectory directive.
> 
> What gives ? Has anyone tried actually using this ? Or is this one of
> of those silently obsoleted things ?
> 
> It would be great if one could use it to jail each service into its own
> private view of the filesystem on the machine in economic way, using
> not much more than dozen of bind‑mounts...
> 
> Is there a simple demo example that uses it that I could try ?
> 
> TIA





More information about the systemd-devel mailing list