[systemd-devel] jailrooting services with RootDirectory - how ?
Michael Chapman
mike at very.puzzling.org
Wed Sep 28 09:07:14 UTC 2022
On Wed, 28 Sep 2022, Branko wrote:
> OK. You have bound one path. Is the executable within it, or is it
> irrelevant for the case (and the executable is in /tmp)?
No, the executable was in the chroot's root directory. That's why I
referred to it with:
ExecStart=/hello
You could put the executable in a subdirectory if you wanted. But if
you were to place the binary at, say:
ExecStart=/usr/bin/hello
-- again, relative to the chroot's root directory -- then using:
BindReadOnlyPaths=/usr
would not work.
But... why would you do that? I can't think of any reason for bind
mounting an ancestor of the chroot's root directory into the chroot
itself.
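As an added illustration of the layout described in the reply (this unit is not part of the original thread), here is a hypothetical service that keeps the executable at the chroot's root, as with `ExecStart=/hello` above, and bind-mounts only the host paths it needs. The chroot location /srv/hello-root, the binary name `hello` and the bound paths are assumptions.

```ini
# Added example, not from the thread. Assumes a minimal chroot was prepared
# on the host at /srv/hello-root, containing the binary at /srv/hello-root/hello.
[Unit]
Description=hello service confined with RootDirectory=

[Service]
RootDirectory=/srv/hello-root
# Paths in ExecStart= are resolved relative to the new root, so this runs
# /srv/hello-root/hello on the host.
ExecStart=/hello
# Mount /proc, /sys and /dev inside the chroot so the program has the usual API filesystems.
MountAPIVFS=yes
# Bind only what the program actually needs from the host, read-only.
# The syntax is host-source:chroot-destination; a bare path means "same path in both".
BindReadOnlyPaths=/etc/ssl/certs:/etc/ssl/certs
# If the binary is dynamically linked, expose the host's libraries instead of
# copying them into the chroot (assumes the chroot already has the lib/lib64
# symlinks its ELF interpreter path expects):
#BindReadOnlyPaths=/usr/lib /usr/lib64
# Keep the chroot from being undone by setuid binaries found inside it.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

The failure mode the reply warns about is easy to reproduce with this unit: change it to `ExecStart=/usr/bin/hello` (with the binary copied to /srv/hello-root/usr/bin/hello) and add `BindReadOnlyPaths=/usr`. The host's /usr is then mounted over the chroot's /usr, hiding the chroot's own /usr/bin/hello, and the service fails to start unless the host happens to ship the same binary at that path. Binding narrower paths such as /usr/lib leaves the chroot's /usr/bin intact, which is why the example above never binds an ancestor of the binary's own directory.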