[systemd-devel] jailrooting services with RootDirectory - how ?

Michael Chapman mike at very.puzzling.org
Wed Sep 28 09:07:14 UTC 2022


On Wed, 28 Sep 2022, Branko wrote:
> OK. You have bound one path. Is the executable  within it or is it
> irrelevant for the case ( and the executable is in /tmp) ?

No, the executable was in the chroot's root directory. That's why I 
referred to it with:

    ExecStart=/hello

You could put the executable in a subdirectory if you wanted. But if 
you were to place the binary at, say:

    ExecStart=/usr/bin/hello

-- again, relative to the chroot's root directory -- then using:

    BindReadOnlyPaths=/usr

would not work.

But... why would you do that? I can't think of any reason for bind 
mounting an ancestor of the chroot's root directory into the chroot 
itself.


More information about the systemd-devel mailing list