[systemd-devel] jailrooting services with RootDirectory - how ?
Branko
brankob at avtomatika.com
Wed Sep 28 09:18:10 UTC 2022
On Wed, 28 Sep 2022 19:07:14 +1000 (AEST)
Michael Chapman <mike at very.puzzling.org> wrote:
ExecStart works relative to RootDirectory.
At least for me.
> On Wed, 28 Sep 2022, Branko wrote:
> > OK. You have bound one path. Is the executable within it or is it
> > irrelevant for the case ( and the executable is in /tmp) ?
>
> No, the executable was in the chroot's root directory. That's why I
> referred to it with:
>
> ExecStart=/hello
>
> You could put the executable in a subdirectory if you wanted. But if
> you were to place the binary at, say:
>
> ExecStart=/usr/bin/hello
>
> -- again, relative to the chroot's root directory -- then using:
>
> BindReadOnlyPaths=/usr
>
> would not work.
>
> But... why would you do that? I can't think of any reason for bind
> mounting an ancestor of the chroot's root directory into the chroot
> itself.
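To make the quoted exchange concrete, here is an added pre-flight check written for this reply; it is my own script, not code from the thread or from systemd, and it does not invoke systemd at all. It applies the two rules discussed above: the ExecStart= path is resolved relative to RootDirectory=, so the binary must exist inside the jail, and a BindReadOnlyPaths= source that is an ancestor of the jail root (such as /usr when the binary lives at /usr/bin/hello inside the jail, or the jail's parent directory) is flagged as a configuration to reject. The jail directory and the hello script it creates are constructed for the demonstration; /srv/jail in the printed unit fragment is a placeholder, not a real deployment path.

```shell
#!/bin/sh
# Pre-flight check for a unit using RootDirectory= (added example, not from
# the thread or systemd). Mirrors how systemd resolves ExecStart=: the path
# is taken relative to RootDirectory=, so "$ROOT$EXEC" must be executable.

# check_jail_unit ROOT EXEC [BIND_SOURCE...]
#   ROOT        host path given to RootDirectory=
#   EXEC        path given to ExecStart= (as seen inside the jail)
#   BIND_SOURCE host paths listed in BindReadOnlyPaths=
# Returns 0 when the layout is sane, 1 otherwise; findings go to stderr.
check_jail_unit() {
    root=$1; exec_path=$2; shift 2
    rc=0
    case "$exec_path" in
        /*) ;;
        *) echo "ExecStart= must be absolute: $exec_path" >&2; return 1 ;;
    esac
    # ExecStart= is resolved inside the chroot, not on the host.
    if [ ! -x "$root$exec_path" ]; then
        echo "ExecStart=$exec_path is not an executable under RootDirectory=$root" >&2
        rc=1
    fi
    for src in "$@"; do
        s=${src%/}                      # normalise: "/" becomes ""
        if [ ! -e "$src" ]; then
            echo "BindReadOnlyPaths= source $src does not exist on the host" >&2
            rc=1
        fi
        # Ancestor of the jail root (or the root itself): binding it would
        # mount the jail's own parent into the jail, which is never wanted.
        if [ -z "$s" ] || [ "$root" = "$s" ] || [ "${root#"$s"/}" != "$root" ]; then
            echo "BindReadOnlyPaths=$src is an ancestor of RootDirectory=$root" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Print the [Service] fragment that the checked values correspond to.
unit_fragment() {
    printf '[Service]\nRootDirectory=%s\nExecStart=%s\nBindReadOnlyPaths=%s\n' "$1" "$2" "$3"
}

# Constructed demo jail; /srv/jail in the real unit would be this directory.
demo() {
    jail=$(mktemp -d)
    mkdir -p "$jail/usr/bin"
    printf '#!/bin/sh\necho hello\n' > "$jail/hello"
    chmod +x "$jail/hello"

    # 1. Binary at the jail root, /usr from the host bound read-only: sane.
    unit_fragment /srv/jail /hello /usr
    check_jail_unit "$jail" /hello /usr && echo "ok: /hello resolves inside the jail"

    # 2. ExecStart=/usr/bin/hello: nothing at $jail/usr/bin/hello, and the
    #    host's /usr would be mounted over the jail's /usr anyway.
    check_jail_unit "$jail" /usr/bin/hello /usr || echo "rejected: /usr/bin/hello"

    # 3. Binding the jail's parent directory into the jail.
    check_jail_unit "$jail" /hello "$(dirname "$jail")" || echo "rejected: ancestor bind"

    rm -rf "$jail"
}

demo
```

Run it as a plain POSIX sh script; it needs no root and leaves nothing behind. The ancestor test uses prefix stripping rather than realpath so it also works on systems without a realpath binary, but it therefore compares the literal paths given in the unit, not resolved symlinks.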