[systemd-devel] jailrooting services with RootDirectory - how ?
Branko
brankob at avtomatika.com
Wed Sep 28 09:25:02 UTC 2022
On Wed, 28 Sep 2022 19:07:14 +1000 (AEST)
Michael Chapman <mike at very.puzzling.org> wrote:
1. ExecStart is relative to RootDirectory (at least for me).
2. I've just simplified my service file to equal yours - simple static
executable in RootDirectory inside /tmp. It works.
But I can't bind-mount anything inside tmpfs, so it's kind of
pointless...
Try it with chroot somewhere on your disk, e.g. /chroots map or
something and make the service bind-mount executable there.
Like BindPaths=/absolute/path/to/my_debug-exec:/absolute/path/into/chroot
and see if it works.
> On Wed, 28 Sep 2022, Branko wrote:
> > OK. You have bound one path. Is the executable within it or is it
> > irrelevant for the case ( and the executable is in /tmp) ?
>
> No, the executable was in the chroot's root directory. That's why I
> referred to it with:
>
> ExecStart=/hello
>
> You could put the executable in a subdirectory if you wanted. But if
> you were to place the binary at, say:
>
> ExecStart=/usr/bin/hello
>
> -- again, relative to the chroot's root directory -- then using:
>
> BindReadOnlyPaths=/usr
>
> would not work.
>
> But... why would you do that? I can't think of any reason for bind
> mounting an ancestor of the chroot's root directory into the chroot
> itself.
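As an added illustration (not a unit either poster showed, and not part of the thread), here is a complete service of the shape under discussion: a chroot kept on a real filesystem rather than under /tmp, ExecStart= given as a path inside RootDirectory=, and a debug binary from the host bind-mounted to a fresh path inside the chroot instead of over a directory the chroot already provides. The paths /srv/chroots/hello, /hello, /opt/debug/my_debug-exec and /debug/my_debug-exec are assumed placeholders.

```ini
# /etc/systemd/system/hello-chroot.service  (added example; all paths are assumed)
[Unit]
Description=Static hello binary confined to a RootDirectory chroot

[Service]
# Chroot on a real disk, not a tmpfs under /tmp, so bind mounts into it
# behave the way the thread expects.
RootDirectory=/srv/chroots/hello

# Resolved inside the chroot: on the host this runs /srv/chroots/hello/hello.
ExecStart=/hello

# Source is a host path, destination is relative to the new root.  The
# destination is a path the chroot does not otherwise use, so nothing the
# service depends on gets shadowed.
BindReadOnlyPaths=/opt/debug/my_debug-exec:/debug/my_debug-exec

# Do NOT do this together with ExecStart=/usr/bin/hello: it would mount the
# host's /usr over the chroot's /usr and hide the chroot's own /usr/bin/hello
# (the "would not work" case from the thread).
#BindReadOnlyPaths=/usr

# A static binary runs without these, but most real programs need /proc,
# /sys and /dev inside the chroot; MountAPIVFS= provides them.
#MountAPIVFS=yes

# Usual hardening to keep alongside the chroot.
NoNewPrivileges=yes
```

Sanity checks after installing the unit: `systemd-analyze verify hello-chroot.service` catches a non-absolute ExecStart= or BindPaths= entry, and once the service is running, `findmnt -N <main PID>` lists the mount table of its namespace so you can confirm the bind mount landed at /debug/my_debug-exec inside the chroot rather than somewhere on the host.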