[systemd-devel] bind-mount of /run/systemd for chrooted bind9/named
Lennart Poettering
lennart at poettering.net
Mon Jul 10 10:11:01 UTC 2023
On Mo, 10.07.23 11:37, Marc Haber (mh+systemd-devel at zugschlus.de) wrote:
> Hi Lennart,
>
> On Mon, Jul 10, 2023 at 10:28:52AM +0200, Lennart Poettering wrote:
> > On So, 09.07.23 20:14, Marc Haber (mh+systemd-devel at zugschlus.de) wrote:
> >
> > > > It should suffice bind mounting just the notify socket, not the full
> > > > dir.
> > >
> > > Is it intended behavior that an empty file is left at the "mount point"
> > > (what Where= points to) after the unit was stopped?
> >
> > We need an inode we can overmount, and given that this is in /run/
> > (hence inherently ephemeral) and a fixed path it shouldn't matter.
>
> So this is intended. Good to know. I stumbled upon that.
>
> > > If I set ProtectHome=yes, how do I give the user that bind runs as
> > > access to its homedir? Is ReadWritePaths= the solution?
> >
> > ProtectHome= is about /home/ only, i.e. regular ("human") users, not
> > about system users (i.e. uid < 1K). Your bind should *not* run as
> > regular user, but as a system user of course, hence ProtectHome= is
> > something you can just set, and don't need to be concerned about the
> > system user's home dir.
>
> In Debian, bind runs as user bind, which gets created as a system user
> (uid < 1K, yes), and with /var/cache/bind as its home directory, which
> is the directory where, for example, slave zone files get written to.
> So, the running process needs to be able to access its "home directory"
> during its operation even after dropping root.
ProtectHome= protects /home/, nothing else. Hence you can use it, and
it should not collide with bind's use of the home dir, because it's
not in /home.
>
> > > [Mount]
> > > What=/run/systemd
> > > Where=/var/local/chroot/bind/run/systemd
> > > Type=none
> > > Options=bind
> >
> > Note that /run/ should always be a tmpfs, hence unless you mount a
> > tmpfs to /var/local/chroot/bind/run/ first, the above is a bit ugly.
> >
> > Instead of this .mount unit, consider using in the .service file:
> >
> > TemporaryFileSystem=/var/local/chroot/bind/run
> > BindPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify
>
> Ah, of course. I obviously didn't read BindPath's documentation
> thoroughly enough. That is of course way better. Thanks for helping me
> to read the docs.
Actually, correcting myself: use ReadOnlyBindPaths= for this. Clients
can still connect to sockets on a read-only fs just fine, but you take
the privs away to chmod() or chown() the inode that way. So you get
another line of defense that way.
Lennart
--
Lennart Poettering, Berlin
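As an added example (not from the thread, and not Debian's or systemd's own unit), this is what the directives discussed above look like when combined in a drop-in for the Debian named.service; the drop-in file name is an assumption, the chroot paths are the ones from the thread, and the read-only variant is spelled BindReadOnlyPaths= in systemd.exec(5).

```ini
# /etc/systemd/system/named.service.d/chroot-notify.conf  (assumed file name)
# Apply with: systemctl daemon-reload && systemctl restart named.service
[Service]
# /run/ is always a tmpfs, so give the chroot its own private tmpfs at /run
# instead of bind-mounting the host's /run/systemd wholesale. The empty
# mount-point inode for the socket lives in this tmpfs and disappears with it.
TemporaryFileSystem=/var/local/chroot/bind/run

# Expose only the notify socket, read-only. named (chrooted with -t) still
# sees it at /run/systemd/notify and can connect() and sendmsg() to it, but
# cannot chmod()/chown() the inode.
BindReadOnlyPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify

# Hides /home/ only; the bind system user's home, /var/cache/bind, where slave
# zone files are written, is untouched.
ProtectHome=yes
```

A quick check after starting the unit: `ls -l /var/local/chroot/bind/run/systemd/notify` should show the socket while named runs and no leftover file once the unit is stopped, since the whole /run tmpfs under the chroot is private to the service.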