[systemd-devel] bind-mount of /run/systemd for chrooted bind9/named

Marc Haber mh+systemd-devel at zugschlus.de
Mon Jul 10 10:15:06 UTC 2023


On Mon, Jul 10, 2023 at 12:11:01PM +0200, Lennart Poettering wrote:
> ProtectHome= protects /home/, nothing else. Hence you can use it, and
> it should not collide with bind's use of the home dir, because it's
> not in /home.
> 
> Actually, correcting myself: use ReadOnlyBindPaths= for this. clients
> can still connect to sockets on read-only fs just fine, but you take
> the privs away to chmod() or chown() the inode that way. So you get
> another line of defense that way.

Thank you, all my questions are answered for the time being. Your help
is appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
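As an added illustration of the advice quoted above (this drop-in is not from the thread or from the bind9 or systemd projects), here is what a read-only bind mount of /run/systemd into a named chroot looks like as a unit override. The directive is spelled BindReadOnlyPaths= in systemd.exec(5); the unit name named.service and the chroot path /var/lib/named are assumptions and must be replaced with the values used on the host.

```ini
# /etc/systemd/system/named.service.d/chroot-runtime.conf
# Example drop-in, not part of the original thread. Unit name and the
# chroot path /var/lib/named are assumptions.
[Service]
# Make the host's /run/systemd visible inside the chroot, read-only.
# Format is source:destination[:options]. The daemon can still connect()
# to the sockets that live there, but it cannot chmod()/chown() the
# inodes, which is the extra line of defense described in the thread.
BindReadOnlyPaths=/run/systemd:/var/lib/named/run/systemd

# Safe to keep: this only hides /home/, and the chroot lives elsewhere.
ProtectHome=yes
```

After `systemctl daemon-reload` and a restart, `systemctl show named.service -p BindReadOnlyPaths` confirms the mount is configured, and `systemd-analyze security named.service` reports the resulting exposure level alongside the other sandboxing settings of the unit.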