[systemd-devel] bind-mount of /run/systemd for chrooted bind9/named
Marc Haber
mh+systemd-devel at zugschlus.de
Mon Jul 10 10:15:06 UTC 2023
On Mon, Jul 10, 2023 at 12:11:01PM +0200, Lennart Poettering wrote:
> ProtectHome= protects /home/, nothing else. Hence you can use it, and
> it should not collide with bind's use of the home dir, because it's
> not in /home.
>
> Actually, correcting myself: use ReadOnlyBindPaths= for this. Clients
> can still connect to sockets on a read-only fs just fine, but you take
> the privs away to chmod() or chown() the inode that way. So you get
> another line of defense that way.
Thank you, all my questions are answered for the time being. Your help
is appreciated.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
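The setup discussed above, written out as a systemd drop-in (added example, not from the thread or the bind9 packaging): the host's /run/systemd is bind-mounted into the named chroot so that sd_notify() reaches /run/systemd/notify from inside it, with the writable variant shown commented out beside the read-only one. In systemd.exec(5) the read-only directive is spelled BindReadOnlyPaths=; the chroot path /var/lib/named is an assumption.

```ini
# /etc/systemd/system/named.service.d/chroot-notify.conf
# Added example; chroot directory /var/lib/named is assumed, adjust to
# whatever named is started with via -t.
[Service]
# Weaker form: the notify socket's directory is writable inside the
# chroot, so a compromised named could chmod()/chown() the socket inode.
#BindPaths=/run/systemd:/var/lib/named/run/systemd

# Preferred form: same visibility, but the mount is read-only. connect()
# and sendmsg() on the unix socket still work through a read-only mount;
# only metadata changes on the inode are refused.
BindReadOnlyPaths=/run/systemd:/var/lib/named/run/systemd
```

After `systemctl daemon-reload`, `findmnt -R /var/lib/named/run/systemd` run inside the service's mount namespace (e.g. via `nsenter -t <pid> -m`) should list the mount with the `ro` option.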