DynamicUser in instantiated (and socket-activated) units

[Leonid Isaev <leonid.isaev@xxxxxxxx>]

Hi,

	I am trying to sandbox processes that run via instantiated units and
the DynamicUser feature seems like a nice solution. However, when I start
several such units simultaneously, the dynamic UID, while random, is the same
for all instances (see below). Is this expected behavior and is there any way
to make UID different for each instance?

For example:
-----8<-----
[root@hyena ~]# systemctl cat sleep@.service
# /etc/systemd/system/sleep@.service
[Unit]
Description=A test unit
After=network.target

[Service]
Type=simple
DynamicUser=yes
ExecStart=/usr/bin/sleep 180

[root@hyena ~]# systemctl start sleep@1.service
[root@hyena ~]# systemctl start sleep@2.service
[root@hyena ~]# ps auxwwn
...
   65086  154271  0.0  0.0   5292   704 ?        Ss   15:45   0:00 /usr/bin/sleep 180
   65086  154274  0.0  0.0   5292   704 ?        Ss   15:45   0:00 /usr/bin/sleep 180
   ^^^^^

[root@hyena ~]# journalctl | tail
...
Jan 21 15:45:53 hyena systemd[1]: Started A test unit.
Jan 21 15:45:55 hyena systemd[1]: Started A test unit.
----->8-----

Same applies to socket-activated services whose .socket unit has Accept=true.
For example:
-----8<-----
[root@hyena ~]# systemctl cat convert.socket
# /etc/systemd/system/convert.socket
[Unit]
Description=Convert Socket
Conflicts=convert.service

[Socket]
ListenStream=15000
Accept=true

[Install]
WantedBy=sockets.target

[root@hyena ~]# systemctl cat convert@.service
# /etc/systemd/system/convert@.service
[Unit]
Description=A conversion program
After=network.target

[Service]
Type=simple
DynamicUser=yes
StandardInput=socket
ExecStart=/etc/systemd/scripts/convert.sh
----->8-----

Thanks in advance,
L.

-- 
Leonid Isaev
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel