Greetings,
Do folks use non-root users to own AF_INET sockets to limit root exposure in their systemd socket units?
Is it even a sensible question?
Thanks for any commentary!
FWIW, here are my .socket and .service units:
==> /etc/systemd/system/cdr-adjunct@.service <==
[Unit]
Description=Call Detail Record Adjunct Processor

[Service]
ExecStart=/opt/src/cdr-adjunct/python/cdr-adjunct.py
StandardInput=socket
User=phone

==> /etc/systemd/system/cdr-adjunct.socket <==
[Unit]
Description=Socket for Call Detail Record Adjunct Processor

[Socket]
ListenStream=9000
Accept=yes

[Install]
WantedBy=sockets.target

Cheers!
-m