Re: Antw: [EXT] Re: Acceptance of Environment Variables in Attributes

On 26.06.20 at 15:03, Colin Guthrie wrote:
> Ulrich Windl wrote on 26/06/2020 10:43:
>>>>> Roman Odaisky <roma@xxxxxxxxxxx> wrote on 25.06.2020 at 14:35 in
>> message
>> <2175_1593088566_5EF49A35_2175_217_1_5367023.DvuYhMxLoT@xps>:
>>>>  [Service]
>>>> User=nobody
>>>
>>> May I interject that DynamicUser=yes is generally superior to User=nobody.
>>
>> And I always thought the user is named nobody, because no process is ever
>> using it (as UID to run with)...
>> Using it may have unwanted security implications.
> 
> Could be wrong, but I think it's more to do with running *multiple*
> unrelated services as nobody. They could, in theory, mess with each
> other in some cases (deleting each other's temporary files, sockets etc)

with that below and specific "ReadWritePaths" they can't do anything in
that context

LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictNamespaces=yes
RestrictRealtime=yes
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
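
A check for the settings listed in the message above, as an added example that is not part of the original post or of systemd: it reads a unit's [Service] section and reports which of those eleven directives differ from the values given, whether the unit runs as User=nobody without DynamicUser=yes, and which ReadWritePaths it grants. The unit texts, the path /var/lib/example and the function names are constructed for illustration.

```python
# Added example; the unit texts and function names below are constructed.
# Values are compared against the ones given in the message, so another valid
# setting (e.g. ProtectHome=read-only) is reported as differing.
EXPECTED = {k: "yes" for k in (
    "LockPersonality", "NoNewPrivileges", "PrivateDevices", "PrivateTmp",
    "ProtectControlGroups", "ProtectHome", "ProtectKernelModules",
    "ProtectKernelTunables", "RestrictNamespaces", "RestrictRealtime")}
EXPECTED["ProtectSystem"] = "strict"
TRUE = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

def parse_service(text):
    """Collect [Service] assignments in order; skip comments and other sections."""
    section, pairs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def norm(value):
    return "yes" if value.lower() in TRUE else value.lower()

def audit(text):
    scalars, rw_paths = {}, []
    for key, value in parse_service(text):
        if key == "ReadWritePaths":
            # List setting: assignments append, an empty assignment resets.
            rw_paths = (rw_paths + value.split()) if value else []
        else:
            scalars[key] = value  # last assignment wins
    missing = sorted(k for k, want in EXPECTED.items()
                     if norm(scalars.get(k, "")) != want)
    as_nobody = (scalars.get("User") == "nobody"
                 and norm(scalars.get("DynamicUser", "")) != "yes")
    return {"missing": missing, "runs_as_nobody": as_nobody,
            "read_write_paths": rw_paths}

HARDENED = ("[Service]\nUser=nobody\nReadWritePaths=/var/lib/example\n"
            + "".join(f"{k}={v}\n" for k, v in EXPECTED.items()))
BARE = "[Unit]\nDescription=constructed sample\n[Service]\nUser=nobody\nPrivateTmp=no\n"

if __name__ == "__main__":
    print(audit(HARDENED))
    print(audit(BARE))
```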


