On Thu, 2022-04-28 at 19:53 +0300, Mantas Mikulėnas wrote:
> That didn't stop many of them (including, apparently, systemd itself)
> from doing so anyway.
>
> [...]
>
> I found a bugzilla about this: https://bugs.freedesktop.org/show_bug.cgi?id=80921

Interesting. The issue also seems to be quite old, meaning it's probably not a problem in practice.

I've looked into it further and I've found another roadblock with polkit. I don't think it is possible to write a rule which would say something like:

    if (action == start transient service
        && invokedByUser == 'knot-resolver'
        && the service will have at most these capabilities
        && the service will run as user 'knot-resolver')
        return YES

The second two quarters of the condition seem impossible. It seems that only the unit name and a verb (start/stop/...) are provided to the polkit rule, nothing more:
https://github.com/systemd/systemd/blob/6ef00eb846a89558ad46d2937addd8ea952b7062/src/core/dbus-util.c#L136-L139

So while the rule could allow us to start a new transient service without root privileges, it wouldn't prevent us from running arbitrary code as root. :(

Vašek
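As an added example (not code from the thread or from systemd/polkit), here is the most a polkit rule can express for this case, assuming the `unit` and `verb` details from the linked dbus-util.c lines are all the rule receives; the rule body is what would go in a `.rules` file, and the surrounding shim stands in for polkitd's rule engine so it can be run under Node.

```javascript
// Stand-in for the objects polkitd provides to /etc/polkit-1/rules.d/*.rules
// (constructed for this example; real polkitd supplies polkit, action, subject).
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  addRule: function (fn) { rules.push(fn); },
};

// The rule itself, as it would appear in a .rules file.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.systemd1.manage-units" &&
      subject.user === "knot-resolver" &&
      action.lookup("verb") === "start" &&
      /^knot-resolver-.*\.service$/.test(action.lookup("unit") || "")) {
    // Only the unit name and verb are visible here. The rule cannot inspect
    // User=, CapabilityBoundingSet= or ExecStart= of the unit being started,
    // so it constrains the caller and the unit name, not what the unit does.
    return polkit.Result.YES;
  }
  // Fall through: polkitd treats "no return" as NOT_HANDLED.
});

// Evaluate rules the way polkitd does: the first rule that returns a
// result other than NOT_HANDLED decides; otherwise the caller's implicit
// authorization applies (represented here as null).
function authorize(actionId, details, user) {
  const action = { id: actionId, lookup: (k) => details[k] };
  const subject = { user: user };
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Sample evaluation on constructed inputs: the one case the rule allows.
authorize("org.freedesktop.systemd1.manage-units",
          { unit: "knot-resolver-gc.service", verb: "start" }, "knot-resolver");
```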