Re: Getting rid of the /run/credentials mount

[Marc Haber <mh+systemd-devel@xxxxxxxxxxxx>]

On Thu, Aug 25, 2022 at 11:37:12PM +0300, Topi Miettinen wrote:
> On 25.8.2022 22.42, Marc Haber wrote:
> > on the system and sends an alert if things change on the system. In the
> > Debian package, this is done from cron. I would like to move that to a
> > systemd timer and in passing use some of systemd's security features.
> > Here is my service:
> > 
> > What do I do to disable the credentials mechanism in my service?
> 
> You could use TemporaryFileSystem=/run together with a few BindPaths= for
> the required directories. For example, on my setup the user doesn't see all
> cruft in global /run:
> $ ls /run
> dbus/  firejail/  systemd/  udev/  user/
> 
> See also
> https://github.com/systemd/systemd/pull/21748
> for some thoughts on tentative new directive PrivateRun= or something
> similar.

My intention is the opposite. I want (and need!) my process to see what
is actually in /run. Nothing should be hidden away. The process itself
doesn't use anything in /run, but I want it to be able to detect changes.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421