On Fri, Aug 26, 2022 at 07:28:37AM +0200, Marc Haber wrote:
> On Thu, Aug 25, 2022 at 11:37:12PM +0300, Topi Miettinen wrote:
> > On 25.8.2022 22.42, Marc Haber wrote:
> > > on the system and sends an alert if things change on the system. In the
> > > Debian package, this is done from cron. I would like to move that to a
> > > systemd timer and in passing use some of systemd's security features.
> > > Here is my service:
> > >
> > > What do I do to disable the credentials mechanism in my service?
> >
> > You could use TemporaryFileSystem=/run together with a few BindPaths= for
> > the required directories. For example, on my setup the user doesn't see all
> > cruft in global /run:
> > $ ls /run
> > dbus/ firejail/ systemd/ udev/ user/
> >
> > See also
> > https://github.com/systemd/systemd/pull/21748
> > for some thoughts on tentative new directive PrivateRun= or something
> > similar.
>
> My intention is the opposite. I want (and need!) my process to see what
> is actually in /run. Nothing should be hidden away. The process itself
> doesn't use anything in /run, but I want it to be able to detect changes.

I filed an enhancement issue, https://github.com/systemd/systemd/issues/24508

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421