On Wed, Jul 10, 2024 at 18:27:43 +0200, Kamil Jońca wrote:

> [...]
> Nothing? So should I understand that other services will see service
> credentials?

Both your services are run by root - why wouldn't you expect the creds
to be visible?

OTOH I see no reason for them to _be_ accessible this (direct file
access) way - therefore it seems suitable and good practice for
/run/credentials/<service> to be privately mounted by default.

This won't change anything for root (nsenter), but might help with
non-root service isolation. And prevent anyone from abusing this path.
And maybe limit some other attack vectors...

Yet this was apparently already considered and made as an aware decision
of Lennart:

https://github.com/systemd/systemd/issues/15778#issuecomment-626893671

although I don't find this reasoning convincing - at least without some
ProtectCredentials knob (entire Protect* family might "break" gracefully
in the same manner).

--
Tomasz Pala <gotar@xxxxxxxxxxxxx>