oss-sec mailing list archives
Re: systemd fails to parse user that should run service
From: Leonid Isaev <leonid.isaev () jila colorado edu>
Date: Thu, 6 Jul 2017 07:28:16 -0600
On Thu, Jul 06, 2017 at 01:17:55PM +0100, Simon McVittie wrote:
> systemd units are analogous to LSB init scripts, which all start as root, and drop privileges internally if they want to.
Hmm, no, no and once again no. SystemD units are sold as something simple and transparent, and hence *associated with a software they launch*, not a given systemD/OS version. In contrast, init scripts are specific to a distribution (would you just run init scripts from Debian on a CentOS or ArchLinux?)

For example, if I maintain a backup script that drops privileges via su(1), I can use the wonderful systemD unit syntax, specify User=xxx and have my package manager install that user in post_install. The problem is that my new and shiny script won't work as intended on old systemD versions which silently ignore the User= directive.

This situation is far worse than a simple failure to properly parse User= config string that seems to so much excite ppl, as it obsoletes the User= directive and perhaps others too. I'm far from sysadmin culture, but is this called "sh*t hitting the fan"?

So, the lesson for all developers would be to rely on systemD features as LITTLE as possible and do all important privilege stuff inside their software. SystemD units should therefore only contain Exec{Start,Stop,Restart}=.

Cheers,
--
Leonid Isaev
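The failure mode discussed in the message above, a unit that declares User= while the service ends up running as someone else, can be caught by the service script itself. The following is an added example, not part of the original post and not systemd code: a POSIX shell guard that reads the declared User= and refuses to run under any other identity. The function names, the sample unit and the unit path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed identity guard for a service script.

# sample_unit: print a constructed unit file (hypothetical service, for demonstration).
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Nightly backup (constructed sample)

[Service]
# User=root
User=backup
ExecStart=/usr/local/bin/backup.sh
EOF
}

# unit_user FILE: print the last User= value found in the [Service] section.
unit_user() {
    awk '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*User[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); user = $0
        }
        END { if (user != "") print user }
    ' "$1"
}

# check_identity WANTED [NAME] [UID]: return 0 only when the process identity
# matches WANTED. NAME and UID default to the effective user of this process.
check_identity() {
    wanted=$1
    name=${2-$(id -un)}
    uid=${3-$(id -u)}
    [ -n "$wanted" ] || { echo "no User= declared; refusing to run" >&2; return 2; }
    case $wanted in
        *[!0-9]*) actual=$name ;;  # User= given as a name
        *)        actual=$uid ;;   # User= given as a numeric UID
    esac
    [ "$actual" = "$wanted" ] && return 0
    echo "refusing to run as '$actual': unit declares User=$wanted" >&2
    return 1
}

# Usage at the top of the service script (unit path is an assumption):
#   check_identity "$(unit_user /etc/systemd/system/backup.service)" || exit 1
```

The guard only detects the mismatch and stops; it does not drop privileges itself, so the script never continues as root by accident.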