| | | |
|---|---|---|
| author | Lennart Poettering <lennart@poettering.net> | 2019-06-24 14:20:36 +0200 |
| committer | Lennart Poettering <lennart@poettering.net> | 2019-06-24 14:20:36 +0200 |
| commit | e0e65f7d097841630faac1f6813ec9bcf2083faa | |
| tree | e88d8b4dbc8dedc64da3756c8cd8a5a00a1224ff /man | |
| parent | 0d92a3088a50212f16bf72672832b2b61dfca551 | |
| download | systemd-e0e65f7d097841630faac1f6813ec9bcf2083faa.tar.gz | |
man: document that DynamicUser=1 implied sandboxing cannot be turned off
Fixes: #12476
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d65b842f44..f333c2c812 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -254,14 +254,15 @@ part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to these files or directories. If <varname>DynamicUser=</varname> is enabled, - <varname>RemoveIPC=</varname>, <varname>PrivateTmp=</varname> are implied. This ensures that the - lifetime of IPC objects and temporary files created by the executed processes is bound to the runtime - of the service, and hence the lifetime of the dynamic user/group. Since <filename>/tmp</filename> and - <filename>/var/tmp</filename> are usually the only world-writable directories on a system this - ensures that a unit making use of dynamic user/group allocation cannot leave files around after unit - termination. Furthermore <varname>NoNewPrivileges=</varname> and <varname>RestrictSUIDSGID=</varname> - are implicitly enabled to ensure that processes invoked cannot take benefit or create SUID/SGID files - or directories. Moreover <varname>ProtectSystem=strict</varname> and + <varname>RemoveIPC=</varname> and <varname>PrivateTmp=</varname> are implied (and cannot be turned + off). This ensures that the lifetime of IPC objects and temporary files created by the executed + processes is bound to the runtime of the service, and hence the lifetime of the dynamic + user/group. Since <filename>/tmp/</filename> and <filename>/var/tmp/</filename> are usually the only + world-writable directories on a system this ensures that a unit making use of dynamic user/group + allocation cannot leave files around after unit termination. Furthermore + <varname>NoNewPrivileges=</varname> and <varname>RestrictSUIDSGID=</varname> are implicitly enabled + (and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID + files or directories. 
Moreover <varname>ProtectSystem=strict</varname> and <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file system locations. In order to allow the service to write to certain directories, they have to be whitelisted using <varname>ReadWritePaths=</varname>, but care must be taken so that |
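Review bot: The new wording leaves the "Moreover ProtectSystem=strict and ProtectHome=read-only are implied" sentence in the trailing context without the same "(and cannot be turned off)" qualifier that the hunk adds for RemoveIPC=/PrivateTmp= and NoNewPrivileges=/RestrictSUIDSGID=, so a reader cannot tell whether those two settings are also locked by DynamicUser= or can still be relaxed per unit; the commit title says the implied sandboxing as a whole cannot be turned off, so either extend the qualifier to that sentence or state explicitly that ProtectSystem=/ProtectHome= remain overridable. Since only the DynamicUser= paragraph is touched here, consider also adding a one-line note under each of the four affected options that an explicit "=no" is ignored while DynamicUser= is enabled, so an administrator reading the option's own entry is not surprised when the setting has no effect. The trailing-slash change from <filename>/tmp</filename> to <filename>/tmp/</filename> (and /var/tmp/) is consistent with the directory-naming convention used elsewhere in the page and needs no further change.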