On 02/01/17 10:03, jdow wrote: > > I also found that I had no way I could find to tell systemd to bring up > a daemon as a relatively unprivileged user rather than root. Running > some services at root privileges makes me nervous even with SELinux in > place and active.
$ man systemd.exec User=, Group= Sets the Unix user or group that the processes are executed as, respectively. Takes a single user or group name or ID as argument. If no group is set, the default group of the user is chosen. Which translates to providing User=/Group= in the [service] section of a unit file. Other useful settings for hardening a service are Capabilities=, SecureBits=, PrivateTmp=, PrivateDevices=, PrivateNetwork=, ProtectSystem=, ProtectHome=, RestrictAddressFamilies=, ReadWriteDirectories=, ReadOnlyDirectories= and InaccessibleDirectories= ... all documented in systemd.exec. And then there is Restart= which is fairly useful and to get a similar behaviour to daemontools, you can look into Type=simple (which is the default if not provided). These are found in systemd.service. Getting a grip of the systemd man page hierarchy can be useful though. I generally find all the information I need when working on unit files for services in systemd.unit, systemd.service, systemd.exec and systemd.kill. That usually covers most of the life cycle of a service. -- kind regards, David Sommerseth