On 17/05/13 02:39, Aaron Faanes wrote:

> So my question, simply, is this: Should I prefer running a process as
> root knowing that it chroots itself, or should I run it as non-root
> and chroot it via systemd?

Well, systemd enforces restrictions at the kernel level, while other software usually does it with whitelists or PAM modules.


> While I'm at it, one thing I'd like to do is construct a whitelist like this:
>
> InaccessibleDirectories=/
> ReadOnlyDirectories=<stuff I'm serving>
>
> Is this possible?

Yes, but you are doing it wrong.

InaccessibleDirectories=/

will usually not work. Applications need to access more than what you think; generally you at least need access to the nscd socket, /dev/null, /dev/urandom, /tmp, some files in /etc, /usr/lib64, etc.



_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
