core/execute: add the magic character '!' to allow privileged execution (#3493)

This patch implements the new magic character '!'. By putting '!' in front of a command, systemd executes it with full privileges ignoring paramters such as User, Group, SupplementaryGroups, CapabilityBoundingSet, AmbientCapabilities, SecureBits, SystemCallFilter, SELinuxContext, AppArmorProfile, SmackProcessLabel, and RestrictAddressFamilies. Fixes partially https://github.com/systemd/systemd/issues/3414 Related to https://github.com/coreos/rkt/issues/2482 Testing: 1. Create a user 'bob' 2. Create the unit file /etc/systemd/system/exec-perm.service (You can use the example below) 3. sudo systemctl start ext-perm.service 4. Verify that the commands starting with '!' were not executed as bob, 4.1 Looking to the output of ls -l /tmp/exec-perm 4.2 Each file contains the result of the id command. ````````````````````````````````````````````````````````````````` [Unit] Description=ext-perm [Service] Type=oneshot TimeoutStartSec=0 User=bob ExecStartPre=!/usr/bin/sh -c "/usr/bin/rm /tmp/exec-perm*" ; /usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-pre" ExecStart=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start" ; !/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-star-2" ExecStartPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-post" ExecReload=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-reload" ExecStop=!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop" ExecStopPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop-post" [Install] WantedBy=multi-user.target] `````````````````````````````````````````````````````````````````
author: Alessandro Puccetti <alessandro@kinvolk.io> 2016-06-10 18:19:54 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-06-10 18:19:54 +0200
commit: cf677fe6868f0565dd625cfbc2992a0f2cd3e053 (patch)
tree: 3e6d5cdbf44a06a1c48d3d6e98f3192b08ae723b /man/systemd.exec.xml
parent: a4e9499d8d205ab580b463882fdccce340c79434 (diff)
1 files changed, 15 insertions, 12 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4a3dd14c39..1c3256a662 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -146,7 +146,7 @@
         <listitem><para>Sets the Unix user or group that the processes
         are executed as, respectively. Takes a single user or group
         name or ID as argument. If no group is set, the default group
-        of the user is chosen.</para></listitem>
+        of the user is chosen. These do not affect commands prefixed with <literal>!</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -161,7 +161,7 @@
         this one will have no effect. In any way, this option does not
         override, but extends the list of supplementary groups
         configured in the system group database for the
-        user.</para></listitem>
+        user. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -795,7 +795,8 @@
         process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
         empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
         settings have no effect.  If set to <literal>~</literal> (without any further argument), the bounding set is
-        reset to the full set of available capabilities, also undoing any previous settings.</para></listitem>
+        reset to the full set of available capabilities, also undoing any previous settings. This does not affect
+        commands prefixed with <literal>!</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -824,7 +825,8 @@
         as a non-privileged user but still want to give it some capabilities.
         Note that in this case option <constant>keep-caps</constant> is
         automatically added to <varname>SecureBits=</varname> to retain the
-        capabilities over the user change.</para></listitem>
+        capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect
+        commands prefixed with <literal>!</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -840,8 +842,8 @@
         <option>noroot-locked</option>.
         This option may appear more than once, in which case the secure
         bits are ORed. If the empty string is assigned to this option,
-        the bits are reset to 0. See
-        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        the bits are reset to 0. This does not affect commands prefixed with <literal>!</literal>.
+        See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
         for details.</para></listitem>
       </varlistentry>
 
@@ -1097,8 +1099,8 @@
         domain transition. However, the policy still needs to
         authorize the transition. This directive is ignored if SELinux
         is disabled. If prefixed by <literal>-</literal>, all errors
-        will be ignored. See
-        <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+        will be ignored. This does not affect commands prefixed with <literal>!</literal>.
+        See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
         for details.</para></listitem>
       </varlistentry>
 
@@ -1110,7 +1112,7 @@
         Profiles must already be loaded in the kernel, or the unit
         will fail. This result in a non operation if AppArmor is not
         enabled. If prefixed by <literal>-</literal>, all errors will
-        be ignored. </para></listitem>
+        be ignored. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1129,7 +1131,8 @@
 
         <para>The value may be prefixed by <literal>-</literal>, in
         which case all errors will be ignored. An empty value may be
-        specified to unset previous assignments.</para>
+        specified to unset previous assignments. This does not affect
+        commands prefixed with <literal>!</literal>.</para>
         </listitem>
       </varlistentry>
 
@@ -1180,7 +1183,7 @@
         listed explicitly. This option may be specified more than once,
         in which case the filter masks are merged. If the empty string
         is assigned, the filter is reset, all prior assignments will
-        have no effect.</para>
+        have no effect. This does not affect commands prefixed with <literal>!</literal>.</para>
 
         <para>If you specify both types of this option (i.e.
         whitelisting and blacklisting), the first encountered will
@@ -1343,7 +1346,7 @@
         family should be included in the configured whitelist as it is
         frequently used for local communication, including for
         <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-        logging.</para></listitem>
+        logging. This does not affect commands prefixed with <literal>!</literal>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
author	Alessandro Puccetti <alessandro@kinvolk.io>	2016-06-10 18:19:54 +0200
committer	Lennart Poettering <lennart@poettering.net>	2016-06-10 18:19:54 +0200
commit	cf677fe6868f0565dd625cfbc2992a0f2cd3e053 (patch)
tree	3e6d5cdbf44a06a1c48d3d6e98f3192b08ae723b /man/systemd.exec.xml
parent	a4e9499d8d205ab580b463882fdccce340c79434 (diff)