author: Lennart Poettering <lennart@poettering.net> 2016-08-03 18:44:51 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-08-03 20:42:04 +0200
commit: d251207d555a1a0d97924980e49b0ba563b9fc67 (patch)
tree: 799335696454ff21312882fca3f4fbed23d5ff88 /src/core/execute.h
parent: 7f5da8bd4fb1ba49ba40195a74ca76bb5d4d1f81 (diff)
core: add new PrivateUsers= option to service execution
This setting adds minimal user namespacing support to a service. When set the invoked processes will run in their own user namespace. Only a trivial mapping will be set up: the root user/group is mapped to root, and the user/group of the service will be mapped to itself, everything else is mapped to nobody. If this setting is used the service runs with no capabilities on the host, but configurable capabilities within the service.

This setting is particularly useful in conjunction with RootDirectory= as the need to synchronize /etc/passwd and /etc/group between the host and the service OS tree is reduced, as only three UID/GIDs need to match: root, nobody and the user of the service itself. But even outside the RootDirectory= case this setting is useful to substantially reduce the attack surface of a service.

Example command to test this:

    systemd-run -p PrivateUsers=1 -p User=foobar -t /bin/sh

This runs a shell as user "foobar". When typing "ps" only processes owned by "root", by "foobar", and by "nobody" should be visible.
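The commit message describes a two-entry identity mapping (root to root, the service user to itself) with every other host ID showing up as "nobody". The following added example, not part of the commit or of systemd's own code, models how the kernel resolves a `/proc/<pid>/uid_map` (or `gid_map`) lookup against such a map and gives a defender a check that a running service's map really is the minimal one. It assumes the kernel's default overflow ID of 65534 for unmapped IDs, and the sample map content and service UID 1000 are constructed for the example.

```python
"""Model of /proc/<pid>/uid_map lookups for a minimal user-namespace map.

Added example; not code from the systemd commit. The map format is the
kernel's: one entry per line, "inside outside count". IDs outside every
entry have no representation in the namespace and are shown as the
overflow ID (assumed to be the kernel default 65534, i.e. "nobody").
"""

OVERFLOW_ID = 65534  # assumption: default kernel overflowuid/overflowgid


def parse_id_map(text):
    """Parse uid_map/gid_map content into (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed id_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError("invalid id_map entry: %r" % line)
        entries.append((inside, outside, count))
    return entries


def host_to_ns(entries, host_id):
    """Translate a host-side ID to what a process inside the namespace sees."""
    for inside, outside, count in entries:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID  # unmapped on the host: shown as nobody inside


def minimal_map(service_id):
    """The mapping the commit message describes for a given service user."""
    entries = [(0, 0, 1)]          # root maps to root
    if service_id != 0:
        entries.append((service_id, service_id, 1))  # service user to itself
    return entries


def is_minimal_map(entries, service_id):
    """True if the map contains exactly the two expected identity entries.

    A wider map (for example a full 1:1 range) would expose far more host
    identities inside the namespace than PrivateUsers= is meant to.
    """
    return sorted(entries) == sorted(minimal_map(service_id))


def visible_owners(entries, host_ids):
    """Set of IDs a 'ps' inside the namespace would report for host_ids."""
    return {host_to_ns(entries, h) for h in host_ids}


if __name__ == "__main__":
    # Constructed sample: what a service with User=foobar (UID 1000) might show.
    sample_map = "         0          0          1\n      1000       1000          1\n"
    entries = parse_id_map(sample_map)
    print("minimal map for UID 1000:", is_minimal_map(entries, 1000))
    # Host processes owned by root, foobar, a daemon user and a second user:
    print("owners visible inside:", sorted(visible_owners(entries, [0, 1000, 33, 1001])))
```

Run against a live service, the same check would read `/proc/<main pid>/uid_map` and `gid_map`; the point of `is_minimal_map` is that anything beyond the two identity entries means the service sees more of the host's identity space than the commit message promises.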
Diffstat (limited to 'src/core/execute.h')
-rw-r--r-- src/core/execute.h | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/execute.h b/src/core/execute.h
index 48cc18fbb3..5fac3e85e8 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -171,6 +171,7 @@ struct ExecContext {
bool private_tmp;
bool private_network;
bool private_devices;
+ bool private_users;
ProtectSystem protect_system;
ProtectHome protect_home;
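Review bot: the new `bool private_users;` field is added with no comment, while the commit message spells out several distinct guarantees for it (root mapped to root, the service user mapped to itself, everything else shown as nobody, no host capabilities); a one-line comment next to the field saying it enables a minimal user namespace would tell readers of `struct ExecContext` what the flag means without going to the changelog. Since the diffstat here is limited to execute.h, please also confirm in the rest of the commit that the field is handled everywhere the sibling `private_tmp`, `private_network` and `private_devices` flags are parsed, dumped and exposed, so the new option cannot be set without being applied.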