Trent W. Buck wrote:
> But I also noticed that "systemd-analyze security" says that PrivateTmp=yes
> will be ignored:
>
> # SYSTEMD_PAGER='grep apply' systemd-analyze security procps.service
> PrivateTmp= Service runs in special boot phase, option does not apply
> ProtectHome= Service runs in special boot phase, option does not apply
> ProtectSystem= Service runs in special boot phase, option does not apply
> RootDirectory=/RootImage= Service runs in special boot phase, option does not apply
> RemoveIPC= Service runs as root, option does not apply
>
> If systemd ignores PrivateTmp=yes when DefaultDependencies=no, then
> systemd SHOULD ignore the implied RequiresMountsFor= (and knock-on
> Requires=var-tmp.mount) when DefaultDependencies=no.
My earlier analysis is clearly incorrect, because systemd-resolved.service and systemd-timesyncd.service both use both DefaultDependencies=no and PrivateTmp=yes, and as a result cannot start until after var-tmp.mount is done (even if /var/tmp is stored on a remote NFS server whose name must be DNS-resolved --- oops!). "systemd-analyze security systemd-resolved" claims that PrivateTmp= "does not apply" to that service, though it clearly does.
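As an added example (not code from the thread or from systemd itself), a small POSIX shell check that scans a unit file for the combination discussed above, DefaultDependencies=no together with PrivateTmp=yes, so early-boot units that will silently pick up the implied RequiresMountsFor= on /var/tmp can be found before they wedge a boot; the unit file it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Flag units that combine DefaultDependencies=no with PrivateTmp=yes.
# As the thread notes, systemd still adds the implied RequiresMountsFor=
# (and hence Requires=/After= on var-tmp.mount) for such units, even though
# "systemd-analyze security" reports PrivateTmp= as not applicable.

# unit_setting FILE KEY -> prints the value of the last KEY= assignment
# (last assignment wins, as in systemd); comments and whitespace ignored.
unit_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# early_boot_private_tmp FILE -> returns 0 when the unit has the combination
# that pulls var-tmp.mount into an early-boot service, 1 otherwise.
early_boot_private_tmp() {
    dd=$(unit_setting "$1" DefaultDependencies)
    pt=$(unit_setting "$1" PrivateTmp)
    case "$dd" in
        no|false|off|0) ;;
        *) return 1 ;;   # default dependencies present: nothing unusual
    esac
    case "$pt" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample unit for the demonstration (hypothetical, not a real unit).
demo_unit=$(mktemp)
cat >"$demo_unit" <<'EOF'
[Unit]
Description=constructed early-boot service
DefaultDependencies=no

[Service]
ExecStart=/bin/true
PrivateTmp=yes
EOF

if early_boot_private_tmp "$demo_unit"; then
    echo "$demo_unit: DefaultDependencies=no + PrivateTmp=yes -> implicit RequiresMountsFor=/var/tmp"
fi
rm -f "$demo_unit"
```

On a live system the resulting dependency can be confirmed with `systemctl show -p Requires -p After systemd-resolved.service`, which lists var-tmp.mount as the thread describes.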