On 19.03.2015 at 18:04, Nusenu wrote:
That tells me that the ExecReload command (kill) is also
restricted by CapabilityBoundingSet. Is this expected [..]?

recent systemd has more problems in the context of systemctl and
restricting even PID1 itself in a way that it is no longer able to kill
processes

thanks for the links. so you are saying this is just a bug and indeed
not expected?

to be honest I don't know, but I hope it's not expected so it can go away sooner or later - while I understand the intention to restrict even systemd pieces themselves as much as possible, some of these things are in the way when you try to secure a customized service as much as possible

as an example there is "PermissionsStartOnly=true" which helps to have an "ExecStartPre" script to ensure permissions and apply User/Group only to "ExecStart"; the same doesn't work for "ReadOnlyDirectories", which is unconditionally applied *before* ExecStartPre

what I would like in some cases is to have an "ExecStartPre" script which takes care of owner, group, permissions and so on for folders which are finally protected by "ReadOnlyDirectories" - in other words: make sure that the service binary has read permissions without the need of an own root unit ordered with Before/After, because that doesn't scale with Restart/Reload

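The two set-ups this mail contrasts, written out as systemd unit fragments. This is an added example, not a unit file from the thread; the unit name, user and path (/srv/example) are assumed.

```ini
# Added example, not from the thread: unit and path names are assumed.
# Version 1 (does not work as intended): PermissionsStartOnly= lets the
# ExecStartPre= lines run as root while ExecStart= runs as User=/Group=,
# but ReadOnlyDirectories= is applied before ExecStartPre= runs, so the
# chown/chmod below fail with EROFS on the read-only bind mount.
#
# /etc/systemd/system/example.service
[Unit]
Description=Example daemon (permission fix inside the sandboxed unit)

[Service]
User=example
Group=example
PermissionsStartOnly=true
ReadOnlyDirectories=/srv/example
ExecStartPre=/bin/chown -R example:example /srv/example
ExecStartPre=/bin/chmod -R u=rX,g=rX,o= /srv/example
ExecStart=/usr/bin/example-daemon --data /srv/example
Restart=on-failure

# Version 2 (the workaround the mail describes): the permission fix moves
# into its own root oneshot unit without sandboxing, and the hardened
# service pulls it in and orders itself after it. The author's objection
# is that this extra unit does not scale with Restart=/reload of the service.
#
# /etc/systemd/system/example-perms.service
[Unit]
Description=Fix owner and permissions of /srv/example

[Service]
Type=oneshot
ExecStart=/bin/chown -R example:example /srv/example
ExecStart=/bin/chmod -R u=rX,g=rX,o= /srv/example

# /etc/systemd/system/example.service
[Unit]
Description=Example daemon (hardened)
Requires=example-perms.service
After=example-perms.service

[Service]
User=example
Group=example
ReadOnlyDirectories=/srv/example
ExecStart=/usr/bin/example-daemon --data /srv/example
Restart=on-failure
```

Later systemd releases added a "+" prefix for Exec*= lines that runs that one command with full privileges and without the unit's User= and sandboxing settings, which is the built-in form of this workaround (assumed here from the current documentation, not from the thread).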

_______________________________________________
systemd-devel mailing list
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
