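# Raise the service manager's log level to debug, so the sandbox set-up of the
# transient units started by this script is logged in detail.
# (The listing's line-number gutter was fused into this line; as written, the
# shell would have tried to run a command named "5".)
systemd-analyze log-level debug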
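# Run the caller's command line as "$userid", with XDG_RUNTIME_DIR pointing at
# that user's runtime directory so `systemd-run --user` can reach the user's
# service manager.
#
# The -c script is single-quoted on purpose: it is expanded by the inner
# /bin/sh running as the target user, not by this shell. The caller's
# arguments travel as positional parameters (after the "sh" placeholder that
# becomes $0) and are exec'd via "$@", so they are never re-parsed as shell
# code.
#
# The uid comes from `id -u` rather than $UID: $UID is set by bash but not by
# every /bin/sh (dash leaves it unset), which would yield "/run/user/".
#
# NOTE(review): $userid is assigned outside the lines visible in this listing;
# this looks like the body of the runas helper used by the tests - confirm.
# shellcheck disable=SC2016
su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$(id -u) exec "$@"' -- sh "$@"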
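# Smoke test: the unprivileged user's own service manager (--user) must be
# able to start a transient unit with PrivateUsers=yes. --wait blocks until
# the unit finishes and -P (--pipe) connects its stdio, so a failure to set up
# the user namespace shows up as a non-zero exit status here. Only the exit
# status is checked; the "hello" output is not compared.
runas testuser systemd-run --wait --user --unit=test-private-users \
    -p PrivateUsers=yes -P echo hello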
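# PrivateTmp=yes isolation, direction 1 (unit -> host): a file the sandboxed
# unit creates in its /tmp must stay inside the unit's private tmp directory.
runas testuser systemd-run --wait --user --unit=test-private-tmp-innerfile \
    -p PrivateUsers=yes -p PrivateTmp=yes \
    -P touch /tmp/innerfile.txt
# File should not exist outside the job's tmp directory.
# NOTE(review): this check only fails the run if errexit is enabled in the
# part of the script not visible here - confirm.
test ! -e /tmp/innerfile.txt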
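# PrivateTmp=yes isolation, direction 2 (host -> unit): a file created in the
# host's /tmp must not be visible from inside the unit.
touch /tmp/outerfile.txt
# File should not appear in unit's private tmp.
# The "!" below is an argument to `test` running inside the unit, not a shell
# negation of the whole systemd-run command; the unit exits 0 only when the
# host file is absent from its view.
runas testuser systemd-run --wait --user --unit=test-private-tmp-outerfile \
    -p PrivateUsers=yes -p PrivateTmp=yes \
    -P test ! -e /tmp/outerfile.txt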
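# Confirm that creating a file in home works
# Control case: no ProtectHome= (and no PrivateUsers=) is set, so the write
# must succeed. It shows that a later refusal under ProtectHome= is caused by
# the sandbox setting rather than by ordinary file permissions.
runas testuser systemd-run --wait --user --unit=test-unprotected-home \
    -P touch /home/testuser/works.txt
# The file is checked from the host side, outside the unit.
test -e /home/testuser/works.txt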
33 # Confirm that creating a file in home is blocked under read-only
34 runas testuser systemd-run
--wait --user --unit=test-protect-home-read-only \
35 -p PrivateUsers
=yes -p ProtectHome
=read-only \
37 test -e /home/testuser/works.txt
38 ! touch /home/testuser/blocked.txt
40 test ! -e /home
/testuser
/blocked.txt
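# Check that tmpfs hides the whole directory
# With ProtectHome=tmpfs the unit should not see the user's own home
# directory at all. The "!" is an argument to `test` inside the unit, so the
# unit exits 0 only when /home/testuser does not exist from its point of view.
runas testuser systemd-run --wait --user --unit=test-protect-home-tmpfs \
    -p PrivateUsers=yes -p ProtectHome=tmpfs \
    -P test ! -e /home/testuser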
47 # Confirm that home, /root, and /run/user are inaccessible under "yes"
48 runas testuser systemd-run
--wait --user --unit=test-protect-home-yes \
49 -p PrivateUsers
=yes -p ProtectHome
=yes \
51 test "$(stat -c %a /home)" = "0"
52 test "$(stat -c %a /root)" = "0"
53 test "$(stat -c %a /run/user)" = "0"
56 # Confirm we cannot change groups because we only have one mapping in the user
57 # namespace (no CAP_SETGID in the parent namespace to write the additional
58 # mapping of the user supplied group and thus cannot change groups to an
60 ! runas testuser systemd-run
--wait --user --unit=test-group-fail \
61 -p PrivateUsers
=yes -p Group
=daemon \
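# Set the service manager's log level to info once the sandbox checks are done.
# (The listing's line-number gutter was fused into this line; as written, the
# shell would have tried to run a command named "64".)
systemd-analyze log-level info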