git.ipfire.org Git - thirdparty/systemd.git/commit

core: add new PrivateUsers= option to service execution

This setting adds minimal user namespacing support to a service. When set the invoked
processes will run in their own user namespace. Only a trivial mapping will be
set up: the root user/group is mapped to root, and the user/group of the
service will be mapped to itself, everything else is mapped to nobody.

If this setting is used the service runs with no capabilities on the host, but
configurable capabilities within the service.

This setting is particularly useful in conjunction with RootDirectory= as the
need to synchronize /etc/passwd and /etc/group between the host and the service
OS tree is reduced, as only three UID/GIDs need to match: root, nobody and the
user of the service itself. But even outside the RootDirectory= case this
setting is useful to substantially reduce the attack surface of a service.

Example command to test this:

systemd-run -p PrivateUsers=1 -p User=foobar -t /bin/sh

This runs a shell as user "foobar". When typing "ps" only processes owned by
"root", by "foobar", and by "nobody" should be visible.

author	Lennart Poettering <lennart@poettering.net>
	Wed, 3 Aug 2016 16:44:51 +0000 (18:44 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 3 Aug 2016 18:42:04 +0000 (20:42 +0200)
commit	d251207d555a1a0d97924980e49b0ba563b9fc67
tree	799335696454ff21312882fca3f4fbed23d5ff88	tree \| snapshot
parent	7f5da8bd4fb1ba49ba40195a74ca76bb5d4d1f81	commit \| diff

man/systemd.exec.xml		diff \| blob \| blame \| history
src/core/dbus-execute.c		diff \| blob \| blame \| history
src/core/execute.c		diff \| blob \| blame \| history
src/core/execute.h		diff \| blob \| blame \| history
src/core/load-fragment-gperf.gperf.m4		diff \| blob \| blame \| history
src/shared/bus-unit-util.c		diff \| blob \| blame \| history