From: Lennart Poettering Date: Wed, 26 Apr 2023 19:23:42 +0000 (+0200) Subject: update TODO X-Git-Tag: v254-rc1~621 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f351e951d3744f20e59bcf28de09dd94f8a65693;p=thirdparty%2Fsystemd.git update TODO --- diff --git a/TODO b/TODO index ea35f3b7dba..b7d5813f177 100644 --- a/TODO +++ b/TODO @@ -129,6 +129,13 @@ Deprecations and removals: Features: +* mount most file systems with a restrictive uidmap. e.g. mount /usr/ with a + uidmap that blocks out anything outside 0…1000 (i.e. system users) and similar. + +* mount the root fs with MS_NOSUID by default, and then mount /usr/ without + both so that suid executables can only be placed there. Do this already in + the initrd. If /usr/ is not split out create a bind mount automatically. + * rework journalctl -M to be based on a machined method that generates a mount fd of the relevant journal dirs in the container with uidmapping applied to allow the host to read it, while making everything read-only.