On 31.10.2014 at 18:10, Reindl Harald wrote:
> On 31.10.2014 at 18:06, Fisher, Charles J. (Top Echelon) wrote:
>> From: systemd-devel [mailto:systemd-devel-boun...@lists.freedesktop.org] On Behalf Of Reindl Harald
>>
>> For some reason, the iptables didn't happen. Maybe it needs to be fully qualified.
>
> yes, it needs to be, as any other path; the documentation is very clear here
>
>> No, [unix] user oracle doesn't have permission to run iptables.
>
> but it needs to be fully qualified anyways
>
>> I either need to sudo something up, or put this elsewhere. Letting different commands run with different uids/gids would be a nice feature
>
> "PermissionsStartOnly=true" exists, and so you can have helper processes as root while restricting the main process - anything else is hardly maintainable with the now clear ini-style of a unit

BTW: adding such a firewall rule to a systemd unit is a *very* bad attitude; if it is your personal service in /etc, fine, but you must not do that anywhere else

ExecStartPost=iptables -I INPUT -p tcp --dport 1521 --syn -j ACCEPT

* who says that it should be reachable from everywhere
* who says it should be reachable on every interface
* who says that not firewalld or shorewall or something else does firewall management on the machine, and that this works hence in a different environment
* who configures iptables on that machine
* consider what harm you are doing to that person, not understanding why a port is open while it is not defined in the global firewall
* even in your personal service it *does not* belong here; it is called with every restart
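A constructed unit file illustrating the mechanism discussed in the thread (added here, not from any of the posters): the main process is confined to an unprivileged user, while root-only setup steps go into ExecStartPre under PermissionsStartOnly=true, and the firewall rule stays out of the unit. The service name, the /opt/oracle/bin/listener binary and the /run/oracle directory are placeholders.

```ini
# Constructed example: an unprivileged listener with a root-run helper.
[Unit]
Description=Example listener (placeholder service, not a real unit)

[Service]
# The main process runs as the unprivileged oracle user.
User=oracle
# Commands in ExecStartPre/ExecStartPost run as root; ExecStart still runs as User=.
PermissionsStartOnly=true
# Root-only preparation, with absolute paths as systemd requires.
ExecStartPre=/bin/mkdir -p /run/oracle
ExecStartPre=/bin/chown oracle:oracle /run/oracle
ExecStart=/opt/oracle/bin/listener
# Not like this: a relative command name is rejected, and a host firewall rule
# re-inserted on every restart belongs in the system's firewall configuration
# (firewalld, shorewall, ...), not in a unit file.
#ExecStartPost=iptables -I INPUT -p tcp --dport 1521 --syn -j ACCEPT

[Install]
WantedBy=multi-user.target
```

Check the effective identities with `systemctl status` or the process list after start: the mkdir/chown helpers run as root, the listener as oracle.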
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel