You are confusing a user service (which is installed in /usr/lib/systemd/user) with privilege dropping via User=. Those are different things.
2016-12-09 2:01 GMT+01:00 Reindl Harald <h.rei...@thelounge.net>:
>
> On 09.12.2016 at 01:56, Michael Biebl wrote:
>>
>> Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
>> The one linked from fdo
>> (http://0pointer.de/blog/projects/security.html) is pretty dated and
>> the systemd.exec man page is not coherent enough with regards to
>> security/sandboxing.
>>
>> Related to that, I think it would be good if we would annotate in the
>> man page, which sandboxing features work for user services and which
>> don't. It's not always immediately obvious which feature requires root
>> privileges
>
> "requires root privileges" - a question here
>
> in my understanding those features are applied *before* dropping the privileges to
> "User" and "Group"
>
> User=sa-milt
> Group=sa-milt
> PrivateTmp=yes
> PrivateDevices=yes
> NoNewPrivileges=yes
> CapabilityBoundingSet=CAP_KILL
> RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime
> delete_module fanotify_init finit_module get_mempolicy init_module
> io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp
> kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages
> open_by_handle_at perf_event_open pivot_root process_vm_readv
> process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff
> swapon umount2 uselib vmsplice
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
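As an added example (not code from the thread or from the systemd project), a small Python checker that parses the [Service] section of a unit like the one quoted above and reports which sandboxing directives can take effect, depending on whether the file is a system unit or lives in a user-manager directory. The NEEDS_ROOT / UNPRIVILEGED_OK split is my reading of systemd.exec(5), and the sample unit is constructed.

```python
# Added example, not from the thread; the NEEDS_ROOT split is my reading of systemd.exec(5).
NEEDS_ROOT = {  # mount/net namespaces or capability changes: root in the manager
    "User", "Group", "PrivateTmp", "PrivateDevices", "PrivateNetwork",
    "ProtectSystem", "ProtectHome", "CapabilityBoundingSet", "AmbientCapabilities",
}
UNPRIVILEGED_OK = {  # seccomp/prctl based: any uid can apply them
    "NoNewPrivileges", "SystemCallFilter", "SystemCallArchitectures",
    "RestrictAddressFamilies", "MemoryDenyWriteExecute", "RestrictRealtime",
}
USER_DIRS = ("/usr/lib/systemd/user/", "/etc/systemd/user/", "/.config/systemd/user/")

# Constructed sample modelled on the unit quoted in the thread.
SAMPLE_UNIT = """[Service]
User=sa-milt
PrivateTmp=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
SystemCallFilter=~acct modify_ldt add_key \\
    adjtimex clock_adjtime delete_module
"""

def parse_service(text):
    """Return {key: [values]} for [Service], joining backslash continuation lines."""
    keys, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            keys.setdefault(key.strip(), []).append(value.strip())
    return keys

def check_unit(path, text):
    """Report which sandboxing keys take effect for a unit installed at `path`."""
    is_user = any(d in path for d in USER_DIRS)  # per-user manager, unprivileged
    report = {"unit_type": "user" if is_user else "system", "applied": [], "ineffective": []}
    for key in parse_service(text):
        if key in NEEDS_ROOT:  # system unit: set up before User= drops privileges
            report["ineffective" if is_user else "applied"].append(key)
        elif key in UNPRIVILEGED_OK:
            report["applied"].append(key)
    return report
```

Running `check_unit("/usr/lib/systemd/user/x.service", SAMPLE_UNIT)` lists User=, PrivateTmp= and CapabilityBoundingSet= as ineffective, while the same file under /usr/lib/systemd/system/ gets all of them applied.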