Package: systemd Version: 215-12 Severity: normal Tags: upstream Hi,
this also affects experimental (219-5) We're trying to run multiple DHCP processes on one system. They have their data in a instance-specific configuration directory and we'd like to limit (r/w for now) filesystem access to that directory for security reasons. ==> [email protected] <== [Unit] Description=DHCP Instance %i After=syslog.target After=network.target [Service] ExecStart=/usr/sbin/dhcpd -cf /var/lib/dhcp/%i/etc/dhcpd.conf -lf /var/lib/dhcp/%i/db/dhcpd.leases -pf /var/lib/dhcp/%i/dhcpd.pid -f Type=simple Restart=on-failure CapabilityBoundingSet=CAP_NET_RAW CAP_NET_BIND_SERVICE NoNewPrivileges=true ReadOnlyDirectories=/ ReadWriteDirectories=/var/lib/dhcp/%i This does not work Apr 02 11:02:38 dns-w-neu systemd[1]: Started DHCP Instance b1peer2. Apr 02 11:02:38 dns-w-neu systemd[1]: Starting DHCP Instance b1peer2... Apr 02 11:02:38 dns-w-neu systemd[7760]: Failed at step NAMESPACE spawning /usr/sbin/dhcpd: No such file or directory Apr 02 11:02:38 dns-w-neu systemd[1]: [email protected]: main process exited, code=exited, status=226/NAMESPACE Apr 02 11:02:38 dns-w-neu systemd[1]: Unit [email protected] entered failed state. Apr 02 11:02:38 dns-w-neu systemd[1]: [email protected] failed. Apr 02 11:02:38 dns-w-neu systemd[1]: [email protected] holdoff time over, scheduling restart. The directory exists root@dns-w-neu:/var/lib/dhcp# ls -lad b1peer2 drwxr-xr-x 4 root root 4096 Apr 1 16:40 b1peer2 it works fine with either ReadWriteDirectories=/var/lib/dhcp and ReadWriteDirectories=/var/lib/dhcp/b1peer2 (which obviously won't work with other instances, but that's not the point here). So it seems that %i is not evaluated in ReadWriteDirectories (at least). Bernhard -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
