On 16.01.2015 at 15:33, Wietse Venema wrote:
Wietse Venema:
FreeBSD:
# mkdir -p /var/spool/postfix/var/run
# syslogd -l /var/spool/postfix/var/run/log
Linux, OpenBSD:
# mkdir -p /var/spool/postfix/dev
# syslogd -a /var/spool/postfix/dev/log
Except that on some systems systemd is taking over every service,
like the Borg ("Resistance is futile. You will be assimilated.").
On the other hand you get many more logs on recent systemd
distributions; even stdout, which normally does not make it to the syslog, is now
caught by journald.
With chroot and bind-mounts you can even get important devices by just
bind-mounting /dev in the new chroot without leaking the complete /dev tree,
and no longer need to consider each and every separate
PrivateDevices=
Takes a boolean argument. If true, sets up a new /dev namespace for the
executed processes and only adds API pseudo devices such as /dev/null,
/dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
but no physical devices such as /dev/sda. This is useful to securely
turn off physical device access by the executed process. Defaults to
false. Enabling this option will also remove CAP_MKNOD from the
capability bounding set for the unit (see above), and set
DevicePolicy=closed (see systemd.resource-control(5) for details). Note
that using this setting will disconnect propagation of mounts from the
service to the host (propagation in the opposite direction continues to
work). This means that this setting may not be used for services which
shall be able to install mount points in the main mount namespace.
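As an added illustration of the chroot logging setup quoted above (this is my own script, not code from the thread or from Postfix/systemd), the following POSIX shell functions map an OS name to the socket path a chrooted daemon expects, to the syslogd flag that creates it there, and check whether that socket is actually present. The chroot directory `/var/spool/postfix` and the `uname -s` names are assumptions for the example; the paths and flags are the ones given in the mail. The point for a defender is that a chrooted daemon whose log socket is missing loses its log lines silently, so the check is worth running after any syslogd or systemd change.

```shell
#!/bin/sh
# Added example, not from the original mail. Maps an OS name (as printed by
# `uname -s`, assumed) to the syslog socket a chrooted daemon expects and to
# the syslogd flag that creates it. Paths and flags follow the mail:
#   FreeBSD        -> <chroot>/var/run/log, created with `syslogd -l`
#   Linux, OpenBSD -> <chroot>/dev/log,     created with `syslogd -a`

chroot_log_socket_path() {
    os=$1
    chroot_dir=$2
    case "$os" in
        FreeBSD)        printf '%s/var/run/log\n' "$chroot_dir" ;;
        Linux|OpenBSD)  printf '%s/dev/log\n' "$chroot_dir" ;;
        *)              return 1 ;;   # unknown OS: caller decides
    esac
}

syslogd_socket_flag() {
    case "$1" in
        FreeBSD)        echo "-l" ;;
        Linux|OpenBSD)  echo "-a" ;;
        *)              return 1 ;;
    esac
}

# Exit status: 0 = socket present, 1 = missing (log lines from the chrooted
# daemon would be silently dropped), 2 = OS not covered by the table above.
check_chroot_log_socket() {
    sock=$(chroot_log_socket_path "$1" "$2") || return 2
    [ -S "$sock" ]
}

# Print the two commands from the mail for this host; makes no changes itself.
show_setup_commands() {
    os=$1
    chroot_dir=$2
    sock=$(chroot_log_socket_path "$os" "$chroot_dir") || return 1
    flag=$(syslogd_socket_flag "$os")
    printf 'mkdir -p %s\n' "$(dirname "$sock")"
    printf 'syslogd %s %s\n' "$flag" "$sock"
}

main() {
    os=$(uname -s)
    dir=${1:-/var/spool/postfix}   # assumed default Postfix queue directory
    if check_chroot_log_socket "$os" "$dir"; then
        echo "ok: $(chroot_log_socket_path "$os" "$dir") is a socket"
    else
        echo "missing or unsupported: as root, run"
        show_setup_commands "$os" "$dir" || echo "  (no recipe for $os)"
    fi
}

main "$@"
```

Run it as `sh check-chroot-log.sh [chroot-dir]`; it only reads the filesystem, and prints the `mkdir`/`syslogd` lines for an operator to apply by hand. On a systemd host where journald owns `/dev/log`, the same check tells you whether the socket was carried into the chroot (for example by a bind mount) or is absent there.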