On Fri, 21.08.15 13:29, Christian Seiler (christ...@iwakd.de) wrote:
> On 21.08.2015 12:04, Jóhann B. Guðmundsson wrote:
> > Should not the solution for this be tied to the user and group field
> > mentioned in the unit so for example the postgresql type service unit
> > contains...
> > User=postg
On 21.08.2015 12:04, Jóhann B. Guðmundsson wrote:
> Should not the solution for this be tied to the user and group field
> mentioned in the unit so for example the postgresql type service unit
> contains...
> User=postgres
> Group=postgres
>
> Which would mean that the postgres user could start,sto
On Fri, Aug 21, 2015 at 01:50:31PM +0300, Mantas Mikulėnas wrote:
> On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift
> wrote:
>
> > On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
> >
> > >
> > > Do they have access to `cat /proc/self/mounts`?
> >
> > Ouch yes... ok that is a dea
On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift
wrote:
> On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
>
> >
> > Do they have access to `cat /proc/self/mounts`?
>
> Ouch yes... ok that is a dead end I suppose
Right. That was my point. Restricting individual commands like `mo
On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
>
> Do they have access to `cat /proc/self/mounts`?
Ouch yes... ok that is a dead end I suppose
>
> --
> Mantas Mikulėnas
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vin
On Fri, Aug 21, 2015 at 1:29 PM, Dominick Grift
wrote:
> On Fri, Aug 21, 2015 at 01:10:51PM +0300, Mantas Mikulėnas wrote:
>
>
> > >
> > > I think it kind of sucks that systemctl --user list-units can be used to
> > > determine who is currently logged in. ( it shows active mount units for
> >
On Fri, Aug 21, 2015 at 08:25:56PM +1000, Daurnimator wrote:
> On 21 August 2015 at 19:57, Dominick Grift wrote:
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in.
>
> You can see with `loginctl list-users` too
My restricted use
On Fri, Aug 21, 2015 at 01:10:51PM +0300, Mantas Mikulėnas wrote:
> >
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in. ( it shows active mount units for
> > XDG_RUNTIME_DIR and since those have UID as name you can see who is
>
On 21 August 2015 at 19:57, Dominick Grift wrote:
> I think it kind of sucks that systemctl --user list-units can be used to
> determine who is currently logged in.
You can see with `loginctl list-users` too
I once tried to prevent getting a list of users, but it's hard... I locked out:
- `w`
On Fri, Aug 21, 2015 at 12:57 PM, Dominick Grift
wrote:
> Made a demo because I was bored:
> https://www.youtube.com/watch?v=KrK5a7D77l0
>
> In practice though this is probably not an option for you. It is very
> expensive. However it is (optionally) supported by systemd and I just
> wanted to co
On 08/20/2015 10:02 PM, Lennart Poettering wrote:
On Thu, 20.08.15 23:41, Michael Biebl (mbi...@gmail.com) wrote:
Hi,
say I wanted to grant an unprivileged userA the ability to
systemctl start/stop/restart/reload foo.service
and only grant this for foo.service.
Is there a way to achieve tha
Made a demo because I was bored: https://www.youtube.com/watch?v=KrK5a7D77l0
In practice though this is probably not an option for you. It is very
expensive. However it is (optionally) supported by systemd and I just wanted to
counter the misinformation.
I think it kind of sucks that systemctl
systemd has a built-in extension to the SELinux MAC framework. If that
and SELinux are enabled, then you can use the SELinux framework and
systemd SELinux extension to configure which services may be controlled
by specified processes on a fine-grained level using mandatory access control.
Policyk
On Thu, 20.08.15 23:41, Michael Biebl (mbi...@gmail.com) wrote:
> Hi,
>
> say I wanted to grant an unprivileged userA the ability to
> systemctl start/stop/restart/reload foo.service
> and only grant this for foo.service.
>
> Is there a way to achieve that without resorting to using hacks like
>
Hi,
say I wanted to grant an unprivileged userA the ability to
systemctl start/stop/restart/reload foo.service
and only grant this for foo.service.
Is there a way to achieve that without resorting to using hacks like
sudo or a suid binary? From a cursory look, the existing PolicyKit
rules are too
15 matches