On Sat, Jan 25, 2014 at 12:58:55PM -0800, Josh Triplett wrote:
> Some daemons provide an access-controlled service via UNIX domain
> sockets that have a specified user or group, and a mode like 0660. For
> instance, clamd does this. systemd .socket units don't support setting
> the user or group; systemd always creates sockets as root:root. This
> prevents replacing the socket setup code in such daemons with socket
> activation, or requires workarounds such as shelling out to chown.
>
> Commit aea54018a5e66a41318afb6c6be745b6aef48d9e
> (http://cgit.freedesktop.org/systemd/systemd/commit/?id=aea54018a5e66a41318afb6c6be745b6aef48d9e)
> added support for SocketUser and SocketGroup options, to set the
> user and group for a UNIX domain socket or FIFO. However, commit
> e4f44e734c4f397ee5e7ba3270e014a8ae0043dd
> (http://cgit.freedesktop.org/systemd/systemd/commit/?id=e4f44e734c4f397ee5e7ba3270e014a8ae0043dd)
> shortly afterward reverted that, removing the new options.
>
> Is this due to the issues with touching NSS from PID 1?

Yep.

> What might it take to add those options back?

There was a recent discussion about joining namespaces from PID 1 which
brought up the idea of forking off a small process from PID 1 to do that
job instead. The same sort of logic would allow doing NSS calls from PID 1.

d
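
The approach mentioned in the reply above, doing the NSS lookup in a small forked process rather than in the long-lived parent, is shown here as an added example; it is not systemd code and not from this thread. The function name `resolve_uid_in_child` is hypothetical, and the reply format (one fixed-size UID over a pipe) is an assumption.

```c
#include <errno.h>
#include <pwd.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not systemd code): resolve a user name to a UID in a
 * short-lived child, so getpwnam() and whatever NSS modules it loads never
 * run in the caller. Returns 0 and sets *out on success, -1 on failure. */
int resolve_uid_in_child(const char *name, uid_t *out)
{
    int fds[2], status;
    uint32_t uid = 0;
    ssize_t n;

    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                     /* child: the only place NSS runs */
        close(fds[0]);
        struct passwd *pw = getpwnam(name);
        if (!pw)
            _exit(1);
        uid = (uint32_t) pw->pw_uid;
        _exit(write(fds[1], &uid, sizeof(uid)) == (ssize_t) sizeof(uid) ? 0 : 1);
    }
    close(fds[1]);                      /* parent: fixed-size reply only */
    do {
        n = read(fds[0], &uid, sizeof(uid));
    } while (n < 0 && errno == EINTR);
    close(fds[0]);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    /* Trust the value only if the child exited cleanly and sent all bytes. */
    if (n != (ssize_t) sizeof(uid) || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    *out = (uid_t) uid;
    return 0;
}
```

The parent accepts nothing from the child except a fixed-size integer and an exit status, so a crash or hang inside an NSS module stays confined to the helper process.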