Hi,
while booting this morning I noticed that a service I wrote which had a
very paranoid

    PrivateTmp=yes
    ReadOnlyDirectories=/
    ReadWriteDirectories=/var/cache/something

which used to work quite nicely was failing to start. It seems that ever
since the recent changes with the addition of ProtectSystem=, this
particular service doesn't get access to its /tmp (or /var/tmp) because
ReadOnlyDirectories is applied recursively. Even adding /tmp to the
ReadWriteDirectories will not fix this.

I do know about ProtectSystem and ProtectHome, but I would argue that
for a service that can handle it, a more paranoid setting like the above
would be superior and should be available and supported. Is this
intentionally not supported (any more)?

Jan

A simple service to test this:

    [Unit]
    Description=Testing access

    [Service]
    ExecStart=/usr/bin/touch /tmp/access-test
    PrivateTmp=true
    ReadOnlyDirectories=/
    # will not help here
    ReadWriteDirectories=/tmp

_______________________________________________
systemd-devel mailing list
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
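
A way to check the situation described in the message from outside the service, as an added example that is not part of the original post: this Python script reads a process's `/proc/<pid>/mountinfo` and reports whether `/tmp`, `/var/tmp` and the cache directory are read-only in that process's mount namespace. The sample mount table and all function names are constructed for illustration.

```python
import sys

# Constructed sample in /proc/<pid>/mountinfo format (not captured from a real
# system): "/" is read-only, and so are the private /tmp and /var/tmp mounts.
SAMPLE = """\
100 90 8:1 / / ro,relatime shared:1 - ext4 /dev/sda1 rw
101 100 8:1 /tmp/systemd-private-EXAMPLE/tmp /tmp ro,relatime - ext4 /dev/sda1 rw
102 100 8:1 /var/tmp/systemd-private-EXAMPLE/tmp /var/tmp ro,relatime - ext4 /dev/sda1 rw
103 100 8:1 /var/cache/something /var/cache/something rw,relatime - ext4 /dev/sda1 rw
"""

def _unescape(field):
    # The kernel writes space, tab, newline and backslash as octal escapes.
    for esc, char in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, char)
    return field

def parse_mountinfo(text):
    """Return (mount_point, is_read_only) pairs in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields[6:]:
            continue  # not a mountinfo record
        # Field 5 is the mount point, field 6 the per-mount options, which is
        # where a read-only bind remount shows up.
        mounts.append((_unescape(fields[4]), "ro" in fields[5].split(",")))
    return mounts

def covering_mount(path, mounts):
    """Longest mount-point prefix wins; on a tie the later line (topmost mount)."""
    best = None
    for point, read_only in mounts:
        prefix = point.rstrip("/") + "/"
        if (path + "/").startswith(prefix):
            if best is None or len(point) >= len(best[0]):
                best = (point, read_only)
    return best

def report(paths, mountinfo_text):
    """Map each path to "ro", "rw" or "unknown" (no covering mount found)."""
    mounts = parse_mountinfo(mountinfo_text)
    result = {}
    for path in paths:
        hit = covering_mount(path, mounts)
        result[path] = "unknown" if hit is None else ("ro" if hit[1] else "rw")
    return result

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, mode in report(["/tmp", "/var/tmp", "/var/cache/something", "/etc"], text).items():
        print(f"{path}: {mode}")
```

Run it with the path to the service's `mountinfo` file (for the main PID of the unit) as the only argument; without an argument it uses the constructed sample.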