On Mon, Aug 25, 2014 at 12:58 PM, Yarny <ya...@public-files.de> wrote:
> I recently discovered the PrivateNetwork
> option in systemd.exec(5), and I was wondering:
>
> Is it also possible to restrict user sessions with this option?
>
> I'd like to prevent a certain user's group from
> accessing the network configuration of my machine
> (they should even be forbidden to see the IP address).
>
> To this end, I tried editing files like
> /etc/systemd/system/user@1234.service,
> but it didn't have any effect (openSUSE 13.1 with systemd 208).

At the moment, "user@.service" does not manage your session at all -- it merely runs various 'background' services that you might have added (cronjobs, tmux, mpd...) The interactive sessions, meanwhile, are launched directly (by /bin/login or GDM or sshd).

Even though GNOME seems to have plans to migrate the user session startup to user@, it's not going to help much, as it won't affect console logins, SSH logins, and so on.

Instead, you should check if someone has written a PAM 'session' module which could do this. (There's one for mount namespaces.) If not, one should be easy to write, and it'll protect *all* login methods.

--
Mantas Mikulėnas <graw...@gmail.com>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel