On 15.02.2015 at 13:31, Павел Самсонов wrote:
Good day, I see a new Debian jessie, and I mean that /var/run/<pid>
filesystems must be mounted with noexec options, so they have user write
access. On some installations this is very important. Where may I configure
this, or may you change your default mount options?
Sorry for my English, best regards, Pavel, Russia

in case of services you should consider "ProtectSystem" and "ProtectHome" which makes "/run/user" completely inaccessible

normally the service itself has no business to mangle around there

ProtectSystem=
Takes a boolean argument or "full". If true, mounts the /usr directory read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too. This setting ensures that any modification of the vendor supplied operating system (and optionally its configuration) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. Note however that processes retaining the CAP_SYS_ADMIN capability can undo the effect of this setting. This setting is hence particularly useful for daemons which have this capability removed, for example with CapabilityBoundingSet=. Defaults to off.

ProtectHome=
Takes a boolean argument or "read-only". If true, the directories /home and /run/user are made inaccessible and empty for processes invoked by this unit. If set to "read-only", the two directories are made read-only instead. It is recommended to enable this setting for all long-running services (in particular network-facing ones), to ensure they cannot get access to private user data, unless the services actually require access to the user's private data. Note however that processes retaining the CAP_SYS_ADMIN capability can undo the effect of this setting. This setting is hence particularly useful for daemons which have this capability removed, for example with CapabilityBoundingSet=. Defaults to off.
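As an added example (not part of the original message), the two settings quoted above combined into a drop-in for a hypothetical long-running service "mydaemon.service"; the unit name, the file path and the capability kept in the bounding set are assumptions:

```ini
# /etc/systemd/system/mydaemon.service.d/hardening.conf (hypothetical path)
[Service]
# "full": /usr and /etc are mounted read-only for this service
ProtectSystem=full
# true: /home and /run/user are inaccessible and empty for this service
ProtectHome=yes
# Both settings can be undone by a process that retains CAP_SYS_ADMIN,
# so restrict the bounding set to what the daemon actually needs.
# Assumed here: only binding to a privileged port is required.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
```

After `systemctl daemon-reload` and a restart of the service, `systemctl show -p ProtectSystem -p ProtectHome -p CapabilityBoundingSet mydaemon.service` shows the effective values.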


_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
