On 02/01/17 10:03, jdow wrote:
>
> I also found that I had no way I could find to tell systemd to bring up
> a daemon as a relatively unprivileged user rather than root. Running
> some services at root privileges makes me nervous even with SELinux in
> place and active.
$ man systemd.exec
User=, Group=
Sets the Unix user or group that the
processes are executed as,
respectively. Takes a single user or
group name or ID as argument. If no
group is set, the default group of the
user is chosen.
Which translates to providing User=/Group= in the [service] section of a
unit file.
Other useful settings for hardening a service are Capabilities=,
SecureBits=, PrivateTmp=, PrivateDevices=, PrivateNetwork=,
ProtectSystem=, ProtectHome=, RestrictAddressFamilies=,
ReadWriteDirectories=, ReadOnlyDirectories= and InaccessibleDirectories=
... all documented in systemd.exec.
And then there is Restart= which is fairly useful and to get a similar
behaviour to daemontools, you can look into Type=simple (which is the
default if not provided). These are found in systemd.service.
Getting a grip of the systemd man page hierarchy can be useful though.
I generally find all the information I need when working on unit files
for services in systemd.unit, systemd.service, systemd.exec and
systemd.kill. That usually covers most of the life cycle of a service.
--
kind regards,
David Sommerseth
|