On 02/01/17 10:03, jdow wrote:
> 
> I also found that I had no way I could find to tell systemd to bring up
> a daemon as a relatively unprivileged user rather than root. Running
> some services at root privileges makes me nervous even with SELinux in
> place and active.

$ man systemd.exec

       User=, Group=
           Sets the Unix user or group that the
           processes are executed as,
           respectively. Takes a single user or
           group name or ID as argument. If no
           group is set, the default group of the
           user is chosen.

Which translates to providing User=/Group= in the [service] section of a
unit file.

Other useful settings for hardening a service are Capabilities=,
SecureBits=, PrivateTmp=, PrivateDevices=,  PrivateNetwork=,
ProtectSystem=, ProtectHome=, RestrictAddressFamilies=,
ReadWriteDirectories=, ReadOnlyDirectories= and InaccessibleDirectories=
... all documented in systemd.exec.

And then there is Restart= which is fairly useful and to get a similar
behaviour to daemontools, you can look into Type=simple (which is the
default if not provided).  These are found in systemd.service.

Getting a grip of the systemd man page hierarchy can be useful though.
I generally find all the information I need when working on unit files
for services in systemd.unit, systemd.service, systemd.exec and
systemd.kill.  That usually covers most of the life cycle of a service.


-- 
kind regards,

David Sommerseth