LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS January 2017

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Adventures with 7.2
From:	David Sommerseth <[log in to unmask]>
Reply To:	[log in to unmask][log in to unmask], 16 Jan 2017 17:01:59 +0100746_US-ASCII http://scientificlinuxforum.org/index.php?showtopic=266 On 2017-01-16 16:55, John Pilkington wrote: > On 16/01/17 15:43, Charles Campbell wrote: >> Hello: >> >> With SL6 I was able to use ctrl-alt-(arrow) and move from one >> workspace >> to another. With SL7, gnome no longer changes workspaces (does >> nothing). >> With SL6 I was able to right click on the applications menu and use >> the >> resulting menu bar to add apps. No menu results from a right click, >> so >> none of those selections are available (add to panel, properties, >> delete >> this panel, new panel, help, about panels). >> [...][log in to unmask]
Date:	Mon, 2 Jan 2017 10:47:33 +0100
Content-Type:	text/plain
Parts/Attachments:	text/plain (41 lines)

On 02/01/17 10:03, jdow wrote:
> 
> I also found that I had no way I could find to tell systemd to bring up
> a daemon as a relatively unprivileged user rather than root. Running
> some services at root privileges makes me nervous even with SELinux in
> place and active.

$ man systemd.exec

       User=, Group=
           Sets the Unix user or group that the
           processes are executed as,
           respectively. Takes a single user or
           group name or ID as argument. If no
           group is set, the default group of the
           user is chosen.

Which translates to providing User=/Group= in the [service] section of a
unit file.

Other useful settings for hardening a service are Capabilities=,
SecureBits=, PrivateTmp=, PrivateDevices=,  PrivateNetwork=,
ProtectSystem=, ProtectHome=, RestrictAddressFamilies=,
ReadWriteDirectories=, ReadOnlyDirectories= and InaccessibleDirectories=
... all documented in systemd.exec.

And then there is Restart= which is fairly useful and to get a similar
behaviour to daemontools, you can look into Type=simple (which is the
default if not provided).  These are found in systemd.service.

Getting a grip of the systemd man page hierarchy can be useful though.
I generally find all the information I need when working on unit files
for services in systemd.unit, systemd.service, systemd.exec and
systemd.kill.  That usually covers most of the life cycle of a service.

-- 
kind regards,

David Sommerseth

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV