LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS January 2017

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Adventures with 7.2
From:	jdow <[log in to unmask]>
Reply To:	jdow <[log in to unmask]>
Date:	Mon, 2 Jan 2017 03:51:13 -0800
Content-Type:	text/plain
Parts/Attachments:	text/plain (54 lines)

On 2017-01-02 01:47, David Sommerseth wrote:
> On 02/01/17 10:03, jdow wrote:
>>
>> I also found that I had no way I could find to tell systemd to bring up
>> a daemon as a relatively unprivileged user rather than root. Running
>> some services at root privileges makes me nervous even with SELinux in
>> place and active.
>
> $ man systemd.exec
>
>        User=, Group=
>            Sets the Unix user or group that the
>            processes are executed as,
>            respectively. Takes a single user or
>            group name or ID as argument. If no
>            group is set, the default group of the
>            user is chosen.

When I tried it I seemed to get unexpected results - subversion apparently 
insisted on remaining in the root privilege level. I may not have found the 
right place to put that into the xxx.service file. I found User=/Group= but the 
application of this remained obscure. I tried it under the [Service] heading. In 
retrospect does the order of placement under one of those headers make a difference?

> Which translates to providing User=/Group= in the [service] section of a
> unit file.

"Unit" is a bit of jargon that was not apparent at first. (hyperlinks work. It 
would be nice for people to use them more in HTML documentation first use in a 
section. {^_-})

> Other useful settings for hardening a service are Capabilities=,
> SecureBits=, PrivateTmp=, PrivateDevices=,  PrivateNetwork=,
> ProtectSystem=, ProtectHome=, RestrictAddressFamilies=,
> ReadWriteDirectories=, ReadOnlyDirectories= and InaccessibleDirectories=
> ... all documented in systemd.exec.
>
> And then there is Restart= which is fairly useful and to get a similar
> behaviour to daemontools, you can look into Type=simple (which is the
> default if not provided).  These are found in systemd.service.
>
> Getting a grip of the systemd man page hierarchy can be useful though.
> I generally find all the information I need when working on unit files
> for services in systemd.unit, systemd.service, systemd.exec and
> systemd.kill.  That usually covers most of the life cycle of a service.

Systemd has a steep and long learning curve, it appears. So a good GUI manager 
for it might be helpful, especially if it had some graphical features as well as 
text representations. The old init stuff was easier for somebody not making a 
career of the whole thing. If I was paid to sysadmin I'd dig in more than I can 
now. Other things are more fun for somebody not quite retired.

{^_-}

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV