core: add '-' prefix to AmbientCapabilities= #6564
Conversation
If AmbientCapabilities= is prefixed by '-' and the ambient capability is not supported by the kernel, then the listed ambient capabilities are ignored and the commands are executed by root.
|
As far as I'm concerned, this looks good to me as it appears to fix all issues raised in previous discussions. I've closed my previous PR. I think there are three minor points:
|
|
@Siosm Thank you for the comments.
Is it necessary? The service runs with
OK. I will document it.
Hmm, the user/group setting is ignored only if |
Also this moves the location of clock file to /var/lib/systemd/timesync.
|
Updated. |
| SystemCallArchitectures=native | ||
| ReadWritePaths=/var/lib/systemd | ||
| StateDirectory=systemd/timesync | ||
| User=systemd-timesync |
There was a problem hiding this comment.
Minor personal preference: Could you move the User option near the top of the Service section and add Group option even if it is implied by the User option?
|
|
||
| * clock file is now moved to /var/lib/systemd/timesync/clock. | ||
| Distributors should change the location of the file if it is packaged. | ||
|
|
There was a problem hiding this comment.
I don't think this file is packaged with systemd. The minor issue here would happen during a restart after an upgrade as the old timesyncd would use the old path and the new timsyncd the new path thus loosing the recorded timestamp. This will also leave an used file in place.
I would suggest:
The file /var/lib/systemd/clock used by systemd-timesyncd to remember the last known good clock value has been moved to /var/lib/systemd/timesync/clock. Distributors should either remove the previous file after the service has been restarted or move the current file to the new directory once the old daemon has been stopped and before the new daemon startup.
But this may be to much of a hassle for such a minor issue / minor gain.
There was a problem hiding this comment.
Thank you for the suggestion. I will update the NEWS entry based on that.
I don't think this file is packaged with systemd.
There was a problem hiding this comment.
The %ghost directive means that the file will be removed when the package is removed/updated. But this file will be written to by systemd-timesyncd when it is stopped. Thus this is still relevant I think.
This "double" setup was also suggested to ease debugging (#6393 (comment)), but is not strictly necessary I agree. |
This patch adds two new special character prefixes to ExecStart= and
friends, in addition to the existing "-", "@" and "+":
"!" → much like "+", except with a much reduced effect as it only
disables the actual setresuid()/setresgid()/setgroups() calls, but
leaves all other security features on, including namespace
options. This is very useful in combination with
RuntimeDirectory= or DynamicUser= and similar option, as a user
is still allocated and used for the runtime directory, but the
actual UID/GID dropping is left to the daemon process itself.
This should make RuntimeDirectory= a lot more useful for daemons
which insist on doing their own privilege dropping.
"!!" → Similar to "!", but on systems supporting ambient caps this
becomes a NOP. This makes it relatively straightforward to write
unit files that make use of ambient capabilities to let systemd
drop all privs while retaining compatibility with systems that
lack ambient caps, where priv dropping is the left to the daemon
codes themselves.
This is an alternative approach to systemd#6564 and related PRs.
|
Heya, sorry for not being more responsive on the whole ambient caps/user dropping stuff. I go sidetracked by other stuff for a while. Anyway, a few weeks ago I started working on #6577 which I now filed, which tries to solve the same issue in a different way, and I think in a slightly nicer way... Any chance you can have a look at that, so that we can find some common ground we can all agree on? |
This patch adds two new special character prefixes to ExecStart= and
friends, in addition to the existing "-", "@" and "+":
"!" → much like "+", except with a much reduced effect as it only
disables the actual setresuid()/setresgid()/setgroups() calls, but
leaves all other security features on, including namespace
options. This is very useful in combination with
RuntimeDirectory= or DynamicUser= and similar option, as a user
is still allocated and used for the runtime directory, but the
actual UID/GID dropping is left to the daemon process itself.
This should make RuntimeDirectory= a lot more useful for daemons
which insist on doing their own privilege dropping.
"!!" → Similar to "!", but on systems supporting ambient caps this
becomes a NOP. This makes it relatively straightforward to write
unit files that make use of ambient capabilities to let systemd
drop all privs while retaining compatibility with systems that
lack ambient caps, where priv dropping is the left to the daemon
codes themselves.
This is an alternative approach to systemd#6564 and related PRs.
This patch adds two new special character prefixes to ExecStart= and
friends, in addition to the existing "-", "@" and "+":
"!" → much like "+", except with a much reduced effect as it only
disables the actual setresuid()/setresgid()/setgroups() calls, but
leaves all other security features on, including namespace
options. This is very useful in combination with
RuntimeDirectory= or DynamicUser= and similar option, as a user
is still allocated and used for the runtime directory, but the
actual UID/GID dropping is left to the daemon process itself.
This should make RuntimeDirectory= a lot more useful for daemons
which insist on doing their own privilege dropping.
"!!" → Similar to "!", but on systems supporting ambient caps this
becomes a NOP. This makes it relatively straightforward to write
unit files that make use of ambient capabilities to let systemd
drop all privs while retaining compatibility with systems that
lack ambient caps, where priv dropping is the left to the daemon
codes themselves.
This is an alternative approach to systemd#6564 and related PRs.
|
Closing this in favor of #6577. |
This patch adds two new special character prefixes to ExecStart= and
friends, in addition to the existing "-", "@" and "+":
"!" → much like "+", except with a much reduced effect as it only
disables the actual setresuid()/setresgid()/setgroups() calls, but
leaves all other security features on, including namespace
options. This is very useful in combination with
RuntimeDirectory= or DynamicUser= and similar option, as a user
is still allocated and used for the runtime directory, but the
actual UID/GID dropping is left to the daemon process itself.
This should make RuntimeDirectory= a lot more useful for daemons
which insist on doing their own privilege dropping.
"!!" → Similar to "!", but on systems supporting ambient caps this
becomes a NOP. This makes it relatively straightforward to write
unit files that make use of ambient capabilities to let systemd
drop all privs while retaining compatibility with systems that
lack ambient caps, where priv dropping is the left to the daemon
codes themselves.
This is an alternative approach to systemd#6564 and related PRs.
This patch adds two new special character prefixes to ExecStart= and
friends, in addition to the existing "-", "@" and "+":
"!" → much like "+", except with a much reduced effect as it only
disables the actual setresuid()/setresgid()/setgroups() calls, but
leaves all other security features on, including namespace
options. This is very useful in combination with
RuntimeDirectory= or DynamicUser= and similar option, as a user
is still allocated and used for the runtime directory, but the
actual UID/GID dropping is left to the daemon process itself.
This should make RuntimeDirectory= a lot more useful for daemons
which insist on doing their own privilege dropping.
"!!" → Similar to "!", but on systems supporting ambient caps this
becomes a NOP. This makes it relatively straightforward to write
unit files that make use of ambient capabilities to let systemd
drop all privs while retaining compatibility with systems that
lack ambient caps, where priv dropping is the left to the daemon
codes themselves.
This is an alternative approach to systemd#6564 and related PRs.
3 participants
If
AmbientCapabilities=is prefixed by '-' and the ambient capability is not supported by the kernel, then the listed ambient capabilities are ignored and the commands are executed by root.On top of the options, networkd, resolved, and timesyncd drop the capabilities in the following commits.