Hi Marco,
On 14/10/2024 06:57, Marco d'Itri wrote:
The unit that you added to 2.5.1-1+1~exp1 is very simplistic.
I have been using these units for many years and I recommend that you
start with something like it.
The sandboxing is limited enough that it should not cause any issues
when random programs are executed by the up/down scripts.
I do not think that "Before=network.target" is useful, or even correct.
I based my systemd unit on the version from Arch Linux as recommended
earlier in this bug report. I do in fact use this myself on my systems
and was confident it wasn't incorrect, though I value your suggestions.
While I would like to implement tighter security restrictions on the
[email protected] unit, the fact is we just don't know what scripts people
run from the ppp hooks. There are a number of restrictions that you
recommend that would break the scripts that I run on my own system (let
alone those of random Debian users), such as:
- ProtectKernelModules=yes would break my firewall update script which
triggers modules to load
- ProtectKernelTunables=yes prevents configuring sysctls necessary for
my links
As for Before=network.target, could you explain how this would be
incorrect please? My understanding is that, if you were to cause
[email protected] to start at boot, it would want to come up before
network.target; after all ppp is still often used to obtain connectivity
to the Internet which would be an expected component of network.target.
I welcome your thoughts.
Cheers,
Chris
--
Chris Boot
[email protected]