Hi Marco,

On 14/10/2024 06:57, Marco d'Itri wrote:
The unit that you added to 2.5.1-1+1~exp1 is very simplistic.
I have been using these units for many years and I recommend that you
start with something like it.

The sandboxing is limited enough that it should not cause any issues
when random programs are executed by the up/down scripts.

I do not think that "Before=network.target" is useful, or even correct.

I based my systemd unit on the version from Arch Linux as recommended earlier in this bug report. I do in fact use this myself on my systems and was confident it wasn't incorrect, though I value your suggestions.

While I would like to implement tighter security restrictions on the [email protected] unit, the fact is we just don't know what scripts people run from the ppp hooks. There are a number of restrictions that you recommend that would break the scripts that I run on my own system (let alone those of random Debian users), such as:

- ProtectKernelModules=yes would break my firewall update script which triggers modules to load - ProtectKernelTunables=yes prevents configuring sysctls necessary for my links

As for Before=network.target, could you explain how this would be incorrect please? My understanding is that, if you were to cause [email protected] to start at boot, it would want to come up before network.target; after all ppp is still often used to obtain connectivity to the Internet which would be an expected component of network.target.

I welcome your thoughts.

Cheers,
Chris

--
Chris Boot
[email protected]

Reply via email to