Hi Andrew, thanks for your reply. On Tue, Apr 15, 2025, at 7:22 PM, Andrew Lutomirski wrote: > So imagine that /etc/opencryptoki was > owned by root (or maybe, in a no-modes-maximalist world it was really > /etc/secret/opencryptoki and /etc/secret and everything under it was > only readable by root), and /run/opencryptoki was an idmapped mount. > Then there would be no persistent uid/gid mode bits. > /run/opencryptoki could be created by an appropriate systemd unit, and > for other cases where it's used only by a specific service, the mount > could be private to the service in question and wouldn't pollute the > global mount namespace.
Isn't this basically systemd DynamicUser=yes? -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
