Package: systemd
Version: 215-5+b1
Severity: normal

A few problems with using systemd-nspawn@$foo.service units on Debian:

* /var/lib/container doesn't exist, so the admin will have to make the directory in order to put containers where systemd expects to find them. If the admin does make the directory, they'll probably make it mode 755 or something. But this allows local users to do e.g. hard link farming to gather suid executables to exploit later, that would otherwise not be available but might be lying around in some poorly maintained containers. So, I think the Debian package should create the directory with an appropriate locked-down mode like 700. (Which works fine.)

* Once an nspawn unit is enabled and started, it will fail to run. This is because persistent journaling is not enabled by default, and the default for the service file is to use --link-journal=guest, which doesn't work without at least the journal directory existing. (I don't know if it works when the directory exists but persistent journaling is otherwise disabled.) Workaround: edit the service file (or override the ExecStart line) to remove that switch after systemctl enable creates the file. It seems to me that --link-journal=auto would be a better value.

-- see shy jo
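The two mitigations the report asks for, as an added example that is not part of the bug report or of the Debian package: a check that the container root is owner-only (mode 700) and a drop-in that swaps --link-journal=guest for --link-journal=auto. The other ExecStart flags are assumed to match the packaged systemd-nspawn@.service; compare with your installed unit before using the drop-in.

```bash
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat(1) (`-c %a`),
# as shipped in Debian coreutils, and the standard drop-in layout
# /etc/systemd/system/<unit>.d/override.conf.
set -eu

# Return 0 if $1 exists and is a directory with mode 700 (owner-only, so
# unprivileged users cannot traverse it to reach suid files inside the
# container trees), 1 otherwise.
check_container_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ]
}

# Write a drop-in into the directory $1 (normally
# /etc/systemd/system/systemd-nspawn@.service.d) that replaces the packaged
# ExecStart with one using --link-journal=auto, so the unit starts even when
# the host has no persistent journal directory.
write_nspawn_override() {
    dropin_dir="$1"
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/override.conf" <<'EOF'
[Service]
# An empty ExecStart= clears the packaged command before redefining it.
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=auto --directory=/var/lib/container/%i
EOF
}

# Usage on a real host (needs root):
#   check_container_dir /var/lib/container || chmod 700 /var/lib/container
#   write_nspawn_override /etc/systemd/system/systemd-nspawn@.service.d
#   systemctl daemon-reload
```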