On 20.12.2015 at 17:33, Michael Biebl wrote:
> I'm using systemd v228 and tried to lock down rsyslog a bit. For that I added
>
> # /etc/systemd/system/rsyslog.service.d/override.conf
> [Unit]
> ProtectSystem=yes
> ProtectHome=yes
> CapabilityBoundingSet=~CAP_SYS_ADMIN
>
> I thought ProtectHome=yes would deny rsyslog read access to /home, but it seems the rsyslogd process can read /home/michael/file1 without problems. Am I doing something wrong or is this a bug in systemd?

looks like a bug, "yes" should take it away and "read-only" is supposed to just take away write-access, however the unit below should work

i prefer "ReadOnlyDirectories" and "InaccessibleDirectories" in general
_____________________________

[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target mysqld.service mysqld-dbmail.service

[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1
CapabilityBoundingSet=CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
Alias=syslog.service

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
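
A check worth running on a drop-in before treating ineffective sandboxing as a systemd bug, given here as an added example that is not part of either message: systemd.exec(5) settings such as ProtectHome= are only read from [Service], [Socket], [Mount] and [Swap] sections, and in any other section systemd logs a warning and ignores them. The function name, the directive subset and both sample strings are assumptions constructed from the units quoted in this thread.

```python
# Added example (not from the thread): flag systemd.exec(5) directives that
# sit in a section where systemd ignores them.

# Sections whose unit types accept systemd.exec(5) settings.
EXEC_SECTIONS = {"Service", "Socket", "Mount", "Swap"}
# Subset of systemd.exec(5) directives, limited to those used in the thread.
EXEC_DIRECTIVES = {"ProtectSystem", "ProtectHome", "CapabilityBoundingSet",
                   "ReadOnlyDirectories", "InaccessibleDirectories"}

# Constructed sample: the drop-in quoted in the question.
OVERRIDE_CONF = """\
# /etc/systemd/system/rsyslog.service.d/override.conf
[Unit]
ProtectSystem=yes
ProtectHome=yes
CapabilityBoundingSet=~CAP_SYS_ADMIN
"""
# Constructed sample: shortened form of the unit in the reply.
REPLY_UNIT = """\
[Unit]
Description=Syslog Service
[Service]
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
CapabilityBoundingSet=CAP_SYSLOG
ReadOnlyDirectories=/etc
InaccessibleDirectories=-/home
"""


def misplaced_directives(unit_text):
    """Return (line_no, section, key) for exec directives outside EXEC_SECTIONS."""
    findings, section = [], None
    for line_no, raw in enumerate(unit_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]             # entering a new section
            continue
        key, sep, _value = line.partition("=")
        key = key.strip()
        if sep and key in EXEC_DIRECTIVES and section not in EXEC_SECTIONS:
            findings.append((line_no, section, key))
    return findings


if __name__ == "__main__":
    for line_no, section, key in misplaced_directives(OVERRIDE_CONF):
        print(f"line {line_no}: {key}= in [{section}] has no effect there")
```

On a running system, `systemctl show rsyslog.service -p ProtectHome` reports the value systemd actually applied to the unit.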