
What PrivateUsers= does exactly?

0 votes
0 answers
586 views
I am having a hard time understanding the manual for PrivateUsers=. It mentions a few caveats for it to fail **silently**... But I think I'm avoiding them all and still not managing to reach the manual's promise of "and thus to create an effective sandbox environment."

> If true, sets up a new user namespace for the executed processes and configures a minimal user and group mapping, that maps the "root" user and group as well as the unit's own user and group to themselves and everything else to the "nobody" user and group.

To me, it's not clear what the manual means by "the unit's own user and group". Is it User=? I don't think so, because that would make starting the process as root mapped to a local user impossible (I would have to use User=root to start the process as the namespaced root, but that would also make root the user that root maps to...). The term "own user" is never mentioned in any of the many manual pages required to understand a service unit file, only three times in the paragraph for PrivateUsers=. I set up this very simple test service:
```ini
[Unit]
Description=My test
[Service]
Type=simple
PrivateUsers=yes
User=http
ExecStart=...
```
That is exactly the same as:
```ini
[Unit]
Description=My test
[Service]
Type=simple
User=http
ExecStart=...
```
(without PrivateUsers). I cannot tell any difference between these two in my tests. Both access all local users with no mapping taking place.

> All files, directories, processes, IPC objects and other resources owned by users/groups not equaling "root" or the unit's own will stay visible from within the unit but appear owned by the "nobody" user and group.

I see and create everything owned by the regular users inside and out of the scope.

> If this mode is enabled, all unit processes are run without privileges in the host user namespace (regardless if the unit's own user/group is "root" or not).

Again, not sure what it means by unit's own user. Am I expected to assume uid 0 after starting the process as another User=?

> Note that the implementation of this setting might be impossible (for example if user namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security.

Running `unshare -U` on the host works fine and creating files as root shows as a different user, as expected.
Asked by gcb (632 rep)
Aug 11, 2024, 08:09 PM
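The question compares the two units by looking at file ownership from inside the service, which is indirect. A more direct way to see whether a user namespace with a minimal mapping was actually set up is to read `/proc/<pid>/uid_map` of the service process: a process still in the host user namespace sees the single identity line `0 0 4294967295`, while a process in a new namespace sees only the ids that were mapped, and every unmapped host uid appears as the kernel's overflow uid 65534 ("nobody"). The script below is an added example, not part of the question or of systemd; it parses that file format and shows how a given host uid would appear inside the namespace. The two sample maps are constructed to match the manual text quoted above (root and the unit's own user mapped to themselves, everything else to nobody); the uid 33 used for the unit's user is an assumed value for `User=http`, and the layout of the real map systemd writes is not taken from the page.

```python
"""Inspect a Linux uid_map and report how host uids appear inside a user namespace.

Added example for the PrivateUsers= question above; it is not systemd's own code.
It assumes only the /proc/<pid>/uid_map format ("inside outside count" per line)
and the kernel's default overflow uid 65534, which unmapped ids are shown as.
"""
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid, i.e. "nobody"
HOST_IDENTITY = (0, 0, 4294967295)  # the only line a process in the initial namespace sees

# Constructed sample maps (not captured from a real system):
# 1. what /proc/self/uid_map contains for a process that is still in the host namespace,
#    which is what the question's second unit (no PrivateUsers=) would show
HOST_MAP_TEXT = "         0          0 4294967295\n"
# 2. a minimal map of the kind the manual text describes for PrivateUsers=yes:
#    root and the unit's own user (uid 33, assumed for User=http) map to themselves,
#    plus the nobody uid itself; every other host uid is unmapped
PRIVATE_MAP_TEXT = "0 0 1\n33 33 1\n65534 65534 1\n"

MapEntry = Tuple[int, int, int]  # (inside_start, outside_start, count)


def parse_uid_map(text: str) -> List[MapEntry]:
    """Parse uid_map/gid_map text into (inside, outside, count) triples."""
    entries: List[MapEntry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def is_host_namespace(entries: List[MapEntry]) -> bool:
    """True when the map is the full identity map, i.e. no user namespace isolation."""
    return entries == [HOST_IDENTITY]


def host_uid_as_seen_inside(entries: List[MapEntry], host_uid: int) -> int:
    """Return the uid a process inside the namespace sees for a host uid.

    Ranges are [outside, outside + count); anything not covered is unmapped and
    the kernel presents it as the overflow uid ("nobody").
    """
    for inside, outside, count in entries:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def describe(entries: List[MapEntry], host_uids: Iterable[int]) -> Dict[int, int]:
    """Map each host uid of interest to how it appears inside the namespace."""
    return {uid: host_uid_as_seen_inside(entries, uid) for uid in host_uids}


def check_pid(pid: str = "self") -> Dict[str, object]:
    """Read a live process's uid_map (Linux only) and summarise it."""
    entries = parse_uid_map(Path(f"/proc/{pid}/uid_map").read_text())
    return {
        "in_host_namespace": is_host_namespace(entries),
        "entries": entries,
        "sample": describe(entries, [0, 33, 1000]),
    }


if __name__ == "__main__":
    for label, text in (("no PrivateUsers", HOST_MAP_TEXT), ("PrivateUsers=yes", PRIVATE_MAP_TEXT)):
        entries = parse_uid_map(text)
        print(label, "host namespace:", is_host_namespace(entries),
              "host uids 0/33/1000 seen as:", describe(entries, [0, 33, 1000]))
```

To apply this to a real unit, run the script (or just `cat /proc/self/uid_map`) as the service's ExecStart=, or try it transiently with `systemd-run -p PrivateUsers=yes -p User=http cat /proc/self/uid_map`; if the output is the single identity line, no user namespace was created and the silent-failure caveat from the manual applies, which is the case the question cannot distinguish from a working sandbox by looking at file ownership alone.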