I would like to configure a service to run as a user with read-only access to a single file in the user's home directory.
The following works:
ReadOnlyPaths=/home/user/path/to/foo
ProtectHome=read-only
but the ReadOnlyPaths obviously does nothing here since all of home is read-only. I would expect the following to work but it doesn't:
ReadOnlyPaths=/home/user/path/to/foo
ProtectHome=true
Am I missing something or does ProtectHome=true make it impossible to access anything under home? Do I need to use a bind mount instead to achieve the desired effect (only one file readable under home)?
And is there any way to grant a dynamic user access to a single file under a real user's home directory while hiding everything else, under the assumption that only the real user has access to it under regular file permissions?
Concretely, I want to create a service template (e.g. run_script@.service) to run different scripts in a user's home directory while completely isolating everything on the system. My failed approach was to use
ReadOnlyPaths=%I
ProtectHome=read-only
Last edited by Xyne (2021-12-08 01:35:40)
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
Hey Xyne, people cannot respond to you in this subforum. You may want to pick another.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Not the first time that I've made this mistake.
Moving...
Here are the relevant sections of the systemd manpages:
...
ProtectHome=
Takes a boolean argument or the special values "read-only" or "tmpfs". If true, the directories /home/, /root, and /run/user are made inaccessible and empty for processes invoked by this unit. If set to "read-only", the three directories are made read-only instead. If set to "tmpfs", temporary file systems are mounted on the three directories in read-only mode. The value "tmpfs" is useful to hide home directories not relevant to the processes invoked by the unit, while still allowing necessary directories to be made visible when listed in BindPaths= or BindReadOnlyPaths=. Setting this to "yes" is mostly equivalent to set the three directories in InaccessiblePaths=. Similarly, "read-only" is mostly equivalent to ReadOnlyPaths=, and "tmpfs" is mostly equivalent to TemporaryFileSystem= with ":ro".
...
Paths listed in InaccessiblePaths= will be made inaccessible for processes inside the namespace along with everything below them in the file system hierarchy. This may be more restrictive than desired, because it is not possible to nest ReadWritePaths=, ReadOnlyPaths=, BindPaths=, or BindReadOnlyPaths= inside it. For a more flexible option, see TemporaryFileSystem=.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
@progandy
Thanks. I had actually tried the different combinations of read-only, true and tmpfs with and without binds, but rereading the documentation carefully led me to the example under TemporaryFileSystem:
TemporaryFileSystem=/var:ro
BindReadOnlyPaths=/var/lib/systemd
The equivalent didn't work with my unit but that finally led me to the real problem: an incorrect SystemCallArchitectures and UMask.
Between posting in the wrong forum, not having read the docs carefully and the error being somewhere else, I'm on a roll!
I'm marking as solved but I would still be interested if anyone knows a way to grant the dynamic user read-only access to another user's file under a tmpfs home directory.
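Putting the manpage excerpt quoted above and the run_script@.service idea from the opening post together, here is a template unit that hides every home directory behind a read-only tmpfs and then bind-mounts exactly one file into the sandbox. This is an added example, not a unit from the thread or from systemd itself; it assumes the script path is passed as the escaped instance name (via systemd-escape -p), and it uses the %f specifier rather than %I because %f gives the unescaped instance name with its leading slash, which BindReadOnlyPaths= needs as an absolute path.

```ini
# Added example (not from the thread): run_script@.service
# Start as:  systemctl start "run_script@$(systemd-escape -p /home/user/path/to/foo).service"
# Assumption: the instance name is the escaped absolute path of the script.

[Unit]
Description=Run %f inside an isolated sandbox

[Service]
Type=oneshot
# Fresh, unprivileged UID/GID allocated for this run only.
DynamicUser=yes

# Hide /home, /root and /run/user behind read-only tmpfs mounts. Unlike
# ProtectHome=true (InaccessiblePaths=), a tmpfs can have bind mounts
# nested inside it, as the manpage excerpt above explains.
ProtectHome=tmpfs

# Expose exactly one file, read-only, at its original path. Everything
# else under /home stays an empty tmpfs. The file (and every directory
# on the way to it) must still be readable by the dynamic user under
# normal file permissions; a bind mount does not bypass DAC.
BindReadOnlyPaths=%f

ExecStart=/bin/sh %f

# Seal off the rest of the system.
ProtectSystem=strict
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
# The thread's actual failure was an incorrect value here (and in UMask=);
# "native" allows only the host architecture's system-call ABI.
SystemCallArchitectures=native
```

If the bind mount appears to have no effect, check the other sandboxing directives before blaming ProtectHome=, as happened in this thread; `systemctl status` and `journalctl -u run_script@...` show the namespace-setup or exec failure. The permissions caveat matters most with DynamicUser=: because the UID is allocated at start time, only world-readable files and world-searchable directories are reachable, which is the limitation progandy describes below.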
I'm marking as solved but I would still be interested if anyone knows a way to grant the dynamic user read-only access to another user's file under a tmpfs home directory.
As far as I know, if the owner has not granted sufficient permissions to the other (non-root) user, then it is impossible without bindfs (which you packaged in the AUR), but that is not integrated in systemd.
Edit: maybe you could run it with execstart(pre) with an exclamation mark prefix (!/bin/foo) as described in Table 1 in systemd.service
Anyways, I do not see much use for that. If you do need to run a user script as a restricted system service, you need root access to create the service anyways. Then you could also create a hardlink or copy in an accessible location.
Last edited by progandy (2021-12-08 05:08:13)
Moving back to system administration where it belongs