summaryrefslogtreecommitdiffstats
path: root/man/systemd.service.xml
diff options
context:
space:
mode:
authorAlessandro Puccetti <alessandro@kinvolk.io>2016-06-10 18:19:54 +0200
committerLennart Poettering <lennart@poettering.net>2016-06-10 18:19:54 +0200
commitcf677fe6868f0565dd625cfbc2992a0f2cd3e053 (patch)
tree3e6d5cdbf44a06a1c48d3d6e98f3192b08ae723b /man/systemd.service.xml
parentrules: block - add scm block devices to whitelist (#3494) (diff)
downloadsystemd-cf677fe6868f0565dd625cfbc2992a0f2cd3e053.tar.xz
systemd-cf677fe6868f0565dd625cfbc2992a0f2cd3e053.zip
core/execute: add the magic character '!' to allow privileged execution (#3493)
This patch implements the new magic character '!'. By putting '!' in front of a command, systemd executes it with full privileges ignoring paramters such as User, Group, SupplementaryGroups, CapabilityBoundingSet, AmbientCapabilities, SecureBits, SystemCallFilter, SELinuxContext, AppArmorProfile, SmackProcessLabel, and RestrictAddressFamilies. Fixes partially https://github.com/systemd/systemd/issues/3414 Related to https://github.com/coreos/rkt/issues/2482 Testing: 1. Create a user 'bob' 2. Create the unit file /etc/systemd/system/exec-perm.service (You can use the example below) 3. sudo systemctl start ext-perm.service 4. Verify that the commands starting with '!' were not executed as bob, 4.1 Looking to the output of ls -l /tmp/exec-perm 4.2 Each file contains the result of the id command. ````````````````````````````````````````````````````````````````` [Unit] Description=ext-perm [Service] Type=oneshot TimeoutStartSec=0 User=bob ExecStartPre=!/usr/bin/sh -c "/usr/bin/rm /tmp/exec-perm*" ; /usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-pre" ExecStart=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start" ; !/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-star-2" ExecStartPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-post" ExecReload=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-reload" ExecStop=!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop" ExecStopPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop-post" [Install] WantedBy=multi-user.target] `````````````````````````````````````````````````````````````````
Diffstat (limited to 'man/systemd.service.xml')
-rw-r--r--man/systemd.service.xml7
1 files changed, 4 insertions, 3 deletions
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 6641dfed4f..6e969abc25 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -295,9 +295,10 @@
If the absolute filename is prefixed with
<literal>-</literal>, an exit code of the command normally
considered a failure (i.e. non-zero exit status or abnormal
- exit due to signal) is ignored and considered success. If both
- <literal>-</literal> and <literal>@</literal> are used, they
- can appear in either order.</para>
+ exit due to signal) is ignored and considered success.
+ If the absolute path is prefixed with <literal>!</literal> then
+ it is executed with full privileges. <literal>-</literal>, <literal>@</literal>, and <literal>!</literal>
+ may be used together and they can appear in any order.</para>
<para>If more than one command is specified, the commands are
invoked sequentially in the order they appear in the unit