diff options
author | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-06-10 18:19:54 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-06-10 18:19:54 +0200 |
commit | cf677fe6868f0565dd625cfbc2992a0f2cd3e053 (patch) | |
tree | 3e6d5cdbf44a06a1c48d3d6e98f3192b08ae723b /man/systemd.service.xml | |
parent | rules: block - add scm block devices to whitelist (#3494) (diff) | |
download | systemd-cf677fe6868f0565dd625cfbc2992a0f2cd3e053.tar.xz systemd-cf677fe6868f0565dd625cfbc2992a0f2cd3e053.zip |
core/execute: add the magic character '!' to allow privileged execution (#3493)
This patch implements the new magic character '!'. By putting '!' in front
of a command, systemd executes it with full privileges ignoring paramters
such as User, Group, SupplementaryGroups, CapabilityBoundingSet,
AmbientCapabilities, SecureBits, SystemCallFilter, SELinuxContext,
AppArmorProfile, SmackProcessLabel, and RestrictAddressFamilies.
Fixes partially https://github.com/systemd/systemd/issues/3414
Related to https://github.com/coreos/rkt/issues/2482
Testing:
1. Create a user 'bob'
2. Create the unit file /etc/systemd/system/exec-perm.service
(You can use the example below)
3. sudo systemctl start ext-perm.service
4. Verify that the commands starting with '!' were not executed as bob,
4.1 Looking to the output of ls -l /tmp/exec-perm
4.2 Each file contains the result of the id command.
`````````````````````````````````````````````````````````````````
[Unit]
Description=ext-perm
[Service]
Type=oneshot
TimeoutStartSec=0
User=bob
ExecStartPre=!/usr/bin/sh -c "/usr/bin/rm /tmp/exec-perm*" ;
/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-pre"
ExecStart=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start" ;
!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-star-2"
ExecStartPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-post"
ExecReload=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-reload"
ExecStop=!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop"
ExecStopPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop-post"
[Install]
WantedBy=multi-user.target]
`````````````````````````````````````````````````````````````````
Diffstat (limited to 'man/systemd.service.xml')
-rw-r--r-- | man/systemd.service.xml | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 6641dfed4f..6e969abc25 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -295,9 +295,10 @@ If the absolute filename is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal - exit due to signal) is ignored and considered success. If both - <literal>-</literal> and <literal>@</literal> are used, they - can appear in either order.</para> + exit due to signal) is ignored and considered success. + If the absolute path is prefixed with <literal>!</literal> then + it is executed with full privileges. <literal>-</literal>, <literal>@</literal>, and <literal>!</literal> + may be used together and they can appear in any order.</para> <para>If more than one command is specified, the commands are invoked sequentially in the order they appear in the unit |