systemd service everything read-only except 1 folder

I'm going to run a script I don't trust for not messing up my system.

I want to start a shell for which everything is read-only except the folder in my home directory which the script is supposed to act on.

I think I'm pretty close.

This blocks the whole thing:

sudo systemd-run --pty --pipe --uid=1000 --property=ProtectHome=read-only /bin/bash

This is almost what I want but since / is still rw, the rest of the home folder stays rw:

sudo systemd-run --pty --pipe --uid=1000 --property=ReadWritePaths=$(pwd) /bin/bash

Can I have both at the same time, i.e. home read-only but with a single path inside home rw?
systemd
asked Aug 31 at 16:03
Francois
  • Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
    – RobotJohnny
    Aug 31 at 16:29
1 Answer
accepted
In principle, you can combine those two directives. But I’m a bit confused by your question: you say that you want to make everything read-only instead of the user’s home directory, but also that ProtectHome=read-only “blocks the whole thing”? But ProtectHome=read-only has no effect on /, only on /home and /root.

I think this should do what you want:

sudo systemd-run --pty --pipe --uid=1000 -p ReadOnlyPaths=/ -p ReadWritePaths="$(pwd)"

If you only want the other home directories to be read-only, not the entire file system, use ProtectHome=read-only instead of ReadOnlyPaths=/.
answered Aug 31 at 16:53
Lucas Werkmeister
  • That works perfectly
    – Francois
    Aug 31 at 17:34
  • Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857. And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now, e.g. v238, will simply fail to start the service if there is any such mount, which was considered even worse behaviour: github.com/systemd/systemd/issues/9844).
    – sourcejedi
    Aug 31 at 21:28
  • Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
    – sourcejedi
    Aug 31 at 21:33
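As an added example (not code from the question, the answer or systemd itself), the following wrapper builds the accepted answer's systemd-run invocation around a validated directory and includes a probe to run from inside the sandbox to confirm that only the intended directory is writable, which is the check the "not a security boundary" warning above calls for. The function names sandbox_dir, run_sandboxed and probe_writes are my own; the sudo and --uid=1000 assumptions follow the page's commands.

```shell
#!/bin/sh
# Added example, not code from the question or answer above: a wrapper around
# the accepted answer's systemd-run invocation, plus a probe to run inside the
# sandbox. Only properties already shown on the page are used.

# Validate the one directory that may stay writable and print its real path.
# Refuses / and the whole home directory: exposing either read-write would
# defeat ReadOnlyPaths=/ entirely.
sandbox_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    # Resolve symlinks so the path handed to ReadWritePaths= is the real one.
    real=$(cd "$1" && pwd -P) || return 1
    case $real in
        /|"${HOME:-/nonexistent}") echo "refusing to expose $real rw" >&2; return 1 ;;
    esac
    printf '%s\n' "$real"
}

# Start a shell (default /bin/bash, as in the question) as uid 1000 in which
# the whole tree is read-only except $1. Needs root, like the page's commands.
run_sandboxed() {
    real=$(sandbox_dir "$1") || return 1
    shift
    [ $# -gt 0 ] || set -- /bin/bash
    sudo systemd-run --pty --pipe --uid=1000 \
        -p ReadOnlyPaths=/ -p "ReadWritePaths=$real" "$@"
}

# Run this inside the sandbox before trusting it: try to create a file in each
# path given and print "rw <path>" or "ro <path>". Returns 0 only when exactly
# the intended directory ($1) was writable; any other "rw" (e.g. a FUSE mount
# under $HOME, as the comments warn) fails. A missing path also reads "ro".
probe_writes() {
    want=$1; shift
    status=0
    for p in "$@"; do
        f="$p/.probe.$$"
        # Subshell: a failed redirection on ':' would abort a strict POSIX sh.
        if ( : > "$f" ) 2>/dev/null; then
            rm -f "$f"; state=rw
        else
            state=ro
        fi
        echo "$state $p"
        if [ "$p" = "$want" ]; then
            [ "$state" = rw ] || status=1
        else
            [ "$state" = ro ] || status=1
        fi
    done
    return $status
}
```

Inside the sandbox, `probe_writes "$PWD" "$PWD" /tmp "$HOME" /etc` should print rw for the first path and ro for the rest; a stray rw means the mount setup did not cover that path.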