systemd service everything read-only except 1 folder

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
-1
down vote

favorite












I'm going to run a script I don't trust for not messing up my system.



I want to start a shell for which everything is read-only except the folder in my home directory which the script is supposed to act on.



I think I'm pretty close.



This blocks the whole thing:



sudo systemd-run --pty --pipe --uid=1000 --property=ProtectHome=read-only /bin/bash



This is almost what I want but since / is still rw, the rest of the home folder stays rw:



sudo systemd-run --pty --pipe --uid=1000 --property=ReadWritePaths=$(pwd) /bin/bash



Can I have both at the same time i.e. home read-only but with a single path inside home rw?










share|improve this question





















  • Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
    – RobotJohnny
    Aug 31 at 16:29














up vote
-1
down vote

favorite












I'm going to run a script I don't trust for not messing up my system.



I want to start a shell for which everything is read-only except the folder in my home directory which the script is supposed to act on.



I think I'm pretty close.



This blocks the whole thing:



sudo systemd-run --pty --pipe --uid=1000 --property=ProtectHome=read-only /bin/bash



This is almost what I want but since / is still rw, the rest of the home folder stays rw:



sudo systemd-run --pty --pipe --uid=1000 --property=ReadWritePaths=$(pwd) /bin/bash



Can I have both at the same time i.e. home read-only but with a single path inside home rw?










share|improve this question





















  • Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
    – RobotJohnny
    Aug 31 at 16:29












up vote
-1
down vote

favorite









up vote
-1
down vote

favorite











I'm going to run a script I don't trust for not messing up my system.



I want to start a shell for which everything is read-only except the folder in my home directory which the script is supposed to act on.



I think I'm pretty close.



This blocks the whole thing:



sudo systemd-run --pty --pipe --uid=1000 --property=ProtectHome=read-only /bin/bash



This is almost what I want but since / is still rw, the rest of the home folder stays rw:



sudo systemd-run --pty --pipe --uid=1000 --property=ReadWritePaths=$(pwd) /bin/bash



Can I have both at the same time i.e. home read-only but with a single path inside home rw?










share|improve this question













I'm going to run a script I don't trust for not messing up my system.



I want to start a shell for which everything is read-only except the folder in my home directory which the script is supposed to act on.



I think I'm pretty close.



This blocks the whole thing:



sudo systemd-run --pty --pipe --uid=1000 --property=ProtectHome=read-only /bin/bash



This is almost what I want but since / is still rw, the rest of the home folder stays rw:



sudo systemd-run --pty --pipe --uid=1000 --property=ReadWritePaths=$(pwd) /bin/bash



Can I have both at the same time i.e. home read-only but with a single path inside home rw?







systemd






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Aug 31 at 16:03









Francois

31




31











  • Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
    – RobotJohnny
    Aug 31 at 16:29
















  • Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
    – RobotJohnny
    Aug 31 at 16:29















Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
– RobotJohnny
Aug 31 at 16:29




Hi Francois, welcome to unix & linux stack exchange. If you change / to read only, you will run into trouble; logs won't be able to run and vital system services will crash to say the least. I think what you're looking for is something along the lines of chroot to only allow the user access to write to their home directory
– RobotJohnny
Aug 31 at 16:29










1 Answer
1






active

oldest

votes

















up vote
0
down vote



accepted










In principle, you can combine those two directives. But I’m a bit confused by your question: you say that you want to make everything read-only instead of the user’s home directory, but also that ProtectHome=read-only “blocks the whole thing”? But ProtectHome=read-only has no effect on /, only on /home and /root.



I think this should do what you want:



sudo systemd-run --pty --pipe --uid=1000 -p ReadOnlyPaths=/ -p ReadWritePaths="$(pwd)"


If you only want the other home directories to be read-only, not the entire file system, use ProtectHome=read-only instead of ReadOnlyPaths=/.






share|improve this answer




















  • That works perfectly
    – Francois
    Aug 31 at 17:34










  • Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
    – sourcejedi
    Aug 31 at 21:28











  • Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
    – sourcejedi
    Aug 31 at 21:33











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f466072%2fsystemd-service-everything-read-only-except-1-folder%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote



accepted










In principle, you can combine those two directives. But I’m a bit confused by your question: you say that you want to make everything read-only instead of the user’s home directory, but also that ProtectHome=read-only “blocks the whole thing”? But ProtectHome=read-only has no effect on /, only on /home and /root.



I think this should do what you want:



sudo systemd-run --pty --pipe --uid=1000 -p ReadOnlyPaths=/ -p ReadWritePaths="$(pwd)"


If you only want the other home directories to be read-only, not the entire file system, use ProtectHome=read-only instead of ReadOnlyPaths=/.






share|improve this answer




















  • That works perfectly
    – Francois
    Aug 31 at 17:34










  • Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
    – sourcejedi
    Aug 31 at 21:28











  • Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
    – sourcejedi
    Aug 31 at 21:33















up vote
0
down vote



accepted










In principle, you can combine those two directives. But I’m a bit confused by your question: you say that you want to make everything read-only instead of the user’s home directory, but also that ProtectHome=read-only “blocks the whole thing”? But ProtectHome=read-only has no effect on /, only on /home and /root.



I think this should do what you want:



sudo systemd-run --pty --pipe --uid=1000 -p ReadOnlyPaths=/ -p ReadWritePaths="$(pwd)"


If you only want the other home directories to be read-only, not the entire file system, use ProtectHome=read-only instead of ReadOnlyPaths=/.






share|improve this answer




















  • That works perfectly
    – Francois
    Aug 31 at 17:34










  • Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
    – sourcejedi
    Aug 31 at 21:28











  • Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
    – sourcejedi
    Aug 31 at 21:33













up vote
0
down vote



accepted







up vote
0
down vote



accepted






In principle, you can combine those two directives. But I’m a bit confused by your question: you say that you want to make everything read-only instead of the user’s home directory, but also that ProtectHome=read-only “blocks the whole thing”? But ProtectHome=read-only has no effect on /, only on /home and /root.



I think this should do what you want:



sudo systemd-run --pty --pipe --uid=1000 -p ReadOnlyPaths=/ -p ReadWritePaths="$(pwd)"


If you only want the other home directories to be read-only, not the entire file system, use ProtectHome=read-only instead of ReadOnlyPaths=/.






share|improve this answer












In principle, you can combine those two directives. But I’m a bit confused by your question: you say that you want to make everything read-only instead of the user’s home directory, but also that ProtectHome=read-only “blocks the whole thing”? But ProtectHome=read-only has no effect on /, only on /home and /root.



I think this should do what you want:



sudo systemd-run --pty --pipe --uid=1000 -p ReadOnlyPaths=/ -p ReadWritePaths="$(pwd)"


If you only want the other home directories to be read-only, not the entire file system, use ProtectHome=read-only instead of ReadOnlyPaths=/.







share|improve this answer












share|improve this answer



share|improve this answer










answered Aug 31 at 16:53









Lucas Werkmeister

22815




22815











  • That works perfectly
    – Francois
    Aug 31 at 17:34










  • Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
    – sourcejedi
    Aug 31 at 21:28











  • Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
    – sourcejedi
    Aug 31 at 21:33

















  • That works perfectly
    – Francois
    Aug 31 at 17:34










  • Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
    – sourcejedi
    Aug 31 at 21:28











  • Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
    – sourcejedi
    Aug 31 at 21:33
















That works perfectly
– Francois
Aug 31 at 17:34




That works perfectly
– Francois
Aug 31 at 17:34












Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
– sourcejedi
Aug 31 at 21:28





Be aware that these do not provide a security boundary. For a long-running script, see github.com/systemd/systemd/issues/9857 And if your home directory is on NFS and you mount FUSE filesystems like sshfs underneath it, the FUSE mounts will not be protected (but this only applies to the current code in Git - the systemd releases before now e.g. v238 will simply fail to start the service if there is any such mount, which was considered even worse behaviour github.com/systemd/systemd/issues/9844).
– sourcejedi
Aug 31 at 21:28













Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
– sourcejedi
Aug 31 at 21:33





Ideally you would want either an implementation using kernel APIs which have only been planned lore.kernel.org/lkml/20180602040434.GW30522@ZenIV.linux.org.uk , or put the script in a container along with all its requirements, something like Docker, and then only bind-mount the specific directory into the container.
– sourcejedi
Aug 31 at 21:33


















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f466072%2fsystemd-service-everything-read-only-except-1-folder%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?