
Bug#727708: Quick upstart and systemd feature comparison
On Thu, Dec 19, 2013 at 09:57:48AM -0800, Russ Allbery wrote:
> Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
> > Russ Allbery writes:
> >> * Lots of really interesting defense-in-depth security features.  I
> >>   particularly liked ReadWriteDirectories, ReadOnlyDirectories,
> >>   InaccessibleDirectories, PrivateNetwork, and NoNewPrivileges, which
> >>   provide a sort of lightweight process containment that would be much
> >>   easier to use than a full-blown chroot, and in some ways more powerful.
> 
> > I think that this functionality should be provided by "auxiliary verb"
> > wrapper commands, not welded into init.
> 
> Why?  It feels like it adds (mild) complexity without a whole lot of
> benefit.  The init system (for both systemd and upstart) is already
> handling setuid, setgid, nice, OOM adjustment, system resource limits,
> etc.  This stuff feels like the same type of thing.

We should have *at least* auxverb-style commands for this, because
they're often useful outside the context of the init system (for
example, a private network is useful for building packages; you can do
this kind of thing with "unshare -n" or with the LXC tools).

It's a fairly narrow judgement call whether this kind of thing should be
directly supported in the init daemon or not; I can certainly see some
being useful, although if they're already supported by auxverbs then
they would presumably be pretty trivial to add to anything that already
has direct support for things like "nice".

In the case of Upstart's "setuid" and "setgid" verbs, I think part of
the reasoning was that we had scripts that were doing it by hand in a
boilerplate fashion but of course it was important that they get it just
right, and it made sense to consolidate the code.  That seems to me to
be a reasonable metric for whether this belongs in the init daemon.

-- 
Colin Watson                                       [cjwatson@debian.org]
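To make the comparison concrete, here is a service unit using the systemd directives Russ lists, with a note on what each one buys you. This is an added illustration, not taken from the thread or from either project's documentation; the service name, binary and directory paths are invented. The directive spellings are the ones current when this was written; later systemd releases renamed them to ReadWritePaths=, ReadOnlyPaths= and InaccessiblePaths= but still accept the old names.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical unit; all paths invented)
[Unit]
Description=Example daemon with lightweight process containment

[Service]
ExecStart=/usr/sbin/example-daemon --foreground
User=example
Group=example

# Set PR_SET_NO_NEW_PRIVS before exec(): the daemon and anything it
# spawns can no longer gain privileges through setuid/setgid binaries
# or file capabilities, even if such a binary is reachable.
NoNewPrivileges=yes

# Run in a private network namespace containing only a loopback device,
# so the process has no route to the host's interfaces. This is roughly
# what "unshare -n" gives a wrapped command.
PrivateNetwork=yes

# Mount-namespace adjustments. The state directory stays writable,
# /etc and /usr are bind-mounted read-only for this service even though
# a root process could otherwise write them, and /home is not reachable.
ReadWriteDirectories=/var/lib/example
ReadOnlyDirectories=/etc /usr
InaccessibleDirectories=/home

[Install]
WantedBy=multi-user.target
```

Two caveats worth knowing before relying on this. The directory directives are implemented with bind mounts in a private mount namespace, so a service that still runs as root with CAP_SYS_ADMIN can remount them; pair them with a capability bounding set or a non-root User= if read-only is meant to be a real boundary. And PrivateNetwork= removes all network access, including abstract-namespace AF_UNIX sockets, which live in the network namespace; sockets bound to filesystem paths keep working. For the auxverb route Colin describes, "unshare -n -- cmd" gives the private network namespace, and "setpriv --no-new-privs -- cmd" (util-linux) covers NoNewPrivileges=; the read-only and inaccessible directories need an unshared mount namespace plus the corresponding bind mounts, which is the part that is least trivial to get right by hand.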