Bug#771625: openssh-server: Please add ProtectSystem=yes to service file

To: 771625@bugs.debian.org
Subject: Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
From: Russ Allbery <rra@debian.org>
Date: Sun, 30 Nov 2014 20:45:31 -0800
Message-id: <[🔎] 87h9xgrn9w.fsf@hope.eyrie.org>
Reply-to: Russ Allbery <rra@debian.org>, 771625@bugs.debian.org
In-reply-to: <[🔎] 0DC7D3C3-EF5F-43AF-B1F1-93640517FE0C@scientia.net> (Christoph Anton Mitterer's message of "Mon, 01 Dec 2014 05:36:10 +0100")
References: <[🔎] 20141201034430.21407.89800.reportbug@muck.riseup.net> <[🔎] 87tx1groyx.fsf@hope.eyrie.org> <[🔎] 0DC7D3C3-EF5F-43AF-B1F1-93640517FE0C@scientia.net>

Christoph Anton Mitterer <calestyo@scientia.net> writes:

> Hmm, I'd have blindly guessed that all of systemd's security options
> apply only per cgroup... and the sessions which run in their own cgroup
> wouldn't inherit them... but you may be right..

That would explain Micah's results, and would certainly be a nice way to
implement it.  I wasn't sure if namespaces were per-cgroup or if those
were two separate things that had to be handled independently.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
  - From: Micah Anderson <micah@debian.org>
- Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
  - From: Russ Allbery <rra@debian.org>
- Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
Next by Date: Bug#768293: Related to 764841
Previous by thread: Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
Next by thread: Bug#771625: openssh-server: Please add ProtectSystem=yes to service file
Index(es):
- Date
- Thread