Discussion:
BindPaths in user service?
(too old to reply)
Mirosław Zalewski
2018-02-17 18:32:48 UTC
Permalink
Raw Message
Hi

I have a service that should run under user systemd instance. It needs
access to directory outside of it's usual paths and does not follow
symlinks, so I figured that `mount --bind` might be a way to go.

However, I can't make BindPaths= directive work in user service file.
It seems that directive is simply ignored. I can reproduce the issue
using systemd-run:

$ systemd-run -qt -p BindReadOnlyPaths=/run/user/1000/:/tmp/bindmount/ /bin/ls -a /tmp/bindmount/
. bus dconf gvfs klauncherJ21213.1.slave-socket ksocket-user pulse systemd
.. dbus-1 gnupg kdeinit5__0 KSMserver__0 kwallet5.socket rsnapshot

$ systemd-run -qt --user -p BindReadOnlyPaths=/run/user/1000/:/tmp/bindmount/ /bin/ls -a /tmp/bindmount/
. ..


Is this by design? I don't see any mention of this limitation in man
entries for systemd.mount and for systemd.exec.

If using BindPaths in user service file is not an option, can I somehow
make system service run automatically when this user service is
started?

Thanks in advance,
Mirosław Zalewski
Mantas Mikulėnas
2018-02-17 20:49:08 UTC
Permalink
Raw Message
On Sat, Feb 17, 2018, 20:42 Mirosław Zalewski <***@poczta.onet.pl>
wrote:

> Hi
>
> I have a service that should run under user systemd instance. It needs
> access to directory outside of it's usual paths and does not follow
> symlinks, so I figured that `mount --bind` might be a way to go.
>
> However, I can't make BindPaths= directive work in user service file.
> It seems that directive is simply ignored. I can reproduce the issue
> using systemd-run:
>
> $ systemd-run -qt -p BindReadOnlyPaths=/run/user/1000/:/tmp/bindmount/
> /bin/ls -a /tmp/bindmount/
> . bus dconf gvfs klauncherJ21213.1.slave-socket
> ksocket-user pulse systemd
> .. dbus-1 gnupg kdeinit5__0 KSMserver__0
> kwallet5.socket rsnapshot
>
> $ systemd-run -qt --user -p
> BindReadOnlyPaths=/run/user/1000/:/tmp/bindmount/ /bin/ls -a /tmp/bindmount/
> . ..
>
>
> Is this by design? I don't see any mention of this limitation in man
> entries for systemd.mount and for systemd.exec.
>

It's not a systemd limitation. Mounting is a privileged operation in Linux
and only available to root (or processes with the correct capabilities).
Your systemd instance only has the same privileges you yourself have.

> --

Mantas Mikulėnas <***@gmail.com>
Sent from my phone
Loading...