BindPaths in user service?
Mirosław Zalewski
2018-02-17 18:32:48 UTC
Hi

I have a service that should run under the user systemd instance. It needs
access to a directory outside of its usual paths and does not follow
symlinks, so I figured that `mount --bind` might be a way to go.

However, I can't make the BindPaths= directive work in a user service file.
It seems that the directive is simply ignored. I can reproduce the issue
using systemd-run:

$ systemd-run -qt -p BindReadOnlyPaths=/run/user/1000/:/tmp/bindmount/ /bin/ls -a /tmp/bindmount/
. bus dconf gvfs klauncherJ21213.1.slave-socket ksocket-user pulse systemd
.. dbus-1 gnupg kdeinit5__0 KSMserver__0 kwallet5.socket rsnapshot

$ systemd-run -qt --user -p BindReadOnlyPaths=/run/user/1000/:/tmp/bindmount/ /bin/ls -a /tmp/bindmount/
. ..


Is this by design? I don't see any mention of this limitation in man
entries for systemd.mount and for systemd.exec.

If using BindPaths in a user service file is not an option, can I somehow
make a system service run automatically when this user service is
started?

Thanks in advance,
Mirosław Zalewski
Mantas Mikulėnas
2018-02-17 20:49:08 UTC
Post by Mirosław Zalewski
Is this by design? I don't see any mention of this limitation in man
entries for systemd.mount and for systemd.exec.
It's not a systemd limitation. Mounting is a privileged operation in Linux
and only available to root (or processes with the correct capabilities).
Your systemd instance only has the same privileges you yourself have.
--
Mantas Mikulėnas <***@gmail.com>
Sent from my phone
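To see the privilege difference Mantas describes, the following POSIX sh check (an added example, not code from the thread) reads the effective capability mask from /proc/self/status and reports whether CAP_SYS_ADMIN, which mount(2) requires for a bind mount, is present. Run it with `systemd-run -t` and again with `systemd-run --user -t`; it assumes a Linux /proc and that CAP_SYS_ADMIN is capability bit 21 (as in linux/capability.h).

```shell
#!/bin/sh
# Added example: does this process hold CAP_SYS_ADMIN, the capability
# mount(2) needs? A user systemd instance runs with the user's own
# privileges, so under "systemd-run --user" this normally reports "absent".

CAP_SYS_ADMIN=21   # bit index of CAP_SYS_ADMIN in the kernel capability mask

# cap_in_mask HEXMASK BIT -> succeeds if BIT is set in the 64-bit hex mask
cap_in_mask() {
    mask=$1
    bit=$2
    # CapEff in /proc/<pid>/status is a 64-bit hex string, e.g. 000001ffffffffff
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# caps_of_self -> prints this process's effective capability mask
# (falls back to an all-zero mask if /proc is unavailable)
caps_of_self() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null \
        || echo 0000000000000000
}

# report_mount_capability -> prints whether a bind mount can be set up here
report_mount_capability() {
    mask=$(caps_of_self)
    if cap_in_mask "$mask" "$CAP_SYS_ADMIN"; then
        echo "CapEff=$mask: CAP_SYS_ADMIN present, bind mounts (BindPaths=) can be applied"
    else
        echo "CapEff=$mask: CAP_SYS_ADMIN absent, mount(2) would fail, so BindPaths= has no effect"
    fi
}

report_mount_capability
```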