Post by Павел Самсонов
Good day, I see the new Debian jessie, and I mean that /var/run/<pid>
filesystems must be mounted with the noexec option, since they have user write
access. On some installations this is very important. Where may I configure
this, or maybe you could change your default mount options?
Sorry for my English, best regards, Pavel, Russia
In the case of services you should consider "ProtectSystem" and
"ProtectHome", which make "/run/user" completely inaccessible.
Normally the service itself has no business meddling around there.
ProtectSystem=
Takes a boolean argument or "full". If true, mounts the /usr directory
read-only for processes invoked by this unit. If set to "full", the /etc
directory is mounted read-only, too. This setting ensures that any
modification of the vendor supplied operating system (and optionally its
configuration) is prohibited for the service. It is recommended to
enable this setting for all long-running services, unless they are
involved with system updates or need to modify the operating system in
other ways. Note however that processes retaining the CAP_SYS_ADMIN
capability can undo the effect of this setting. This setting is hence
particularly useful for daemons which have this capability removed, for
example with CapabilityBoundingSet=. Defaults to off.
ProtectHome=
Takes a boolean argument or "read-only". If true, the directories /home
and /run/user are made inaccessible and empty for processes invoked by
this unit. If set to "read-only", the two directories are made read-only
instead. It is recommended to enable this setting for all long-running
services (in particular network-facing ones), to ensure they cannot get
access to private user data, unless the services actually require access
to the user's private data. Note however that processes retaining the
CAP_SYS_ADMIN capability can undo the effect of this setting. This
setting is hence particularly useful for daemons which have this
capability removed, for example with CapabilityBoundingSet=. Defaults to
off.
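The reply's advice, as an added example that is not part of the original thread or of any Debian package: a POSIX shell script that writes a drop-in applying ProtectSystem=, ProtectHome= and a CapabilityBoundingSet= that removes CAP_SYS_ADMIN (the caveat the quoted man page text raises), and a small audit function that reads a unit file plus its drop-ins and reports which of the three are missing. The unit name `exampled.service`, the drop-in path and the sample unit are hypothetical; the accepted values are the ones listed in the quoted text (newer systemd releases add more, which this check does not know about).

```shell
#!/bin/sh
# Added example for the thread above; not code from the original post.
# Unit name, paths and the sample unit below are hypothetical.

# Effective value of a directive across one or more unit files, in override
# order (main unit first, drop-ins after). Simplification: the last
# assignment wins; systemd actually merges repeated CapabilityBoundingSet=
# lines and treats an empty value as a reset.
unit_get() {
    directive=$1; shift
    value=""
    for f in "$@"; do
        v=$(sed -n "s/^[[:space:]]*$directive=[[:space:]]*//p" "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Returns 0 when the unit sets ProtectSystem=, ProtectHome= and a
# CapabilityBoundingSet= that does not retain CAP_SYS_ADMIN; 1 otherwise.
audit_unit() {
    rc=0
    psys=$(unit_get ProtectSystem "$@")
    case "$psys" in
        yes|true|full) echo "ok   ProtectSystem=$psys" ;;
        *) echo "MISS ProtectSystem (got '${psys:-unset}')"; rc=1 ;;
    esac
    phome=$(unit_get ProtectHome "$@")
    case "$phome" in
        yes|true|read-only) echo "ok   ProtectHome=$phome" ;;
        *) echo "MISS ProtectHome (got '${phome:-unset}')"; rc=1 ;;
    esac
    caps=$(unit_get CapabilityBoundingSet "$@")
    # "~" prefix means "everything except the listed capabilities".
    case "$caps" in
        "") echo "MISS CapabilityBoundingSet unset: CAP_SYS_ADMIN retained, Protect*= can be undone"; rc=1 ;;
        "~"*CAP_SYS_ADMIN*) echo "ok   CapabilityBoundingSet=$caps (drops CAP_SYS_ADMIN)" ;;
        "~"*) echo "MISS CapabilityBoundingSet=$caps keeps CAP_SYS_ADMIN"; rc=1 ;;
        *CAP_SYS_ADMIN*) echo "MISS CapabilityBoundingSet=$caps keeps CAP_SYS_ADMIN"; rc=1 ;;
        *) echo "ok   CapabilityBoundingSet=$caps (CAP_SYS_ADMIN not granted)" ;;
    esac
    return $rc
}

# Write a drop-in applying the reply's advice. $1 = drop-in path, e.g.
# /etc/systemd/system/exampled.service.d/hardening.conf (hypothetical).
write_hardening_dropin() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
[Service]
# /usr and /etc read-only for this service
ProtectSystem=full
# /home and /run/user empty and inaccessible for this service
ProtectHome=yes
# Without this a process keeping CAP_SYS_ADMIN can undo the two settings above
CapabilityBoundingSet=~CAP_SYS_ADMIN
EOF
}

# Constructed sample unit with no hardening at all (not a real package unit).
make_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/bin/exampled
EOF
}

# Demo: audit the bare unit, then the unit with the drop-in layered on top.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_unit "$tmp/exampled.service"
    audit_unit "$tmp/exampled.service" || echo "-> unit not hardened"
    write_hardening_dropin "$tmp/exampled.service.d/hardening.conf"
    audit_unit "$tmp/exampled.service" "$tmp/exampled.service.d/hardening.conf" \
        && echo "-> hardened; run 'systemctl daemon-reload' after installing the drop-in"
    rm -rf "$tmp"
fi
```

Run with `sh script.sh demo`. On a live system the effective values can be confirmed with `systemctl show -p ProtectSystem -p ProtectHome -p CapabilityBoundingSet exampled.service` after `systemctl daemon-reload`; the audit here only reads the files, which is enough to catch a unit that never sets the directives or that keeps CAP_SYS_ADMIN in its bounding set.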