core: imply ProtectHome=read-only and ProtectSystem=strict if DynamicUser=1

Let's make sure that services that use DynamicUser=1 cannot leave files in the file system should the system accidentally have a world-writable directory somewhere. This effectively ensures that directories need to be whitelisted rather than blacklisted for access when DynamicUser=1 is set.
2025-09-19 01:45:00 +03:00 · 2016-08-25 16:12:46 +02:00
parent 3f815163ff
commit 63bb64a056
2 changed files with 14 additions and 4 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -160,14 +160,18 @@
        use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
        as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
        users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
-        these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>RemoveIPC=</varname> and
+        these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>RemoveIPC=</varname>,
        <varname>PrivateTmp=</varname> are implied. This ensures that the lifetime of IPC objects and temporary files
        created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic
        user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only
        world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation
-        cannot leave files around after unit termination. Use <varname>RuntimeDirectory=</varname> (see below) in order
+        cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and
-        to assign a writable runtime directory to a service, owned by the dynamic user/group and removed automatically
+        <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file
-        when the unit is terminated. Defaults to off.</para></listitem>
+        system locations. In order to allow the service to write to certain directories, they have to be whitelisted
        using <varname>ReadWritePaths=</varname>, but care must be taken so that that UID/GID recycling doesn't
        create security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see
        below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and
        removed automatically when the unit is terminated. Defaults to off.</para></listitem>
      </varlistentry>
      <varlistentry>
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3377,8 +3377,14 @@ int unit_patch_contexts(Unit *u) {
                                        return -ENOMEM;
                        }
                        /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID
                         * around in the file system or on IPC objects. Hence enforce a strict sandbox. */
                        ec->private_tmp = true;
                        ec->remove_ipc = true;
                        ec->protect_system = PROTECT_SYSTEM_STRICT;
                        if (ec->protect_home == PROTECT_HOME_NO)
                                ec->protect_home = PROTECT_HOME_READ_ONLY;
                }
        }