From d9960ebfdfb0d2e818bc417f8430d066ad60aa41 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Mon, 19 Dec 2022 17:58:49 +0100 Subject: [PATCH] units: allow systemd-userdbd to change process name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rename_process() requires CAP_SYS_RESOURCE so let's make sure it is in our permitted set after execve() by adding in to the bounding set. Previously, systemd-userdbd.service - User Database Manager Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled) Active: active (running) since Mon 2022-12-19 17:07:21 CET; 17min ago TriggeredBy: ● systemd-userdbd.socket Docs: man:systemd-userdbd.service(8) Main PID: 1880 (systemd-userdbd) Status: "Processing requests..." Tasks: 4 (limit: 2272) Memory: 5.2M CPU: 244ms CGroup: /system.slice/systemd-userdbd.service ├─1880 /usr/lib/systemd/systemd-userdbd ├─2270 systemd-userwork ├─2271 systemd-userwork └─2272 systemd-userwork Now, Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled) Active: active (running) since Mon 2022-12-19 17:27:02 CET; 15s ago TriggeredBy: ● systemd-userdbd.socket Docs: man:systemd-userdbd.service(8) Main PID: 2404 (systemd-userdbd) Status: "Processing requests..." Tasks: 4 (limit: 2272) Memory: 5.5M CPU: 89ms CGroup: /system.slice/systemd-userdbd.service ├─2404 /usr/lib/systemd/systemd-userdbd ├─2407 "systemd-userwork: waiting..." ├─2408 "systemd-userwork: waiting..." └─2409 "systemd-userwork: waiting..." (cherry picked from commit d5e5bc2fe9eaa4697c22b84007f18bda29756573) (cherry picked from commit 9357d2342981a8b4fcfa2d170b7749c27d364fdd) (cherry picked from commit 34f78e7e1426be8bcebf48e95d923459db55af99) --- units/systemd-userdbd.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in index 84dea04f55..b57661100c 100644 --- a/units/systemd-userdbd.service.in +++ b/units/systemd-userdbd.service.in @@ -16,7 +16,7 @@ Before=sysinit.target DefaultDependencies=no [Service] -CapabilityBoundingSet=CAP_DAC_READ_SEARCH +CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE ExecStart={{ROOTLIBEXECDIR}}/systemd-userdbd IPAddressDeny=any LimitNOFILE={{HIGH_RLIMIT_NOFILE}}