mirror of
https://github.com/systemd/systemd.git
synced 2024-12-23 21:35:11 +03:00
b6033b7060
This adds a tmpfiles.d/ snippet for LoadCredential= style credentials directories in /etc/ and /run/. This is done primarily to ensure that the access modes for the dirs are set up properly, in the most restrictive ways. Specifically these are set to 0000, so that CAP_DAC_OVERRIDE is necessary to enumerate and read the credentials, and being UID=0 is not sufficient to do so. This creates /etc/credstore/, but leaves /run/credstore/ absent if missing, for now. Thinking is: the latter being non-persistent is created by software usually, not manually by users, and hence more likely right. But dunno, we might want to revisit this sooner or later. This is ultimately an exercise to advertise the LoadCredential= concept a bit, and do so in a reasonably secure way, underlining the safety of the concept. |
||
---|---|---|
.. | ||
credstore.conf | ||
etc.conf.in | ||
home.conf | ||
journal-nocow.conf | ||
legacy.conf.in | ||
meson.build | ||
portables.conf | ||
provision.conf | ||
README | ||
static-nodes-permissions.conf.in | ||
systemd-network.conf | ||
systemd-nologin.conf | ||
systemd-nspawn.conf | ||
systemd-pstore.conf | ||
systemd-resolve.conf | ||
systemd-tmp.conf | ||
systemd.conf.in | ||
tmp.conf | ||
var.conf.in | ||
x11.conf |
Files in this directory contain configuration for systemd-tmpfiles, a program to create, delete, and clean up volatile and temporary files and directories. See man:tmpfiles.d(5) for explanation of the configuration file format, and man:systemd-tmpfiles(8) for a description of when and how this configuration is applied. Use 'systemd-analyze cat-config tmpfiles.d' to display the effective config.