From: Arseny Maslennikov
To: ALT Linux Team development discussions
Date: Thu, 22 Apr 2021 16:51:55 +0300
Subject: Re: [devel] PrivateTmp=true for a session on upgraded p9

On Thu, Apr 22, 2021 at 03:26:12PM +0300, Mikhail Novosyolov wrote:
>
> 22.04.2021 15:00, Arseny Maslennikov writes:
> > On Thu, Apr 22, 2021 at 02:19:34PM +0300, Andrey Cherepanov wrote:
> >> Does anyone know how to track down the culprit that sets PrivateTmp=true
> >> for the user session on an upgraded p9 system?
> > % man systemd.directives | grep -A4 PrivateTmp
> > PrivateTmp=
> > systemd.exec(5)
> >
> > PrivateUsers=
> > systemd.exec(5)
> > --
> > PrivateTmp
> > org.freedesktop.systemd1(5)
> >
> > PrivateUsers
> > org.freedesktop.systemd1(5)
> >
> >
> > How is the expression "PrivateTmp=true for the user session" to be understood?
> > This directive can only be assigned to a unit.
> The user session - user-UID.slice - is a unit. pam_systemd works.

I was not very detailed.

1) Not to any unit, but only to a service, mount, swap and (for some reason)
socket; see org.freedesktop.systemd1(5).

2) A slice is, of course, a unit type, but it is not a user session; at most
session-$ID.scope could be called a session, and that is exactly what
pam_systemd(8) spawns.

3) systemd.exec(5):
    PrivateTmp=
        Takes a boolean argument. If true, sets up a new file system
        namespace for the executed processes and mounts private /tmp/ and
        /var/tmp/ directories inside it that are not shared by processes
        outside of the namespace. This is useful to secure access <...>
        This option is only available for system services and is not
        supported for services running in per-user instances of the
        service manager.

That is, the directive is not applicable in the user init sequence
(otherwise it turns out ugly: to make a mount namespace you either have to
build a userns or raise privileges...).

As for Andrey's specific question: I suspect some other PAM module is at work.
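
A check for the situation discussed above, added here as an example and not part of the original message: PrivateTmp= works by giving processes a mount namespace with their own /tmp, so comparing what backs /tmp in a process's mountinfo with PID 1's shows whether that process has a private /tmp and whether the systemd-private-* directory naming used by PrivateTmp= is behind it. The function names and all sample mountinfo lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). All mountinfo lines below are constructed.

# tmp_backing FILE: print "<major:minor> <path inside that fs>" for whatever
# backs /tmp in a mountinfo dump. Later lines win: newer mounts stack on top.
tmp_backing() {
    awk '
        $5 == "/tmp"         { dev = $3; path = $4; exact = 1 }
        $5 == "/" && !exact  { dev = $3; path = ($4 == "/" ? "" : $4) "/tmp" }
        END                  { print dev, path }
    ' "$1"
}

# classify_tmp INIT_MOUNTINFO PROC_MOUNTINFO
#   shared          - the process sees the same /tmp as PID 1
#   systemd-private - /tmp is bound to a systemd-private-* directory (PrivateTmp=)
#   other-private   - /tmp differs, but something else set it up
classify_tmp() {
    init=$(tmp_backing "$1")
    proc=$(tmp_backing "$2")
    if [ "$init" = "$proc" ]; then echo shared; return; fi
    case $proc in
        *systemd-private-*) echo systemd-private ;;
        *)                  echo other-private ;;
    esac
}

# make_samples DIR: write constructed mountinfo dumps for the three cases.
make_samples() {
    cat > "$1/init" <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
30 22 0:26 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw
EOF
    cp "$1/init" "$1/session"
    cat > "$1/service" <<'EOF'
200 199 8:2 / / rw,relatime shared:90 master:1 - ext4 /dev/sda2 rw
210 200 0:26 /systemd-private-BOOTID-example.service-XXXXXX/tmp /tmp rw,nosuid,nodev shared:95 master:5 - tmpfs tmpfs rw
EOF
    cat > "$1/other" <<'EOF'
300 299 8:2 / / rw,relatime - ext4 /dev/sda2 rw
310 300 0:26 /per-user/1000 /tmp rw,nosuid,nodev - tmpfs tmpfs rw
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for s in session service other; do
    printf '%s: %s\n' "$s" "$(classify_tmp "$demo_dir/init" "$demo_dir/$s")"
done
rm -rf "$demo_dir"
# Live use: classify_tmp /proc/1/mountinfo /proc/<pid>/mountinfo
```

An `other-private` result for a process in session-$ID.scope points away from PrivateTmp= and toward whatever else in the login path mounts over /tmp.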