RFC: init-d-script add optional setpriv wrapper for s-s-d.
Mark Hindley
mark at hindley.org.uk
Tue Sep 3 15:16:36 BST 2024
Hi,

I am looking for comments and opinions on the attached patch which adds a new
SETPRIV_ARGS directive to init-d-script(5). If it is set and setpriv is
available then start-stop-daemon is called via setpriv.

The background and my usage case is that unit-translator[1] has been in sid for
a couple of weeks with openrc/cron/inetd support. I am currently working on an
LSB backend[2] which uses init-d-script. However, Debian's version of
start-stop-daemon lacks support for capabilities, no-new-privs, securebits
etc. Wrapping start-stop-daemon with setpriv seems a viable solution for these
and would allow more unit sandboxing directives to be supported.

Are there any downsides here? What have I missed or failed to consider?

Maybe further restricting PATH is unnecessary?

Maybe it will be too noisy on non-Linux?

Thanks

Mark

[1] https://tracker.debian.org/pkg/unit-translator
[2] https://git.devuan.org/LeePen/unit-translator/src/branch/main/backends/
--
Mark Hindley
GPG: 506C 15A4 2B0A F5A0 A854 23EE D28A 45BF 3287 D649
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Wrap-s-s-d-with-setpriv-SETPRIV_ARGS.patch
Type: text/x-diff
Size: 2419 bytes
Desc: not available
URL: <http://www.chiark.greenend.org.uk/pipermail/debian-init-diversity/attachments/20240903/21fd92a0/attachment.patch>
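
The wrapping behaviour described in the message, sketched as an added example; it is not the attached patch and not init-d-script code. Only SETPRIV_ARGS comes from the post; `run_ssd`, `SETPRIV_REQUIRED` and `SSD_DRYRUN` are hypothetical names, and the sketch assumes SETPRIV_ARGS holds whitespace-separated setpriv(1) options. It puts the fallback taken when setpriv is missing (the daemon starts unconfined) beside an opt-in fail-closed alternative.

```shell
#!/bin/sh
# Added illustration. SETPRIV_ARGS is the directive named in the post;
# run_ssd, SETPRIV_REQUIRED and SSD_DRYRUN are hypothetical.
#
# Example setting in an init script (real setpriv(1) options):
#   SETPRIV_ARGS="--no-new-privs --bounding-set -all"

run_ssd() {
    if [ -z "${SETPRIV_ARGS:-}" ]; then
        # Directive unset: unchanged behaviour, call s-s-d directly.
        set -- start-stop-daemon "$@"
    elif command -v setpriv >/dev/null 2>&1; then
        # Word splitting is intentional: SETPRIV_ARGS carries several
        # options. setpriv applies them, then execs start-stop-daemon,
        # so the restrictions are inherited by the daemon it starts.
        # shellcheck disable=SC2086
        set -- setpriv $SETPRIV_ARGS start-stop-daemon "$@"
    elif [ "${SETPRIV_REQUIRED:-no}" = yes ]; then
        # Fail closed: the sandboxing was requested but cannot be applied.
        echo "setpriv not found, refusing to start unconfined" >&2
        return 1
    else
        # Fail open (e.g. non-Linux): warn, then start without restrictions.
        echo "setpriv not found, SETPRIV_ARGS ignored" >&2
        set -- start-stop-daemon "$@"
    fi

    if [ -n "${SSD_DRYRUN:-}" ]; then
        # Print the command line instead of running it.
        echo "$*"
    else
        "$@"
    fi
}
```

With `SSD_DRYRUN=1` set, `run_ssd --start --exec /path/to/daemon` prints the command line that would be run, which makes it easy to check whether a given host would start the service wrapped or unwrapped.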