From: "Lénaïc Huard" <lenaic@lhuard.fr>
To: git@vger.kernel.org, phillip.wood@dunelm.org.uk
Cc: "Junio C Hamano" <gitster@pobox.com>,
"Derrick Stolee" <dstolee@microsoft.com>,
"Eric Sunshine" <sunshine@sunshineco.com>,
"brian m . carlson" <sandals@crustytoothpaste.net>,
"Bagas Sanjaya" <bagasdotme@gmail.com>,
"Đoàn Trần Công Danh" <congdanhqx@gmail.com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: Re: [PATCH v2 1/1] maintenance: use systemd timers on Linux
Date: Tue, 08 Jun 2021 16:55:29 +0200 [thread overview]
Message-ID: <13530009.9cuodmXfNX@coruscant.lhuard.fr> (raw)
In-Reply-To: <3fd17223-8667-24be-2e65-f1970d411bdf@gmail.com>
Hello Phillip,
Le lundi 10 mai 2021, 20:03:58 CEST Phillip Wood a écrit :
> > + unit = "# This file was created and is maintained by Git.\n"
> > + "# Any edits made in this file might be replaced in the
future\n"
> > + "# by a Git command.\n"
> > + "\n"
> > + "[Unit]\n"
> > + "Description=Optimize Git repositories data\n"
> > + "\n"
> > + "[Service]\n"
> > + "Type=oneshot\n"
> > + "ExecStart=\"%1$s/git\" --exec-path=\"%1$s\" for-each-repo
> > --config=maintenance.repo maintenance run --schedule=%%i\n" +
> > "LockPersonality=yes\n"
> > + "MemoryDenyWriteExecute=yes\n"
> > + "NoNewPrivileges=yes\n"
> > + "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6\n"
> > + "RestrictNamespaces=yes\n"
> > + "RestrictRealtime=yes\n"
> > + "RestrictSUIDSGID=yes\n"
>
> After a quick read of the systemd.exec man page it is unclear to me if
> these Restrict... lines are needed as we already have
> NoNewPrivileges=yes - maybe they have some effect if `git maintence` is
> run as root?
I think that the only thing that `NoNewPrivileges=yes` do is to set the no new
privileges flag described in [1] on the process.
The `Restrict…` options are enabling some other sandboxing features by
blocking some syscalls through a seccomp profile.
My understanding of the systemd.exec man page is the other way round, i.e.: as
soon as there’s a `Restrict…` option, the `NoNewPrivileges=yes` is implied.
So, I would say that strictly speaking `NoNewPrivileges=yes` isn’t needed.
But `NoNewPrivileges=yes` doesn’t imply the `Restrict…` options.
But I thought that, from a security point of view, it’s better to set as many
sandboxing options as possible and be as explicit as possible.
[1] https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
next prev parent reply other threads:[~2021-06-09 6:39 UTC|newest]
Thread overview: 138+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-01 14:52 [PATCH] maintenance: use systemd timers on Linux Lénaïc Huard
2021-05-01 20:02 ` brian m. carlson
2021-05-02 5:28 ` Bagas Sanjaya
2021-05-02 6:49 ` Eric Sunshine
2021-05-02 6:45 ` Eric Sunshine
2021-05-02 14:10 ` Phillip Wood
2021-05-05 12:19 ` Đoàn Trần Công Danh
2021-05-05 14:57 ` Phillip Wood
2021-05-05 12:01 ` Ævar Arnfjörð Bjarmason
2021-05-09 22:34 ` Lénaïc Huard
2021-05-10 13:03 ` Ævar Arnfjörð Bjarmason
2021-05-02 11:12 ` Bagas Sanjaya
2021-05-03 12:04 ` Derrick Stolee
2021-05-09 21:32 ` [PATCH v2 0/1] " Lénaïc Huard
2021-05-09 21:32 ` [PATCH v2 1/1] " Lénaïc Huard
2021-05-10 1:20 ` Đoàn Trần Công Danh
2021-05-10 2:48 ` Eric Sunshine
2021-05-10 6:25 ` Junio C Hamano
2021-05-12 0:29 ` Đoàn Trần Công Danh
2021-05-12 6:59 ` Felipe Contreras
2021-05-12 13:26 ` Phillip Wood
2021-05-12 13:38 ` Phillip Wood
2021-05-12 15:41 ` Đoàn Trần Công Danh
2021-05-10 18:03 ` Phillip Wood
2021-05-10 18:25 ` Eric Sunshine
2021-05-10 20:09 ` Phillip Wood
2021-05-10 20:52 ` Eric Sunshine
2021-06-08 14:55 ` Lénaïc Huard [this message]
2021-05-10 19:15 ` Martin Ågren
2021-05-11 14:50 ` Phillip Wood
2021-05-11 17:31 ` Derrick Stolee
2021-05-20 22:13 ` [PATCH v3 0/4] " Lénaïc Huard
2021-05-20 22:13 ` [PATCH v3 1/4] cache.h: rename "xdg_config_home" to "xdg_config_home_git" Lénaïc Huard
2021-05-20 23:44 ` Đoàn Trần Công Danh
2021-05-20 22:13 ` [PATCH v3 2/4] maintenance: introduce ENABLE/DISABLE for code clarity Lénaïc Huard
2021-05-20 22:13 ` [PATCH v3 3/4] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-05-21 9:52 ` Bagas Sanjaya
2021-05-20 22:13 ` [PATCH v3 4/4] maintenance: optionally use systemd timers on Linux Lénaïc Huard
2021-05-21 9:59 ` Bagas Sanjaya
2021-05-21 16:59 ` Derrick Stolee
2021-05-22 6:57 ` Johannes Schindelin
2021-05-23 18:36 ` Felipe Contreras
2021-05-23 23:27 ` brian m. carlson
2021-05-24 1:18 ` Felipe Contreras
2021-05-24 7:03 ` Ævar Arnfjörð Bjarmason
2021-05-24 15:51 ` Junio C Hamano
2021-05-25 1:50 ` Johannes Schindelin
2021-05-25 11:13 ` Felipe Contreras
2021-05-26 10:29 ` CoC, inclusivity etc. (was "Re: [...] systemd timers on Linux") Ævar Arnfjörð Bjarmason
2021-05-26 16:05 ` Felipe Contreras
2021-05-27 14:24 ` Jeff King
2021-05-27 17:30 ` Felipe Contreras
2021-05-27 23:58 ` Junio C Hamano
2021-05-28 14:44 ` Phillip Susi
2021-05-30 21:58 ` Jeff King
2021-05-24 17:52 ` [PATCH v3 4/4] maintenance: optionally use systemd timers on Linux Felipe Contreras
2021-05-24 7:15 ` [PATCH v4 0/4] add support for " Lénaïc Huard
2021-05-24 7:15 ` [PATCH v4 1/4] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-05-24 9:33 ` Phillip Wood
2021-05-24 12:23 ` Đoàn Trần Công Danh
2021-05-24 7:15 ` [PATCH v4 2/4] maintenance: introduce ENABLE/DISABLE for code clarity Lénaïc Huard
2021-05-24 9:41 ` Phillip Wood
2021-05-24 12:36 ` Đoàn Trần Công Danh
2021-05-25 7:18 ` Lénaïc Huard
2021-05-25 8:02 ` Junio C Hamano
2021-05-24 9:47 ` Ævar Arnfjörð Bjarmason
2021-05-24 7:15 ` [PATCH v4 3/4] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-05-24 10:12 ` Phillip Wood
2021-05-30 6:39 ` Lénaïc Huard
2021-05-30 10:16 ` Phillip Wood
2021-05-24 7:15 ` [PATCH v4 4/4] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-05-24 9:55 ` Ævar Arnfjörð Bjarmason
2021-05-24 16:39 ` Eric Sunshine
2021-05-24 18:08 ` Felipe Contreras
2021-05-26 10:26 ` Phillip Wood
2021-05-24 9:04 ` [PATCH v4 0/4] " Junio C Hamano
2021-06-08 13:39 ` [PATCH v5 0/3] " Lénaïc Huard
2021-06-08 13:39 ` [PATCH v5 1/3] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-06-08 13:39 ` [PATCH v5 2/3] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-06-08 13:40 ` [PATCH v5 3/3] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-06-09 9:34 ` Jeff King
2021-06-09 15:01 ` Phillip Wood
2021-06-09 0:21 ` [PATCH v5 0/3] " Junio C Hamano
2021-06-09 14:54 ` Phillip Wood
2021-06-12 16:50 ` [PATCH v6 0/3] maintenance: " Lénaïc Huard
2021-06-12 16:50 ` [PATCH v6 1/3] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-06-12 16:50 ` [PATCH v6 2/3] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-06-14 4:36 ` Eric Sunshine
2021-06-16 18:12 ` Derrick Stolee
2021-06-17 4:11 ` Eric Sunshine
2021-06-17 14:26 ` Phillip Wood
2021-07-02 15:04 ` Lénaïc Huard
2021-06-12 16:50 ` [PATCH v6 3/3] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-07-02 14:25 ` [PATCH v7 0/3] " Lénaïc Huard
2021-07-02 14:25 ` [PATCH v7 1/3] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-07-02 14:25 ` [PATCH v7 2/3] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-07-06 19:56 ` Ævar Arnfjörð Bjarmason
2021-07-06 20:52 ` Junio C Hamano
2021-07-13 0:15 ` Jeff King
2021-07-13 2:22 ` Eric Sunshine
2021-07-13 3:56 ` Jeff King
2021-07-13 5:17 ` Eric Sunshine
2021-07-13 7:04 ` Bagas Sanjaya
2021-07-06 21:18 ` Felipe Contreras
2021-08-23 20:06 ` Lénaïc Huard
2021-08-23 22:30 ` Junio C Hamano
2021-07-02 14:25 ` [PATCH v7 3/3] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-07-06 20:03 ` Ævar Arnfjörð Bjarmason
2021-07-02 18:18 ` [PATCH v7 0/3] " Junio C Hamano
2021-07-06 13:18 ` Phillip Wood
2021-08-23 20:40 ` [PATCH v8 " Lénaïc Huard
2021-08-23 20:40 ` [PATCH v8 1/3] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-08-23 20:40 ` [PATCH v8 2/3] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-08-24 17:45 ` Derrick Stolee
2021-08-23 20:40 ` [PATCH v8 3/3] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-08-24 17:45 ` Derrick Stolee
2021-08-24 17:47 ` [PATCH v8 0/3] " Derrick Stolee
2021-08-27 21:02 ` [PATCH v9 " Lénaïc Huard
2021-08-27 21:02 ` [PATCH v9 1/3] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-08-27 21:02 ` [PATCH v9 2/3] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-08-27 23:54 ` Ramsay Jones
2021-08-27 21:02 ` [PATCH v9 3/3] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-09-04 20:54 ` [PATCH v10 0/3] " Lénaïc Huard
2021-09-04 20:54 ` [PATCH v10 1/3] cache.h: Introduce a generic "xdg_config_home_for(…)" function Lénaïc Huard
2021-09-04 20:54 ` [PATCH v10 2/3] maintenance: `git maintenance run` learned `--scheduler=<scheduler>` Lénaïc Huard
2021-09-04 20:55 ` [PATCH v10 3/3] maintenance: add support for systemd timers on Linux Lénaïc Huard
2021-09-07 16:48 ` [PATCH v10 0/3] " Derrick Stolee
2021-09-08 11:44 ` Derrick Stolee
2021-09-09 5:52 ` Lénaïc Huard
2021-09-09 19:55 ` Derrick Stolee
2021-09-27 12:50 ` Ævar Arnfjörð Bjarmason
2021-09-27 21:44 ` Lénaïc Huard
2021-08-17 17:22 ` [PATCH v5 0/3] " Derrick Stolee
2021-08-17 19:43 ` Phillip Wood
2021-08-17 20:29 ` Derrick Stolee
2021-08-18 5:56 ` Lénaïc Huard
2021-08-18 13:28 ` Derrick Stolee
2021-08-18 18:23 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=13530009.9cuodmXfNX@coruscant.lhuard.fr \
--to=lenaic@lhuard.fr \
--cc=avarab@gmail.com \
--cc=bagasdotme@gmail.com \
--cc=congdanhqx@gmail.com \
--cc=dstolee@microsoft.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=phillip.wood@dunelm.org.uk \
--cc=sandals@crustytoothpaste.net \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.