systemd service sandboxing and security hardening #158
The new unit should enhance security without compromising functionality.
Adding a new daemon with superuser privileges was seen by many people as an argument against enabling earlyoom by default in Fedora.
-- @xvitaly, https://pagure.io/fedora-workstation/issue/98#comment-612913
See also:
I use a similar setup and have no problem: https://github.com/hakavlad/nohang/blob/master/nohang/nohang.service.in Do you have any questions?
I think we should make this as limited as possible and ignore the notifications. In other words, don't run as root.
Run as a random unprivileged user instead of as root, but add the capabilities CAP_KILL CAP_IPC_LOCK. Supersedes #158
I have gone for the most secure approach here: f2b45e6 If the user wants GUI notifications, they have to comment out DynamicUser=true.
In case anyone else gets stuck, I've needed to change
Just comment DynamicUser and ProtectHome.
@rfjakob I suggest to provide and install earlyoom-root.service with package
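A unit fragment illustrating the approach described in the comments above (dynamic unprivileged user plus only CAP_KILL and CAP_IPC_LOCK). This is an added example, not the unit from commit f2b45e6 or any file shipped by the project; the `ExecStart` path, the description text and the choice to set both `AmbientCapabilities=` and `CapabilityBoundingSet=` are assumptions.

```ini
# Added example: hardened service section for an OOM-killer daemon.
# Not the project's own unit file; paths and descriptions are assumed.
[Unit]
Description=Early OOM daemon (hardened example)

[Service]
# Assumed install location of the binary.
ExecStart=/usr/bin/earlyoom

# Run as a transient, unprivileged user allocated by systemd instead of root.
# The thread notes that GUI notifications require commenting this out.
DynamicUser=true

# Grant the non-root process only the two capabilities named in the thread:
#   CAP_KILL      - send signals to processes owned by other users
#   CAP_IPC_LOCK  - lock memory
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
# Cap what the service could ever hold to the same two capabilities.
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK

# Make /home, /root and /run/user inaccessible to the service.
# The thread notes this is the second directive users comment out
# when they need the less restricted behaviour.
ProtectHome=true

[Install]
WantedBy=multi-user.target
```

After installing a unit like this, `systemd-analyze security <unit name>` reports which sandboxing directives are in effect, which makes it easy to see what is lost when `DynamicUser` and `ProtectHome` are commented out.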