![Lennart Poettering CC-BY-SA-3.0 Lennart Poettering CC-BY-SA-3.0](/var/ezflow_site/storage/images/archive/2022/67/the-achievements-of-and-plans-for-systemd/b01_lennartpoettering_2012_haraldhoyer_cc-by-sa-3.0_wikimediacommons.png/190822-1-eng-US/b01_LennartPoettering_2012_HaraldHoyer_CC-BY-SA-3.0_WikimediaCommons.png_medium.png)
The achievements of and plans for systemd
Extending Integration
Linux Magazine: If you take stock of the last three or four years, what have been the most important innovations in systemd during this time?
Lennart Poettering: That would be, firstly, all the security features we have added and made visible with the systemd-analyze security tool. Regular system services can now be locked into effective sandboxes with relative ease, but can still be integral parts of the host operating system. I believe this has advanced Linux system security quite a bit.
Another important innovation might be systemd-tmpfiles and systemd-sysusers. Strictly speaking, they are more than four or five years old, but it is only in the last three or four years that they have finally seen more widespread use in the popular distributions. We are looking to move to a declarative description of the system and its components, leaving behind imperative scriptlets in packages and the like. This improves robustness, security, and reproducibility.
The dynamic user strategy makes it possible to allocate system users dynamically when starting system services that are automatically released again when the service terminates. This takes into account that system users are the original mechanism used to implement privilege separation on Unix and Linux. No matter which subsystem you look at, access control based on users is always implemented on Linux. Other concepts – such as SELinux labels, Access Control Lists (ACLs), other Mandatory Access Controls (MACs), and so on – are not universally available and are nowhere near as popular or as universally well understood.
Classically, however, such system users are expensive, with only 1,000 of them (or sometimes only 100 or 500, depending on the distribution), and they are allocated individually during package installation. So traditionally they can only be used roughly to secure