r/systemd

How much exactly does systemd require to work properly?

So, since systemd now has musl support (even though it's experimental), I see this as another door opened into embedded and container systems. But in that case, here's the question: how many systemd components do I need to start it? Because judging by this freedesktop minimal builds page, systemd needs only 3 components to run: systemd itself, udev and journald. But is that really enough in a realistic case? I also doubt udev will be useful in such conditions. Is there an official list of systemd build requirements somewhere?

reddit.com
u/goldmurder — 10 days ago

Can I order the users during init?

I have a setup where multiple users run a single service using Podman and systemd. For example, one user called "mysql" runs mysqld in a container. Another user called "gitea" runs the gitea service in a podman container. They talk to each other using Unix sockets.

The problem is, I need to ensure mysql is up and running before gitea. Since they run under different users, user-level and system-level targets (basic.target, default.target) are no good. And I can't use socket activation via .socket files because some services like gitea don't support them. I was thinking of making a bunch of helper services that dip in and out of user and system service spaces, like how podman-user-wait-network-online.service works. That feels hacky.

Is there a way I can "order" how systemd starts user instances? For example, have systemd complete starting up the mysql user and its services before starting up the gitea user?

u/thekingofdorks — 13 days ago

Music Player Daemon (mpd) has Permission Denied errors

Hello there,

I tried installing MPD (Music Player Daemon) on an openSUSE Tumbleweed machine. I get "Permission denied" on every regular file when scanning the music directory. I changed the mpd login shell to /bin/bash and hexdumped a file without problems after switching to the user via sudo su - mpd.

andreas@littlefoot:/srv/music> ls -alh Dartagnan/Feuer\ \&\ Flamme/01\ -\ C\'est\ la\ vie.mp3 
-rwxr-xr-x. 1 mpd audio 6,1M 11. Apr 20:25 Dartagnan/Feuer & Flamme/01 - C'est la vie.mp3

The dot at the end of -rwxr-xr-x. indicates SELinux data, but getfacl reports nothing special.

andreas@littlefoot:/srv/music> sudo getfacl Dartagnan/Feuer\ \&\ Flamme/01\ -\ C\'est\ la\ vie.mp3 
# file: Dartagnan/Feuer & Flamme/01 - C'est la vie.mp3
# owner: mpd
# group: audio
user::rwx
group::r-x
other::r-x

Currently, I am trying to narrow down the cause: does systemd by default restrict access to some directories? I commented out everything that looked like that (see the attached file at the bottom). The config loads fine. I've added the systemd .service file and the mpd.conf.

Here is the mpd.conf file:

andreas@littlefoot:/etc> cat mpd.conf |grep -v "^#"
music_directory "/srv/music"
playlist_directory "/var/lib/mpd/playlists"
db_file "/var/lib/mpd/mpd.db"
user "mpd"
group "audio"
log_level "warning"
auto_update "no"
zeroconf_enabled "no"
input {
        plugin "curl"
}
audio_output {
        type "pipewire"
        name "PipeWire"
}
filesystem_charset "UTF-8"

Here is the systemd .service file:

andreas@littlefoot:/etc/systemd/system/multi-user.target.wants> cat mpd.service 
[Unit]
Description=Music Player Daemon
Documentation=man:mpd(1) man:mpd.conf(5)
After=network.target sound.target

[Service]
Type=notify
ExecStart=/usr/bin/mpd --systemd

# Enable this setting to ask systemd to watch over MPD, see
# systemd.service(5).  This is disabled by default because it causes
# periodic wakeups which are unnecessary if MPD is not playing.
#WatchdogSec=120

# allow MPD to use real-time priority 40
LimitRTPRIO=40
LimitRTTIME=infinity

# for io_uring
LimitMEMLOCK=64M

# disallow writing to /usr, /bin, /sbin, ...
#ProtectSystem=yes
ProtectSystem=no

# more paranoid security settings
#NoNewPrivileges=yes
#ProtectKernelTunables=yes
#ProtectControlGroups=yes
#ProtectKernelModules=yes
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
#RestrictNamespaces=yes

[Install]
WantedBy=multi-user.target
Also=mpd.socket
u/ZeroCool4083 — 12 days ago
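
An added diagnostic for the failure described above; this is not the poster's code, nor mpd's or systemd's own. The unit as posted enables none of systemd's filesystem sandboxing: ProtectSystem=no, and the remaining hardening lines are commented out (and ProtectSystem=yes would only have made /usr and /boot read-only; nothing shown denies reads under /srv). So the unit file itself does not explain a denial that does not reproduce under `su - mpd`. Two things still differ between that shell and the service: drop-ins the distribution may install for mpd.service (shown by `systemctl cat`), and the SELinux domain the daemon is transitioned into, which an interactive shell never enters. The trailing `.` that `ls -l` prints means the file carries a security context; if SELinux is enforcing, each refusal leaves an AVC record in the audit log. The script parses such records into one line per denial and, where the tools exist on the host, runs the live checks. The audit lines, the labels `mpd_t` and `default_t`, and the file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the post): why a service gets EACCES on files the
# same user can read from an interactive shell. Pure parsing is in
# avc_summary; live_checks only runs tools that exist on the host.

# Reduce raw audit(8) records to one "comm|perms|class|scontext|tcontext" line
# per SELinux denial. Reads records on stdin; non-AVC lines are dropped.
avc_summary() {
  grep -E 'avc: +denied' \
    | sed -E 's/.*denied +\{ *([^}]*[^ }]) *\}.*comm="([^"]*)".*scontext=([^ ]*) +tcontext=([^ ]*) +tclass=([^ ]*).*/\2|\1|\5|\3|\4/'
}

# Number of denials attributed to a given comm= (process name), e.g. "mpd".
avc_denials_for() {
  avc_summary | grep -c "^$1|"
}

# Constructed sample: what an enforcing SELinux policy would log if a confined
# daemon (hypothetical domain mpd_t) hit files carrying an unexpected label
# (hypothetical default_t). Timestamps, inodes and names are invented.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1712845200.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="mpd" exe="/usr/bin/mpd"
type=AVC msg=audit(1712845200.123:456): avc:  denied  { read } for  pid=1234 comm="mpd" name="track.mp3" dev="sda3" ino=9876 scontext=system_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712845201.500:457): avc:  denied  { search } for  pid=1234 comm="mpd" name="music" dev="sda3" ino=12 scontext=system_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'

# Live checks on the real host. The unit name and directory default to the
# ones in the post; every tool is optional.
live_checks() {
  unit=${1:-mpd.service}
  dir=${2:-/srv/music}
  if command -v systemctl >/dev/null 2>&1; then
    # Vendor unit plus every drop-in: a distro drop-in can add ProtectHome=,
    # InaccessiblePaths= or DynamicUser= that the edited file does not show.
    systemctl cat "$unit"
    systemctl show "$unit" -p User -p Group -p DynamicUser \
      -p ProtectSystem -p ProtectHome -p ReadOnlyPaths -p InaccessiblePaths
    # Read the same path as a transient service under the system manager.
    # This exercises DAC and systemd's view of the filesystem, but runs in
    # systemd's own SELinux domain, not the daemon's, so an SELinux-only
    # denial will not reproduce here.
    systemd-run --wait --pipe -p User=mpd -p Group=audio -- \
      sh -c 'ls -ld "$1" && find "$1" -type f -print0 -quit | xargs -0 -r hexdump -C -n 16' _ "$dir"
  fi
  if command -v getenforce >/dev/null 2>&1; then
    echo "SELinux: $(getenforce)"
    ls -dZ "$dir"             # label of the directory itself
    ls -Z "$dir" | head -n 5  # labels of its first entries
  fi
  if command -v ausearch >/dev/null 2>&1; then
    ausearch -m AVC -c mpd -ts recent 2>/dev/null | avc_summary
  fi
}

# Demo on the constructed records (needs no host tools):
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On the real machine, `live_checks` is the order to read things in: a drop-in explains the difference immediately; otherwise the AVC summary names the daemon's domain, the file's label and the denied permission, which is what a relabel (`restorecon -R /srv/music`) or a local policy module has to address.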

Why did you add age verification?

Hi, I heard Systemd is going to add age verification? Why is that happening? I don't think it offers any security benefits.

u/VegetableNearby9795 — 1 month ago

Could this be Kinger's real name?

If you read all the lines in each of the scenes where the computer screen is shown, you'll see that $ (who or whatever that is) is talking to Kinger, which is shown pretty well in this exact frame. I think $ is addressing KINGER directly because he's logged in with his own data, so $ knows that it's Kinger who's the one messing with the system. In the line where $ talks about how Kinger's mind was always resourceful, there's that word I underlined that looks like a name to me. I can't really tell what the whole word could be due to some letters being covered, but I do think that it could be Kinger's real name or at least a part of it. Does this make sense or am I abstracting?

u/Itz_cheese_cat — 1 month ago

I submitted a PR to systemd adding rate limiting and an opt-out for the age verification feature that was merged without audit. It was renamed "spam" and closed in under a minute without any technical response.

systemd PR #40954 merged a `birthDate` field into userdb user records, the data layer underpinning the age verification spec being pushed through freedesktop.org (MR #113) and xdg-desktop-portal (PR #1922).

It was merged without a security audit, with no rate limiting on queries, and with no administrator opt-out.

I've been opposing this at every layer because OS-level age verification is redundant surveillance infrastructure: ISPs and carriers already do identity verification at the network level.

Embedding it into the Linux desktop stack normalizes it without solving anything.

Today I submitted PR #41259 https://github.com/systemd/systemd/pull/41259 to systemd adding the two things that should have been there from the start:

- `bypassAgeVerification`: admin-only boolean that suppresses birthDate from being returned to callers. Gives distributions and system admins a policy-level opt-out.

- `ageVerificationPollIntervalUSec`: caps how frequently any process can query age data via userdb. Without this, the varlink socket is an unthrottled timing oracle. Defaults to 1 query/second.

Both were raised during mailing list discussion before the original merge and never implemented.

The PR was closed in under a minute by the same maintainer who pushed #40954 through. No technical response. The title was changed to "spam" and the thread was locked.

The fork with the actual changes is here if you want to look at the diff:

https://github.com/HaplessIdiot/systemd-saneagecheck

The D-Bus bypass tool is here:

https://github.com/HaplessIdiot/ageverificationbypass

The code makes the argument better than I can. The fact that the response was to lock the thread rather than engage with it technically speaks for itself.

u/HaplessIdiot — 1 month ago

I will be moving away from systemd due to the capitulation to age verification.

Providing an age field is giving legitimacy towards governments locking down the pc.

u/PuddingFeeling907 — 1 month ago

Watch files with systemd

I want to run a script when any file under a dir changes. Is there a way to do that in systemd or do I have to use inotifywait or inotifywatch? How do you know which of them you should use?

How can I use systemd to make sure the inotify process runs all the time so I don't have to remember to start it?

u/Beautiful-Log5632 — 1 month ago
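
A systemd answer to both questions, as an added example that is not part of the post: a .path unit does the inotify watching itself, and the user manager keeps the watch alive for as long as the unit is active, so there is no inotifywait process to remember to start. The function writes a user-level .path/.service pair; the unit name, the watched directory and the script are placeholders. Two caveats matter for an "any file under a dir" requirement: the watch covers the directory's direct entries only (inotify watches are not recursive), and the service is started per trigger, not per changed file, so the script should rescan the directory rather than expect to be told what changed.

```shell
#!/usr/bin/env bash
# Added example (not from the post): generate a user-level systemd .path unit
# that watches one directory and a oneshot .service that runs a script when
# something in it changes. The user manager does the inotify work itself.

# write_watch_units UNIT_DIR NAME WATCHED_DIR SCRIPT
# Writes UNIT_DIR/NAME.path and UNIT_DIR/NAME.service. systemd requires
# absolute paths in PathModified= and ExecStart=, so both are checked;
# paths containing spaces would need quoting and are out of scope here.
write_watch_units() {
  unit_dir=$1 name=$2 watched=$3 script=$4
  case $watched in /*) ;; *) echo "watched dir must be absolute: $watched" >&2; return 2 ;; esac
  case $script  in /*) ;; *) echo "script must be absolute: $script" >&2; return 2 ;; esac
  mkdir -p "$unit_dir" || return 1

  cat >"$unit_dir/$name.path" <<EOF
[Unit]
Description=Watch $watched for changes

[Path]
# PathModified= also fires on plain writes; PathChanged= waits for the writer
# to close the file, which is safer if the script must not see half-written
# files. Neither watches subdirectories: inotify is not recursive.
PathModified=$watched
Unit=$name.service

[Install]
WantedBy=default.target
EOF

  cat >"$unit_dir/$name.service" <<EOF
[Unit]
Description=Handle a change under $watched

[Service]
Type=oneshot
# Started once per trigger, not once per changed file, and not started again
# while a previous run is still active, so the script should rescan the
# directory rather than expect to be told which file changed.
ExecStart=$script $watched
EOF
}

# Demo into a scratch directory with placeholder paths:
demo_dir=$(mktemp -d)
write_watch_units "$demo_dir" inbox-watch /home/me/inbox /home/me/bin/on-change.sh \
  && cat "$demo_dir/inbox-watch.path" "$demo_dir/inbox-watch.service"
rm -rf "$demo_dir"
```

Install with `write_watch_units ~/.config/systemd/user inbox-watch /home/me/inbox /home/me/bin/on-change.sh`, then `systemctl --user daemon-reload && systemctl --user enable --now inbox-watch.path`; `systemctl --user status inbox-watch.path` confirms the watch is armed. If it must run while you are not logged in, `loginctl enable-linger "$USER"` keeps the user manager alive. Anyone who can write to the watched directory can make the script run as you, so keep the directory's permissions tight and never splice file names found in it into shell commands.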

Is systemd-resolved not prioritizing DNS servers from DHCP correctly?

DHCP gives me 3 DNS servers x.x.x.x, y.y.y.y, z.z.z.z.

Resolved normally starts using x.x.x.x, but for unknown reason after a few days the "Current DNS Server" has often changed to y.y.y.y or z.z.z.z and doesn't change back.

I assume this is because it treats them as equals and once it changes it sees no reason to change back.

But RFC 2132 states this:

> Servers SHOULD be listed in order of preference

The reason this is important in my case is that x.x.x.x is an internal DNS server that knows about host names that are not available in public servers, so the first one should be preferred as long as it is working. y.y.y.y and z.z.z.z should only be used as a backup if the internal one is broken.

Have I misunderstood how resolved is prioritizing them, or is it done incorrectly?

u/almost_useless — 1 month ago

Steps for automatic LUKS unlocking

I am using Arch Linux and trying to follow their Wiki (along with the systemd man pages) to use the TPM to unlock LUKS based FDE with secure boot and a UKI. I know there are security implications for this, but within those limitations, I want to follow best practices, but the info is scattered and confusing.

First I follow the Secure Boot Arch wiki section and create and enroll the secure boot keys with sbctl

# sbctl create-keys
# sbctl enroll-keys -m

I then jump to the PCR policies Arch wiki section to make some "ukify" keys to sign PCR "policies" for use with the UKI/TPM

# ukify genkey \
        --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
        --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem

and edit the /etc/kernel/uki.conf

[UKI]
SecureBootSigningTool=systemd-sbsign
SignKernel=true
SecureBootPrivateKey=/etc/kernel/secure-boot-private-key.pem
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
Splash=/usr/share/systemd/bootctl/splash-arch.bmp

[PCRSignature:initrd]
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key.pem

and then enroll the keys with

# systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto /dev/disk/by-label/root

Adding a PIN would obviously add security. My big concern is that when I inspect the UKI, it looks like it is only locked to PCR 11 (or a signed version of 11). The cryptenroll TPM section of the Arch wiki seems to suggest adding PCR 7 (and other places suggest adding PCR 0) into the mix.

Are the steps above "best practices" or am I doing something wrong or leaving something out? I feel like I should probably be using pcrlock but that documentation is really sparse and I have no idea how to integrate that with something like fwupd.

u/AppointmentNearby161 — 1 month ago
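
As an added example for the procedure above (these are not the poster's commands, nor the Arch wiki's or systemd's own code): an enrollment that states the PCR policy explicitly, followed by an audit that reads the LUKS2 header to confirm what the token is actually bound to, instead of trusting what was typed. The binding shown is the one the linked wiki section suggests: PCR 7, the Secure Boot state, so the blob only unseals under the sbctl-enrolled key chain, together with the signed PCR 11 policy from the ukify keys, so kernel and initrd updates do not need re-enrollment, plus a PIN. The header parsing assumes a single systemd-tpm2 token and the field names systemd writes into it (tpm2-pcrs, tpm2-pubkey-pcrs, tpm2-pin); the JSON fragments are constructed and blob values shortened.

```shell
#!/usr/bin/env bash
# Added example (not the poster's commands): enroll the TPM2 slot with an
# explicit PCR policy, then audit the LUKS2 header to confirm the binding.

# Enrollment. --tpm2-pcrs=7 binds to the Secure Boot state (PK/KEK/db/dbx and
# the certificate that signed the booted image), so the blob only unseals when
# the sbctl-enrolled key chain is in effect. --tpm2-public-key binds PCR 11 to
# a signature made with the ukify key, so a kernel or initrd signed with the
# same key still unlocks without re-enrollment. --tpm2-with-pin adds the PIN.
enroll_tpm2() {
  systemd-cryptenroll \
    --wipe-slot=tpm2 \
    --tpm2-device=auto \
    --tpm2-pcrs=7 \
    --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
    --tpm2-with-pin=yes \
    "$1"
}

# --- header parsing (assumes exactly one systemd-tpm2 token) ---------------

# Print the integers of JSON array KEY as "a,b,c" ("" if absent). Input is
# JSON on stdin with all whitespace already stripped.
json_int_array() {
  grep -oE "\"$1\":\[[0-9,]*\]" | head -n 1 | sed -E 's/.*\[//; s/\]//'
}

# Print "true"/"false" for boolean KEY ("" if absent); same input contract.
json_bool() {
  grep -oE "\"$1\":(true|false)" | head -n 1 | sed 's/.*://'
}

# list_contains "7,11" 7 -> 0 ; list_contains "" 7 -> 1
list_contains() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# Read LUKS2 metadata on stdin (cryptsetup luksDump --dump-json-metadata),
# print the token's binding and return 0 only if it includes PCR 7, a signed
# PCR 11 policy and a PIN. Field names are those of the systemd-tpm2 token.
tpm2_token_audit() {
  json=$(tr -d '[:space:]')
  pcrs=$(printf '%s' "$json" | json_int_array tpm2-pcrs)
  pk_pcrs=$(printf '%s' "$json" | json_int_array tpm2-pubkey-pcrs)
  pin=$(printf '%s' "$json" | json_bool tpm2-pin)
  pin=${pin:-false}
  printf 'pcrs=[%s] pubkey-pcrs=[%s] pin=%s\n' "$pcrs" "$pk_pcrs" "$pin"
  rc=0
  list_contains "$pcrs" 7     || { echo 'warn: not bound to PCR 7 (Secure Boot state)' >&2; rc=1; }
  list_contains "$pk_pcrs" 11 || { echo 'warn: no signed PCR 11 policy' >&2; rc=1; }
  [ "$pin" = true ]           || { echo 'warn: no PIN' >&2; rc=1; }
  return "$rc"
}

# Audit a real device, e.g. audit_device /dev/disk/by-label/root
audit_device() {
  cryptsetup luksDump --dump-json-metadata "$1" | tpm2_token_audit
}

# Constructed header fragments (only the fields the audit reads, blobs
# shortened): first what the poster observed, then the intended binding.
TOKEN_PCR11_ONLY='{"tokens":{"0":{"type":"systemd-tpm2","keyslots":["1"],
  "tpm2-pcrs":[],"tpm2-pcr-bank":"sha256","tpm2-pin":false,
  "tpm2-pubkey":"MFkw...","tpm2-pubkey-pcrs":[11]}}}'
TOKEN_HARDENED='{"tokens":{"0":{"type":"systemd-tpm2","keyslots":["1"],
  "tpm2-pcrs":[7],"tpm2-pcr-bank":"sha256","tpm2-pin":true,
  "tpm2-pubkey":"MFkw...","tpm2-pubkey-pcrs":[11]}}}'

printf '%s' "$TOKEN_PCR11_ONLY" | tpm2_token_audit || echo '-> re-enroll'
printf '%s' "$TOKEN_HARDENED"   | tpm2_token_audit
```

The trade-off behind the PCR choice: PCR 7 changes whenever the Secure Boot variables change (a dbx update delivered through fwupd, re-running `sbctl enroll-keys`), after which automatic unlock falls back to the passphrase until you re-enroll; PCR 0 would add the same fragility for every firmware update. Enroll a recovery key (`systemd-cryptenroll --recovery-key`) before relying on either. Predicting those changes ahead of time is what systemd-pcrlock exists for, which is why the poster keeps being pointed at it.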

How do I reach a perfect score?

How do I reach 0.0 with `systemd-analyze security <name.service>`?
Setting `ProtectClock=true` implies `DeviceAllow=char-rtc r`.
But both `ProtectClock=false` and `DeviceAllow=char-rtc r` give 0.1 points.

Isn't that like really unsatisfying??

u/Khonuum — 1 month ago