Talk:Systemd/Sandboxing
Good draft, one suggestion: add a warning that enabling NoNewPrivileges on sshd.service will cause sudo / doas calls to fail, basically locking the user out of a system that they have no access to. Had to learn the hard way :b Sir-Photch (talk) 07:40, 10 August 2023 (UTC)
Replacing “impact” and “breakage”
<+mpan> NetSysFire: I came across your <https://wiki.archlinux.org/title/User:NetSysFire/systemd_sandboxing>. A *minor* change (so not even opening an official talk), but I would replace “Impact” and “Breakage” with “Benefits” and “Downsides”, or — as sanely suggested by Llama 3.1 — with “Gain” and “Risk” for shorter headers.
<+mpan> NetSysFire: my concern is purely about the dual-meaning of “impact”, and possibly too informal tone of “breakage”. --Mpan (talk) 18:50, 21 October 2024 (UTC)
Add dedicated section for fine-grained device and network access control
Currently, only PrivateNetwork= and PrivateDevices= are mentioned, but systemd.resource-control(5) enables more powerful and granular control over such access, via the IPAddressAllow/Deny, SocketBindAllow/Deny, RestrictNetworkInterfaces, NFTSet, DeviceAllow, and DevicePolicy directives. -- YHNdnzj (talk) 19:44, 1 December 2024 (UTC)
- Please contribute some. I am unfamiliar with these advanced directives. NetSysFire (talk) 05:49, 11 March 2025 (UTC)
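As an added illustration (not taken from the wiki page or the draft under discussion), the following drop-in shows how the directives listed above replace the all-or-nothing PrivateNetwork=/PrivateDevices= with an explicit allow-list; the service name, interface names, port and address range are constructed placeholders.

```ini
# /etc/systemd/system/example-daemon.service.d/access-control.conf
# Added example, not from the wiki draft. Apply with
# "systemctl daemon-reload && systemctl restart example-daemon.service".
# systemd unit files only accept comments on their own line, never after a value.
[Service]

# --- Network access: deny everything, then re-allow only what is needed ---
# IPAddressDeny=/IPAddressAllow= filter traffic on the unit's sockets with BPF.
# Allow-list entries take precedence over deny entries.
IPAddressDeny=any
IPAddressAllow=localhost
# RFC 5737 documentation range, used here as a placeholder for the peers the daemon talks to.
IPAddressAllow=192.0.2.0/24

# SocketBindDeny=/SocketBindAllow= restrict which ports bind(2) may claim, so a
# compromised process cannot open an unexpected listener. Allow rules win over deny.
# Port 8080 is a placeholder for the daemon's real service port.
SocketBindDeny=any
SocketBindAllow=ipv4:tcp:8080
SocketBindAllow=ipv6:tcp:8080

# Only the listed interfaces are usable by the unit; "lo" and "eth0" are assumed names.
RestrictNetworkInterfaces=lo eth0

# --- Device access: closed policy plus an explicit allow-list ---
# DevicePolicy=closed permits only the standard pseudo devices
# (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom) plus DeviceAllow= entries.
DevicePolicy=closed
# Grant exactly the one device node the daemon needs; a TUN device is the hypothetical case here.
DeviceAllow=/dev/net/tun rw
```

The IPAddress*, SocketBind* and RestrictNetworkInterfaces= directives need a kernel with BPF cgroup support and a recent systemd (SocketBind* since v249, RestrictNetworkInterfaces since v250), so check the unit's journal for "Failed to install" messages after reloading.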