NEWS: note about future implicit PrivateUsers= in user units

2024-07-23 19:25:39 +00:00 · 2023-02-08 13:38:38 +00:00 · 2023-02-08 13:38:38 +00:00 · 318c257835
parent 70879f6ccd
commit 318c257835
1 changed files with 16 additions and 0 deletions
--- a/16
+++ b/16
@ -18,6 +18,22 @@ CHANGES WITH 253 in spe:
          For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

+        * We intend to change behaviour w.r.t. units of the per-user service
+          manager and sandboxing options, so that they work without having to
+          manually enable PrivateUsers= as well, which is not required for
+          system units. To make this work, we will implicitly enable user
+          namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a
+          user unit. The drawback is that system users will no longer be visible
+          (and appear as 'nobody') to the user unit when a sandboxing option is
+          enabled. By definition a sandboxed user unit should run with reduced
+          privileges, so impact should be small. This will remove a great source
+          of confusion that has been reported by users over the years, due to
+          how these options require an extra setting to be manually enabled when
+          used in the per-user service manager, as opposed as to the system
+          service manager. We plan to enable this change in the next release
+          later this year. For more details, see:
+          https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html
+
        Deprecations and incompatible changes:

        * systemctl will now warn when invoked without /proc/ mounted