From 9b186fc8bc039d76d4667f92437d9ff1464d76fe Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Tue, 14 Jan 2025 16:05:33 +0100 Subject: [PATCH] man: Clarify systemd-notify and sd_notify() PID documentation Let's clarify more explicitly that privileged calls to systemd-notify --pid= and sd_pid_notify() effectively override any configured NotifyAccess=main|exec for a service. (cherry picked from commit bbe9e03f8066d1001497494ee862cf45f986b854) --- man/sd_notify.xml | 9 ++++++--- man/systemd-notify.xml | 15 +++++++++++---- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/man/sd_notify.xml b/man/sd_notify.xml index 6aaaa64b3f..a465e02f52 100644 --- a/man/sd_notify.xml +++ b/man/sd_notify.xml @@ -140,9 +140,12 @@ sd_pid_notify() and sd_pid_notifyf() are similar to sd_notify() and sd_notifyf() but take a process ID (PID) to use as originating PID for the message as first argument. This is useful to send notification messages on - behalf of other processes, provided the appropriate privileges are available. If the PID argument is - specified as 0, the process ID of the calling process is used, in which case the calls are fully - equivalent to sd_notify() and sd_notifyf(). + behalf of other processes, provided the appropriate privileges are available. Effectively, this means + that a privileged invocation of sd_pid_notify() may circumvent + NotifyAccess=main or NotifyAccess=exec restrictions enforced for a + service. If the PID argument is specified as 0, the process ID of the calling process is used, in which + case the calls are fully equivalent to sd_notify() and + sd_notifyf(). sd_pid_notify_with_fds() is similar to sd_pid_notify() but takes an additional array of file descriptors. These file descriptors are sent along the notification diff --git a/man/systemd-notify.xml b/man/systemd-notify.xml index 55bb8c59cf..9a66721a61 100644 --- a/man/systemd-notify.xml +++ b/man/systemd-notify.xml 
@@ -125,12 +125,19 @@ argument is specified as self, the PID of the systemd-notify command itself is used, and if parent is specified the calling process' PID is used — even if it is the service manager. is equivalent to systemd-notify - MAINPID=$PID. For details about the semantics of this option see + --pid=$PID. For details about the semantics of this option see sd_notify3. - If this switch is used in an systemd-notify invocation from a process that - shall become the new main process of a service — and which is not the process forked off by the - service manager (or the current main process) —, then it is essential to set + systemd-notify will first attempt to invoke sd_notify() + pretending to have the PID specified with . This will only succeed when + invoked with sufficient privileges. On failure, it will then fall back to invoking it under its own + PID. Effectively, this means that a privileged invocation of systemd-notify --pid= + may circumvent NotifyAccess=main or NotifyAccess=exec + restrictions enforced for a service. + + If this switch is used in an unprivileged systemd-notify invocation from a + process that shall become the new main process of a service — and which is not the process forked off + by the service manager (or the current main process) —, then it is essential to set NotifyAccess=all in the service unit file, or otherwise the notification will be ignored for security reasons. See systemd.service5
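Review bot: In the sd_notify.xml hunk the new sentence names only sd_pid_notify(), but the paragraph it sits in introduces sd_pid_notifyf() alongside it and the next paragraph describes sd_pid_notify_with_fds() as behaving the same way, so the override applies to the whole family; suggest "a privileged invocation of sd_pid_notify() (or the other calls that take an explicit PID)". It would also help to state the mechanism and not only the effect: the message is attributed to the supplied PID, so the service manager's NotifyAccess=main or NotifyAccess=exec check sees that PID as the sender, which is exactly why privilege is required. Unlike the systemd-notify.xml hunk, this one gives no pointer to where NotifyAccess= is documented; a systemd.service(5) cross-reference after "restrictions enforced for a service" would keep the two pages consistent.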
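Review bot: In the systemd-notify.xml hunk the new paragraph does not say whether the fallback to the tool's own PID is silent; an unprivileged caller then sends under a PID that the NotifyAccess=main or NotifyAccess=exec check will reject (the following paragraph says the notification is ignored in that case), so the text should say whether a warning is printed, otherwise a service author cannot tell a dropped notification from a failed one. "pretending to have the PID specified with" is also loose; "using the PID specified with --pid= as the originating PID" matches the wording the sd_notify.xml hunk uses. Separately, the change of the equivalence sentence from MAINPID=$PID to --pid=$PID is a correction the commit message does not mention; either add a line about it to the message or split it into its own commit so the cherry-pick's scope is clear.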