From 318c257835ab070d83c023c2a35c76708e08a0f8 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Wed, 8 Feb 2023 13:38:38 +0000 Subject: NEWS: note about future implicit PrivateUsers= in user units --- NEWS | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index fc9d100257..6df17aa599 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,22 @@ CHANGES WITH 253 in spe: For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html + * We intend to change behaviour w.r.t. units of the per-user service + manager and sandboxing options, so that they work without having to + manually enable PrivateUsers= as well, which is not required for + system units. To make this work, we will implicitly enable user + namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a + user unit. The drawback is that system users will no longer be visible + (and appear as 'nobody') to the user unit when a sandboxing option is + enabled. By definition a sandboxed user unit should run with reduced + privileges, so impact should be small. This will remove a great source + of confusion that has been reported by users over the years, due to + how these options require an extra setting to be manually enabled when + used in the per-user service manager, as opposed as to the system + service manager. We plan to enable this change in the next release + later this year. For more details, see: + https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html + Deprecations and incompatible changes: * systemctl will now warn when invoked without /proc/ mounted -- cgit v1.2.1