-
Tighten up the sandboxing of the daemon, paying particular attention to file system access. Further work could be done to make the daemon run as a non-root user (User=/Group=/DynamicUser=), drop capabilities (CapabilityBoundingSet=) and restrict system calls (SystemCallFilter=). This is a reasonable starting point, though. It has been tested with adding, modifying and deleting users, and reading/writing user extension data. Testing was done on a Fedora and a Debian-based system. The useradd/userdel/usermod subprocesses require a lot of permissions which the accounts-service daemon itself doesn’t. In future, it might make sense to run them in a separate privilege-escalated sandbox, and further restrict the permissions of the accounts-service daemon itself. Signed-off-by: Philip Withnall <withnall@endlessm.com> accountsservice/accountsservice!22
0e712e93