Re: Init freedom @Andrew van der Stock
A lot of what you describe is done by the kernel, not systemd at all.
reduces the chances of admins stuffing it up.
It also reduces the chances of the admins fixing it when it fails (because it does fail, as does every system -rather more often, too, in my limited experience).
Systemd's modular security architecture provides separation of duties, so a compromise of one module doesn't imply a compromise of the entire system. It's early days yet, so I bet there's a few sandbox bugs to work out,
That "sandboxing", as you call it, often causes more problems than it solves. Process-based permissions (as opposed to user- or group-based like in any sane system) might have seemed like a good idea at the time. In the real world it's a nightmare as soon as you get out of the precise sequence of actions that you had planned for the system to be able to perform. In my -again, limited- experience a process creating a resource (i.e. mounting a drive, creating a file, whatever else) becomes the exclusive owner of said resource, which is then unavailable to other processes. I understand why you would think this is a good idea for security, but now imagine the "creator" process crashes or otherwise stops at a point in the workflow that you hadn't envisioned. Then you're left with a screw-up that can't be fixed without extensive manual intervention as root -provided you can even identify what went, I was going to type "wrong" but not necessarily, just "unexpected".
So, what we have is a system that messes up big time in case something happens that the admin had not planned. Sure, what could possibly go wrong with that? Let's put it on every production system we can find!
Before you answer anything, be informed that the aforementioned scenario happened to me a good dozen times (that's only the ones I could identify with 100% certainty; some of the numerous glitches and fails I encountered may have been caused by such a scenario too). And that's in my limited experience.
Now I could be very mistaken, that's always a possibility. But I much prefer to be wrong with working systems than right but left with rackfuls of very expensive bricks.