Discussion:
How safe are D and R directives for systemd-tmpfiles?
Amish
2018-10-16 12:44:05 UTC
Hello,

I am interested in knowing how safe D and R directives for tmpfiles.d are?

If by some accident OR some packager's malicious intent - someone places
a file with "R /" in tmpfiles.d, would this erase everything?

Does systemd have a way of specifying that R and D should be applicable
only for /tmp or /var/{cache,run,tmp}?

I could not locate anything in the man page.

Thanks in advance,

Amish
Lennart Poettering
2018-10-16 13:33:07 UTC
Post by Amish
Hello,
I am interested in knowing how safe D and R directives for tmpfiles.d are?
If by some accident OR some packager's malicious intent - someone places a
file with "R /" in tmpfiles.d, would this erase everything?
We refuse requests to delete the root dir:

https://github.com/systemd/systemd/blob/master/src/basic/rm-rf.c#L168
Post by Amish
Does systemd have a way of specifying that R and D should be applicable only
for /tmp or /var/{cache,run,tmp}?
When you invoke the systemd-tmpfiles binary you could specify
--prefix= to drop its effect on non-listed prefixes.
Post by Amish
I could not locate anything in the man page.
See systemd-tmpfiles(8).

Generally though: the directories where systemd-tmpfiles reads its
configuration from are owned by root and not writable by unprivileged
users. Moreover, the snippets are nothing you sloppily enter on the
command line, it's not a user-facing concept. Hence there's much less
chance to be misused on purpose or by accident.

Lennart
--
Lennart Poettering, Red Hat
Amish
2018-10-16 14:33:58 UTC
Post by Lennart Poettering
Post by Amish
Does systemd have a way of specifying that R and D should be applicable only
for /tmp or /var/{cache,run,tmp}?
When you invoke the systemd-tmpfiles binary you could specify
--prefix= to drop its effect on non-listed prefixes.
Ah! Thank you. I overlooked this.

But is there a config file where this can be mentioned? (separate prefix
for create and remove)

OR can the default unit file be changed?
https://github.com/systemd/systemd/blob/master/units/systemd-tmpfiles-setup.service.in

to:

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/systemd/systemd-tmpfiles.env
ExecStart=@rootbindir@/systemd-tmpfiles --create --boot --exclude-prefix=/dev $CREATEPREFIX
ExecStart=@rootbindir@/systemd-tmpfiles --remove --boot --exclude-prefix=/dev $REMOVEPREFIX
SuccessExitStatus=65 73

I know I can set up an override file but am just curious if the above (or
similar) should be the default.
Post by Lennart Poettering
Generally though: the directories where systemd-tmpfiles reads its
configuration from are owned by root and not writable by unprivileged
users. Moreover, the snippets are nothing you sloppily enter on the
command line, it's not a user-facing concept. Hence there's much less
chance to be misused on purpose or by accident.
I know but just wanted to be extra-safe.

And thank you for the prompt reply,

Amish.
Lennart Poettering
2018-10-16 14:37:29 UTC
But is there a config file where this can be mentioned? (separate prefix for
create and remove)
This is not available right now, and what'd be the use case for that?
OR can the default unit file be changed?
https://github.com/systemd/systemd/blob/master/units/systemd-tmpfiles-setup.service.in
You can certainly change it downstream. Simply copy it to
/etc/systemd/system, and edit it there. It will then take precedence.
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/systemd/systemd-tmpfiles.env
ExecStart=@rootbindir@/systemd-tmpfiles --create --boot --exclude-prefix=/dev $CREATEPREFIX
ExecStart=@rootbindir@/systemd-tmpfiles --remove --boot --exclude-prefix=/dev $REMOVEPREFIX
SuccessExitStatus=65 73
It's totally OK if packages drop in tmpfiles.d/ snippets that remove
stuff below /var at boot. Making the change above to the default files
does not appear desirable to me, as it would break these very valid
use cases.

Lennart
--
Lennart Poettering, Red Hat
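As an added example (not from the thread, and not systemd's own unit file), this is what a downstream drop-in for systemd-tmpfiles-setup.service looks like when the --remove pass is limited with the --prefix= switch Lennart mentions, while --create is left alone. The drop-in path, the absolute binary path and the prefix list are assumptions; it uses the standard drop-in mechanism rather than a full copy of the unit into /etc/systemd/system.

```ini
# /etc/systemd/system/systemd-tmpfiles-setup.service.d/restrict-remove.conf
# Added example, not part of systemd. Assumes the binary lives at
# /usr/bin/systemd-tmpfiles and that the distribution's unit runs the
# upstream "--create" and "--remove" passes that this drop-in replaces.
[Service]
# An empty ExecStart= clears the command list inherited from the main unit,
# otherwise the lines below would be appended to it rather than replace it.
ExecStart=
# Creation stays unrestricted apart from the upstream /dev exclusion.
ExecStart=/usr/bin/systemd-tmpfiles --create --boot --exclude-prefix=/dev
# Removal only applies R/D lines whose paths start with one of the listed
# prefixes (--prefix= may be repeated). /run is listed instead of /var/run
# because /var/run is a symlink to /run and snippets name the real path.
# Trade-off Lennart points out: a package's legitimate R/D lines elsewhere
# under /var (e.g. /var/lib/...) are silently skipped by this configuration.
ExecStart=/usr/bin/systemd-tmpfiles --remove --boot --exclude-prefix=/dev \
    --prefix=/tmp --prefix=/var/tmp --prefix=/var/cache --prefix=/run
```

After `systemctl daemon-reload`, `systemctl cat systemd-tmpfiles-setup.service` shows the merged unit with the drop-in applied, which is the place to confirm that the original ExecStart= lines were actually cleared.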