[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 1762-1] systemd security update


On Friday, 26 April 2019, Klimov, Evgeny wrote:
> Hello Mike, and a good day to you.
> Our project uses Debian (Jessie so far) as the platform, and since yesterday’s rebuilds with the updated systemd packages (systemd 215-17+deb8u12), our working directories created via tmpfiles are all owned by root:root rather than the intended user and/or group accounts spelled in corresponding configuration files. I have not seen the patch code yet, but looking at the bug descriptions, I’d guess the hardlink protection goes a bit too far.
> So with a typical config like this:
> # systemd-tmpfiles config for some-daemon-name
> d /var/run/some-daemon-name 0755 www-data www-data
> x /var/run/some-daemon-name/*
> …which sort of abused the tmpfiles purpose to make a persistent properly owned location for some service’s data files (ensured to appear before the service starts), we create the /var/run/some-daemon-name directory from scratch, and until yesterday it was owned by www-data. Today it is owned by root and is useless for the service. This happens both on tmpfs and ext4 backed filesystems.
> I see that just recently a systemd 215-17+deb8u13 was released with some fix to tmpfiles so we are waiting for our universe to rebuild and see if it solves our issue, but just in case this is a separate problem – could you please stay on the lookout? 😊
> Thanks in advance,
> Jim Klimov

Hi Jim,

sorry for that flaw from my side. +deb8u13 will fix your observed issue introduced by +deb8u12

Greets and sorry once more for the disruption,

Sent from my Sailfish device

Reply to: