Re: [SECURITY] [DLA 1762-1] systemd security update
Hi,
On Friday, 26 April 2019, Klimov, Evgeny wrote:
> Hello Mike, and a good day to you.
>
> Our project uses Debian (Jessie so far) as the platform, and since yesterday’s rebuilds with the updated systemd packages (systemd 215-17+deb8u12), our working directories created via tmpfiles are all owned by root:root rather than the intended user and/or group accounts spelled in corresponding configuration files. I have not seen the patch code yet, but looking at the bug descriptions, I’d guess the hardlink protection goes a bit too far.
>
> So with a typical config like this:
>
> # systemd-tmpfiles config for some-daemon-name
> d /var/run/some-daemon-name 0755 www-data www-data
> x /var/run/some-daemon-name/*
>
> …which sort of abused the tmpfiles purpose to make a persistent properly owned location for some service’s data files (ensured to appear before the service starts), we create the /var/run/some-daemon-name directory from scratch, and until yesterday it was owned by www-data. Today it is owned by root and is useless for the service. This happens both on tmpfs and ext4 backed filesystems.
>
> I see that just recently a systemd 215-17+deb8u13 was released with some fix to tmpfiles so we are waiting for our universe to rebuild and see if it solves our issue, but just in case this is a separate problem – could you please stay on the lookout? 😊
>
> Thanks in advance,
> Jim Klimov
Hi Jim,
Sorry for that flaw from my side. +deb8u13 will fix your observed issue introduced by +deb8u12.
Greets and sorry once more for the disruption,
Mike
--
Sent from my Sailfish device
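
A post-upgrade check for the regression reported in this thread, as an added example that is not part of the original messages or of systemd: it reads tmpfiles.d files and reports every `d`/`D` directory whose on-disk owner or group differs from its config line. It assumes GNU `stat`, and the function name `check_tmpfiles_owner` is made up for this example.

```shell
#!/bin/sh
# Added example: audit tmpfiles.d "d"/"D" entries against on-disk ownership.
# Assumes GNU stat (coreutils); check_tmpfiles_owner is a made-up name.
# Only plain d/D types are handled; any other line type is skipped.

check_tmpfiles_owner() {
    local conf type path mode user group rest uname uid gname gid rc=0
    for conf in "$@"; do
        # '|| [ -n "$type" ]' keeps a final line that lacks a trailing newline
        while read -r type path mode user group rest || [ -n "$type" ]; do
            case "$type" in
                d|D) ;;          # directory-creating entries
                *) continue ;;   # comments, blank lines, x/z/f/... entries
            esac
            # An omitted field or "-" means root (uid/gid 0) for created dirs
            if [ -z "$user" ] || [ "$user" = "-" ]; then user=root; fi
            if [ -z "$group" ] || [ "$group" = "-" ]; then group=root; fi
            if [ ! -d "$path" ]; then
                echo "MISSING  $path (expected $user:$group)"
                rc=1
                continue
            fi
            # Read both names and numeric ids: the config may use either form
            read -r uname uid gname gid <<EOF
$(stat -c '%U %u %G %g' "$path")
EOF
            if { [ "$user" != "$uname" ] && [ "$user" != "$uid" ]; } ||
               { [ "$group" != "$gname" ] && [ "$group" != "$gid" ]; }; then
                echo "MISMATCH $path is $uname:$gname, expected $user:$group"
                rc=1
            fi
        done < "$conf"
    done
    return "$rc"
}

# Run as a script with config files as arguments, for example:
#   sh check.sh /etc/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/*.conf
if [ "$#" -gt 0 ]; then
    check_tmpfiles_owner "$@"
fi
```

With the config quoted above and a root-owned `/var/run/some-daemon-name`, the function prints a `MISMATCH` line and returns 1, which makes it usable as a gate after a package rebuild.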