systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)

To: debian-user@lists.debian.org
Subject: systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
From: Ansgar Burchardt <ansgar@43-1.org>
Date: Sun, 21 Sep 2014 22:04:55 +0200
Message-id: <[🔎] 854mw0yc2g.fsf_-_@tsukuyomi.43-1.org>
In-reply-to: <[🔎] CAAr43iMJtQ5=ax9qZOWzrjRNO2EwH42XpEA=1OH_C-gDfUerXg@mail.gmail.com> (Joel Rees's message of "Mon, 22 Sep 2014 03:41:37 +0900")
References: <[🔎] 87ha01hdgu.fsf@yun.yagibdah.de> <[🔎] 20140920192144417942185.NoCcsPlease@bob.proulx.com> <[🔎] 541E35E5.3010002@charter.net> <[🔎] 87zjdtelad.fsf@thumper.dhh.gt.org> <[🔎] 20140920222724.5d549dad@mydesq2.domain.cxm> <[🔎] 541E33D7.30201@attglobal.net> <[🔎] 20140921051251.GG8699@teltox.donarmstrong.com> <[🔎] CAAr43iMJtQ5=ax9qZOWzrjRNO2EwH42XpEA=1OH_C-gDfUerXg@mail.gmail.com>

Hi Joel,

Joel Rees <joel.rees@gmail.com> writes:
> (6) systemd and cgroups (at minimum) end up overriding the permissions
> system. It's bad enough having SELinux and ACLs brought in to knock
> holes in the permissions system, but when arbitrary non-kernel system
> functions start getting their hands into the equation, there is no way
> to be sure that when you set any particular file under /etc or under
> ~/ -- including /etc/ssh and ~/.shh -- as mode 740, that the effective
> permissions don't end up 666 or 1147. In this case, even pid 1 is a
> group of arbitrary non-kernel functions.
>
> Permissions and race conditions are not the only ways that the
> modularity of these technologies is broken. I'm not going to try to
> enumerate them here.

I'm interested how use of systemd and cgroups will make a file in
/etc/ssh or ~/.ssh change effective permissions. Could you explain that
in simple, reproducible steps?

Ansgar

Reply to:

Follow-Ups:
- Re: systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
  - From: Joel Rees <joel.rees@gmail.com>

References:
- Re: There is no choice
  - From: lee <lee@yun.yagibdah.de>
- Re: There is no choice
  - From: Bob Proulx <bob@proulx.com>
- Re: There is no choice
  - From: Jeff Bauer <jwbauer@charter.net>
- Re: There is no choice
  - From: John Hasler <jhasler@newsguy.com>
- Re: There is no choice
  - From: Steve Litt <slitt@troubleshooters.com>
- Re: There is no choice
  - From: Jerry Stuckle <jstuckle@attglobal.net>
- Effectively criticizing decisions you disagree with in Debian
  - From: Don Armstrong <don@debian.org>
- Re: Effectively criticizing decisions you disagree with in Debian
  - From: Joel Rees <joel.rees@gmail.com>

Prev by Date: Re: excessive CPU usage
Next by Date: Re: starting exim4 takes ages
Previous by thread: Re: Effectively criticizing decisions you disagree with in Debian
Next by thread: Re: systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
Index(es):
- Date
- Thread