Hello,
The recent update of systemd to 247.4-2 causes some "Operation not permitted" errors in binaries that try to read files.
Example when I try to run dmesg with my current user:
dmesg: read kernel buffer failed: Operation not permitted
With a binary in /usr/bin
-rwxr-xr-x 1 root root 55264 22 mars 22:41 /usr/bin/qlstatus
$> qlstatus
Error reading file /home/qlem/.config/qlstatus/qlstatus.conf: Operation not permitted
Systemctl status:
$> systemctl status
● wksmitx
State: running
Jobs: 0 queued
Failed: 0 units
Since: Tue 2021-03-23 11:02:04 CET; 1min 3s ago
CGroup: /
├─user.slice
│ └─user-1000.slice
│ ├─user@1000.service
│ │ ├─app.slice
│ │ │ ├─app-flatpak-com.slack.Slack-3434.scope
│ │ │ │ ├─3434 bwrap --args 41 /app/bin/zypak-helper child - /app/extra/lib/slack/slack --type=zygote
│ │ │ │ ├─3441 bwrap --args 39 xdg-dbus-proxy --args=41
│ │ │ │ ├─3442 xdg-dbus-proxy --args=41
│ │ │ │ ├─3446 bwrap --args 41 /app/bin/zypak-helper child - /app/extra/lib/slack/slack --type=zygote
│ │ │ │ ├─3447 /app/extra/lib/slack/slack --type=zygote
│ │ │ │ └─3512 /app/extra/lib/slack/slack --type=renderer --autoplay-policy=no-user-gesture-required --force-color-profile=srgb --field-trial-handle=13845080558085125083,8915310274478452587,131072 -->
│ │ │ ├─xdg-permission-store.service
│ │ │ │ └─3403 /usr/lib/xdg-permission-store
│ │ │ ├─xdg-document-portal.service
│ │ │ │ ├─3400 /usr/lib/xdg-document-portal
│ │ │ │ └─3408 fusermount -o rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal -- /run/user/1000/doc
│ │ │ ├─pulseaudio.service
│ │ │ │ ├─2865 /usr/bin/pulseaudio --daemonize=no --log-target=journal
│ │ │ │ └─2901 /usr/lib/pulse/gsettings-helper
│ │ │ ├─flatpak-session-helper.service
│ │ │ │ ├─3394 /usr/lib/flatpak-session-helper
│ │ │ │ ├─3398 server --sh -n /run/user/1000/.flatpak-helper/pkcs11-flatpak-3394 --provider p11-kit-trust.so pkcs11:model=p11-kit-trust?write-protected=yes
│ │ │ │ └─3539 p11-kit-remote --provider p11-kit-trust.so pkcs11:model=p11-kit-trust?write-protected=yes
│ │ │ ├─flatpak-portal.service
│ │ │ │ └─3424 /usr/lib/flatpak-portal
│ │ │ ├─at-spi-dbus-bus.service
│ │ │ │ ├─2766 /usr/lib/at-spi-bus-launcher
│ │ │ │ └─3413 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
│ │ │ ├─dbus.service
│ │ │ │ └─2406 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
│ │ │ └─app-flatpak-com.slack.Slack-3391.scope
│ │ │ ├─3391 bwrap --args 40 slack
│ │ │ ├─3415 bwrap --args 40 xdg-dbus-proxy --args=42
│ │ │ ├─3416 xdg-dbus-proxy --args=42
│ │ │ ├─3418 bwrap --args 40 slack
│ │ │ ├─3419 /app/extra/lib/slack/slack -s
│ │ │ ├─3430 /app/extra/lib/slack/slack --type=zygote --no-zygote-sandbox
│ │ │ ├─3432 /app/extra/lib/slack/chrome-sandbox /app/extra/lib/slack/slack --type=zygote
│ │ │ ├─3475 /app/extra/lib/slack/slack --type=gpu-process --field-trial-handle=13845080558085125083,8915310274478452587,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWi>
│ │ │ └─3481 /app/extra/lib/slack/slack --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=13845080558085125083,8915310274478452587,131072 --enable-features=WebComp>
│ │ └─init.scope
│ │ ├─2292 /usr/lib/systemd/systemd --user
│ │ └─2295 (sd-pam)
│ └─session-1.scope
│ ├─ 527 login -- qlem
│ ├─2305 /bin/sh /usr/bin/startx -- -keeptty
│ ├─2339 xinit /home/qlem/.xinitrc -- /usr/bin/X :0 -keeptty vt1 -keeptty -auth /tmp/serverauth.FOv3PrYRXh
│ ├─2340 /usr/lib/Xorg :0 -keeptty vt1 -keeptty -auth /tmp/serverauth.FOv3PrYRXh
│ ├─2398 dwm
│ ├─2408 /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh
│ ├─2415 picom --config /home/qlem/.config/picom/picom.conf
│ ├─2416 redshift -c /home/qlem/.config/redshift/redshift.conf
│ ├─2417 dunst
│ ├─2716 /usr/lib/firefox/firefox
│ ├─2790 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
│ ├─2911 /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 174 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
│ ├─2956 /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 6201 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
│ ├─3046 /usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 7060 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
│ ├─3150 /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 7060 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
│ ├─3193 /usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 7060 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
│ ├─3557 alacritty
│ ├─3563 fish
│ ├─3669 /bin/sh /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/bin/webstorm.sh
│ ├─3711 /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/jbr/bin/java -classpath /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/lib/bootstrap.jar:>
│ ├─3786 /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/bin/fsnotifier64
│ ├─3977 systemctl status
│ └─3978 less
├─init.scope
│ └─1 /sbin/init splash
└─system.slice
├─systemd-networkd.service
│ └─339 /usr/lib/systemd/systemd-networkd
├─systemd-udevd.service
│ └─335 /usr/lib/systemd/systemd-udevd
├─docker.service
│ ...
├─polkit.service
│ └─2836 /usr/lib/polkit-1/polkitd --no-debug
├─rtkit-daemon.service
│ └─2804 /usr/lib/rtkit-daemon
├─iwd.service
│ └─435 /usr/lib/iwd/iwd
├─systemd-journald.service
│ └─318 /usr/lib/systemd/systemd-journald
├─systemd-resolved.service
│ └─427 /usr/lib/systemd/systemd-resolved
├─dbus.service
│ └─434 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
├─systemd-timesyncd.service
│ └─429 /usr/lib/systemd/systemd-timesyncd
└─systemd-logind.service
└─436 /usr/lib/systemd/systemd-logind
When I downgrade systemd to 247.3-1 these errors disappear.
Any help is welcome.
EDIT: The error came from qlstatus itself and is not related to systemd. The "Operation not permitted" error when running dmesg as a non-root user is the expected behavior. See the answers below.
Last edited by qlem (2021-03-23 21:59:04)
Example when I try to run dmesg with my current user:
dmesg: read kernel buffer failed: Operation not permitted
I think that's the expected behaviour:
% zgrep -i dmesg_restrict /proc/config.gz
CONFIG_SECURITY_DMESG_RESTRICT=y
%
$> qlstatus Error reading file /home/qlem/.config/qlstatus/qlstatus.conf: Operation not permitted
What are the permissions for that file? And what is /usr/bin/qlstatus?
Yes i was wrong about dmesg.
qlstatus is a small binary I wrote in C. It's a light and modular status bar for dwm -> https://github.com/qlem/qlstatus.
The error occurs in the function that loads settings from the config file:
$> ls -al
...
-rw-r--r-- 1 qlem qlem 1,4K 14 mars 01:28 qlstatus.conf
It is the last call to getline that fails, i.e. after all the lines of the file have been processed successfully.
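/**
 * Load the configuration file and feed each of its lines to parse_config_line().
 *
 * @param main  Application state handed through to parse_config_line().
 * @param file  Path of the configuration file to read.
 * @return 0 on success, -1 if the file cannot be opened. A genuine read
 *         error terminates the process with EXIT_FAILURE (as before).
 *
 * getline() returns -1 both at end-of-file and on a real read error, and it
 * sets errno only in the latter case. Testing a stale errno after the loop
 * therefore reports EOF as an error whenever an earlier call (fopen(),
 * parse_config_line(), ...) happened to leave errno non-zero. errno is now
 * cleared before every getline() call and a real error is detected with
 * ferror(), which plain EOF never sets.
 */
int load_config_file(t_main *main, const char *file) {
    char *line = NULL;
    size_t size = 0;
    ssize_t nb;
    int lineno = 0;
    FILE *stream = fopen(file, "r");

    if (stream == NULL) {
        fprintf(stderr, "Cannot load config file: %s\n", strerror(errno));
        return -1;
    }
    for (;;) {
        errno = 0; /* so strerror() below reflects this getline() only */
        nb = getline(&line, &size, stream);
        if (nb == -1) {
            break;
        }
        ++lineno;
        /* nb >= 1 whenever getline() succeeds, so nb - 1 is in bounds. */
        if (line[nb - 1] == '\n') {
            line[nb - 1] = '\0';
        }
        parse_config_line(main, line, lineno);
        /* The buffer is detached here, so parse_config_line() presumably
         * keeps the pointer — confirm; otherwise one buffer leaks per line. */
        line = NULL;
        size = 0;
    }
    /* ferror() is set only by a real read failure, never by EOF. */
    if (ferror(stream)) {
        fprintf(stderr, "Error reading file %s: %s\n", file, strerror(errno));
        exit(EXIT_FAILURE);
    }
    free(line); /* getline() may have allocated a buffer even at EOF */
    close_stream(stream, file);
    return 0;
}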
Nothing magic there.
link of file on github: https://github.com/qlem/qlstatus/blob/f … fig.c#L243
As I said, when I downgrade the systemd package, my binary works fine. I am a little confused about this.
Last edited by qlem (2021-03-23 20:26:48)
Have you verified that errno is indeed set by getline()? You don't seem to initialise errno to 0 at all, so potentially it's more an issue of reading a potentially uninitialised variable.
With the right set of compilation flags, gcc should usually complain about that.
You are right! I missed this in the use of errno. I will fix that.
What are the right flags to get a warning about this at compile time? My current flags are "-W -Wall -Wextra -Werror".
Thank you for your help!
Last edited by qlem (2021-03-23 21:18:23)
See -Wmaybe-uninitialized and -Wuninitialized. I think you need the former in this case.