
#1 2022-07-21 17:26:13

krazyarchon
Member
Registered: 2022-07-21
Posts: 3

Permissions on /home, /var/log and /sys are not persistent

I played with Archlinux for a month, saving up my unanswered questions for the forum :)

I like to set chmod perms (751) on /home, /var/log and /sys directories (and some others) but noticed that only these 3 directories reset permissions every boot. Could this be a systemd issue? Frankly, I haven't looked at Linux since systemd gained popularity a little less than 10 years ago and decided to give Archlinux a try in 2022.

Currently I am arranging these things during boot time using an rc-local script called by systemd, but it's not ideal.

I never had an issue with other Linux systems (in the past). Directory perms on /home and /var/log were never volatile. Is there an Arch or systemd way of fixing this rather than the (rc) solution I am using?


#2 2022-07-21 18:09:51

loqs
Member
Registered: 2014-03-06
Posts: 15,113

Re: Permissions on /home, /var/log and /sys are not persistent

krazyarchon wrote:

I never had an issue with other Linux systems (in the past). Directory perms on /home and /var/log were never volatile. Is there an Arch or systemd way of fixing this rather than the (rc) solution I am using?

See /usr/lib/tmpfiles.d/home.conf, /usr/lib/tmpfiles.d/var.conf and Systemd#systemd-tmpfiles_-_temporary_files.

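What loqs is pointing at, as an added example (not code from the thread, from systemd or from Arch): the vendor tmpfiles.d lines that re-apply 0755 to /home and /var/log on every boot, the override you get from a file of the same basename in /etc/tmpfiles.d, and a small resolver that mimics the shadowing rule so you can see which line wins. The vendor line contents are assumed to be `Q /home 0755 - - -` (home.conf) and `d /var/log 0755 - - -` (var.conf) with the rest of those files omitted, and the two temp directories stand in for /usr/lib/tmpfiles.d and /etc/tmpfiles.d so the script runs unprivileged; check your own copies with `systemd-tmpfiles --cat-config`.

```shell
#!/bin/sh
# Added example (not from the thread): model how systemd-tmpfiles chooses the
# line that resets /home and /var/log, and write the override that keeps 0751.
# Assumption: the stock entries are "Q /home 0755 - - -" (home.conf) and
# "d /var/log 0755 - - -" (var.conf); the remaining vendor lines are omitted.
set -eu

# Stand-ins for /usr/lib/tmpfiles.d and /etc/tmpfiles.d (unprivileged run).
LIB_DIR="${TMPDIR:-/tmp}/tmpfiles-lib.$$"
ETC_DIR="${TMPDIR:-/tmp}/tmpfiles-etc.$$"
mkdir -p "$LIB_DIR" "$ETC_DIR"
trap 'rm -rf "$LIB_DIR" "$ETC_DIR"' EXIT

# Constructed copies of the relevant vendor lines.
printf '%s\n' 'Q /home 0755 - - -' 'q /srv 0755 - - -' > "$LIB_DIR/home.conf"
printf '%s\n' 'q /var 0755 - - -' 'd /var/log 0755 - - -' > "$LIB_DIR/var.conf"

# Path of the config that is in effect for a basename: a file in /etc shadows
# the whole vendor file of the same name (an empty file or a symlink to
# /dev/null masks it entirely).
effective_conf() {  # $1 = basename
    if [ -e "$ETC_DIR/$1" ]; then
        printf '%s\n' "$ETC_DIR/$1"
    else
        printf '%s\n' "$LIB_DIR/$1"
    fi
}

# Mode that the effective config applies to a path, or "unmanaged" when no
# non-comment line names that path.
tmpfiles_mode() {  # $1 = conf basename, $2 = path
    conf=$(effective_conf "$1")
    [ -s "$conf" ] || { echo unmanaged; return; }
    awk -v p="$2" '
        $1 !~ /^#/ && $2 == p { print $3; found = 1 }
        END { if (!found) print "unmanaged" }' "$conf"
}

# Write the override: same basename as the vendor file, keep every line you
# still want and change only the mode. A vendor line you drop is no longer
# created or repaired by systemd-tmpfiles-setup.service at boot.
write_override() {
    printf '%s\n' 'Q /home 0751 - - -' 'q /srv 0755 - - -' > "$ETC_DIR/home.conf"
    printf '%s\n' 'q /var 0755 - - -' 'd /var/log 0751 - - -' > "$ETC_DIR/var.conf"
}
```

On a real system the override goes to /etc/tmpfiles.d/home.conf and /etc/tmpfiles.d/var.conf; `systemd-tmpfiles --create` applies it immediately and systemd-tmpfiles-setup.service re-applies it on every boot, which is what replaces the rc-local script. The resolver above only handles the shadowing by basename; the real tool also merges lines from different basenames, so the authoritative view is `systemd-tmpfiles --cat-config`.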

#3 2022-07-28 21:44:53

krazyarchon2
Member
Registered: 2022-07-28
Posts: 6

Re: Permissions on /home, /var/log and /sys are not persistent

loqs wrote:
krazyarchon wrote:

I never had an issue with other Linux systems (in the past). Directory perms on /home and /var/log were never volatile. Is there an Arch or systemd way of fixing this rather than the (rc) solution I am using?

See /usr/lib/tmpfiles.d/home.conf  /usr/lib/tmpfiles.d/var.conf and Systemd#systemd-tmpfiles_-_temporary_files.

Great, thank you.

But what about /sys though? Users are able to read info on installed hardware such as disks?

I tried to create the following file:

/etc/systemd/system/user@.service.d/sysfs.conf

(copied from a wiki article - strange choice for a filename btw)

With the following content:

[Service]
SupplementaryGroups=sysfs

This obviously does not help me. I am still a noob at systemd (I used rc-init script distros for 20 years though).

I can't disable sysfs altogether because it will break some functionality I need. I am just looking for user-level read-access restrictions, if possible at all.


#4 2022-07-29 07:46:55

seth
Member
Registered: 2012-09-03
Posts: 30,973

Re: Permissions on /home, /var/log and /sys are not persistent

Which wiki article says "SupplementaryGroups=sysfs"?
Or do you mean (1st google hit) https://madaidans-insecurities.github.i … ting-sysfs ?
In that case you need to re-read the paragraph about the blue box - the systemd user service config aids w/ mitigating the restrictions applied by some script that's linked in that blog.

sysfs is populated by the kernel as new HW shows up (for the most part) and if you want to control access to certain paths you'd do so w/ a udev rule, https://wiki.archlinux.org/title/Udev

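For the /sys question, seth's pointer to udev, as an added example (not from the thread, the Arch wiki or the madaidans page): a rule that chmods the sysfs directory of each block device when the kernel announces it, installed and replayed with udevadm, plus a helper that checks whether a directory is still traversable by other users. The rule file name, the 0750 mode and the choice of the block subsystem are assumptions made here. udev's MODE=, OWNER= and GROUP= keys apply to the /dev node, not to the sysfs directory, which is why the rule uses RUN+= with udev's own `$sys` (sysfs mount point) and `$devpath` expansions.

```shell
#!/bin/sh
# Added example (not from the thread): a udev rule that tightens the sysfs
# directory of every block device as it appears. Assumptions: the file name
# 99-sysfs-block-restrict.rules and the 0750 mode are choices made here;
# "$sys$devpath" is udev's expansion of the sysfs mount point plus devpath.
set -eu

RULE_NAME="99-sysfs-block-restrict.rules"

# Emit the rule. MODE=/GROUP= only touch the /dev node, so the sysfs directory
# is chmod'ed by a RUN+= program after the event has been processed.
sysfs_restrict_rule() {  # $1 = subsystem, $2 = octal mode
    printf 'ACTION=="add", SUBSYSTEM=="%s", RUN+="/usr/bin/chmod %s $sys$devpath"\n' "$1" "$2"
}

# Write the rule into a rules directory (defaults to the real one; the test
# points it at a scratch directory). Prints the path written.
install_sysfs_rule() {  # $1 = subsystem, $2 = mode, [$3 = rules dir]
    dir="${3:-/etc/udev/rules.d}"
    mkdir -p "$dir"
    sysfs_restrict_rule "$1" "$2" > "$dir/$RULE_NAME"
    printf '%s\n' "$dir/$RULE_NAME"
}

# Re-read the rules and replay "add" events for devices that are already
# present, so the chmod also hits hardware enumerated before the rule existed.
apply_sysfs_rule() {  # $1 = subsystem; needs root
    udevadm control --reload
    udevadm trigger --action=add --subsystem-match="$1"
}

# Exit 0 if "other" users can still traverse the directory, 1 if they cannot
# (looks at the execute bit of the last octal digit).
world_can_enter() {  # $1 = directory
    mode=$(stat -c %a "$1")
    case $((mode % 10)) in
        1|3|5|7) return 0 ;;
        *) return 1 ;;
    esac
}
```

Check what the rule resolves to with `udevadm test /sys/class/block/sda` before relying on it. Two caveats: the names under /sys/class/block and /sys/block are symlinks in directories this rule does not touch, so device names stay readable even when the attributes behind them do not; and unprivileged tools that read those attributes (lsblk, for one) will fail for ordinary users, which is the intended effect but worth knowing before something in a user session breaks. Like the chmod in the original post, the change lives only in the running kernel; it persists across boots because udev re-applies it, not because sysfs stores it.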

#5 2022-08-04 21:55:45

krazyarchon2
Member
Registered: 2022-07-28
Posts: 6

Re: Permissions on /home, /var/log and /sys are not persistent

seth wrote:

Which wiki article says "SupplementaryGroups=sysfs"?
Or do you mean (1st google hit) https://madaidans-insecurities.github.i … ting-sysfs ?
In that case you need to re-read the paragraph about the blue box - the systemd user service config aids w/ mitigating the restrictions applied by some script that's linked in that blog.

sysfs is populated by the kernel as new HW shows up (for the most part) and if you want to control access to certain paths you'd do so w/ a udev rule, https://wiki.archlinux.org/title/Udev

Yes that's the site I got it from (whitelisting sysfs access to systemd):

https://madaidans-insecurities.github.i … ting-sysfs

I guess I misunderstood the whitelisting part here and this systemd user config is just used to make sure systemd functions. I still need to look into hardening systemd.

As for sysfs, thanks I will also read up about udev rules to restrict read access to sysfs for users.

I guess this topic can be considered [SOLVED]


#6 2022-08-05 04:43:01

seth
Member
Registered: 2012-09-03
Posts: 30,973

Re: Permissions on /home, /var/log and /sys are not persistent

Mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.



Powered by FluxBB