You are not logged in.
I've gotten into the habit, where instead of directly editing config files, I copy them do my .dotfiles folder and create a symlink in the original location. For example 00-keyboard.conf looks like this:
$ stat /etc/X11/xorg.conf.d/00-keyboard.conf
File: /etc/X11/xorg.conf.d/00-keyboard.conf -> /home/niraami/.dotfiles/system/etc/X11/xorg.conf.d/00-keyboard.conf
Though I've found at least 3 exceptions for this, where I receive errno 13 (permission denied):
/etc/udev/rules.d/99-udisks2.rules
/etc/xdg/reflector/reflector.conf
/etc/resolv.conf
On the other hand, these work flawlessly:
/etc/vconsole.conf
/etc/pam.d/login
/etc/X11/xorg.conf.d/00-keyboard.conf
Why is this happening & is there any way around this? /home & / are separate partitions (LVMs), so no hard links are possible.
This is how the symlink & its destination looks (changing dest to 777 doesn't help):
$ stat /etc/xdg/reflector/reflector.conf
File: /etc/xdg/reflector/reflector.conf -> /home/niraami/.dotfiles/system/etc/xdg/reflector/reflector.conf
Size: 63 Blocks: 8 IO Block: 4096 symbolic link
Device: fe00h/65024d Inode: 1331 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2021-08-01 01:38:41.385304087 +0200
Modify: 2021-08-01 01:38:32.942045195 +0200
Change: 2021-08-01 01:38:32.942045195 +0200
Birth: 2021-08-01 01:38:32.942045195 +0200
$ stat ~/.dotfiles/system/etc/xdg/reflector/reflector.conf
File: /home/niraami/.dotfiles/system/etc/xdg/reflector/reflector.conf
Size: 992 Blocks: 8 IO Block: 4096 regular file
Device: fe02h/65026d Inode: 1838409 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ niraami) Gid: ( 1000/ niraami)
Access: 2021-08-01 01:21:54.384246224 +0200
Modify: 2021-07-24 01:32:30.557367941 +0200
Change: 2021-08-01 01:20:48.504833203 +0200
Birth: 2021-07-24 01:32:30.557367941 +0200
Last edited by areuz (2021-08-01 18:57:02)
If I'm not a bush, I'm not no one.
Dotfiles Git
Offline
Do you have that permission error when trying to read the symlink directly? Or while the related program or service tries to read it? For example, I saw that the Reflector service has ProtectHome=true, which could explain why it'd be unable to see the symlinked configuration file in your home
Offline
Do you have enabled some security enhanced kernel features like provided by apparmor or selinux?
Apparmor status check: $ aa-enabled
Selinux status: $ sestatus
Offline
Some processes will checkfile permissions/smlink nature/path protection of their config files, others won't.
Another option is that the process drops root privilegues and then lacks the reading access to your $HOME.
From a general security perspective, you approach is insane madness (that's the professional term ;-)
Eg. you're granting joeshituser control over PAM.
=> Don't do that AT ALL and look at eg. the forementioned etckeeper instead.
Offline
From a general security perspective, you approach is insane madness (that's the professional term ;-)
Eg. you're granting joeshituser control over PAM.
=> Don't do that AT ALL and look at eg. the forementioned etckeeper instead.
Don't quite agree with that, but indeed I am granting non-root processes access to a originally root owned file. Though that could be fixed by simply chown-ing it as a root user. Which still doesn't solve this issue, but the other suggestions do.
Do you have enabled some security enhanced kernel features like provided by apparmor or selinux?
Apparmor status check: $ aa-enabled
Selinux status: $ sestatus
Nope, never set those up, so I don't even have them installed.
$ aa-enabled
zsh: command not found: aa-enabled
$ sestatus
zsh: command not found: sestatus
Do you have that permission error when trying to read the symlink directly? Or while the related program or service tries to read it? For example, I saw that the Reflector service has ProtectHome=true, which could explain why it'd be unable to see the symlinked configuration file in your home
Yep, that's it. Turning off ProtectHome solves this... I never looked into the reflector.service file.. I guess the same probably applies to the other services that don't work properly with symlinks to HOME. Of course I'm not going to go with this as the solution, there is a reason why those switches exist
Look into etckeeper
Looks like a sane solution, I've always disliked the idea of symlinks across filesystems. Especially from root to another one, which is going to get mounted who knows when.
I gotta look into it a bit more though, and see what triggers the sync (other than a timer), and how changes on both sides are handled, or if the file in /etc always takes precedence.
Thank you all for the help!
Last edited by areuz (2021-08-01 15:37:05)
If I'm not a bush, I'm not no one.
Dotfiles Git
Offline