You are not logged in.

Pages: 1

#1 2021-07-31 23:46:10

areuz
Member
Registered: 2016-09-16
Posts: 60

[SOLVED] Creating certain config files as symlinks in etc doesn't work

I've gotten into the habit, where instead of directly editing config files, I copy them do my .dotfiles folder and create a symlink in the original location. For example 00-keyboard.conf looks like this: 

$ stat /etc/X11/xorg.conf.d/00-keyboard.conf
  File: /etc/X11/xorg.conf.d/00-keyboard.conf -> /home/niraami/.dotfiles/system/etc/X11/xorg.conf.d/00-keyboard.conf

Though I've found at least 3 exceptions for this, where I receive errno 13 (permission denied):

/etc/udev/rules.d/99-udisks2.rules
/etc/xdg/reflector/reflector.conf
/etc/resolv.conf

On the other hand, these work flawlessly:

/etc/vconsole.conf
/etc/pam.d/login
/etc/X11/xorg.conf.d/00-keyboard.conf

Why is this happening & is there any way around this? /home & / are separate partitions (LVMs), so no hard links are possible.
This is how the symlink & its destination looks (changing dest to 777 doesn't help):

$ stat /etc/xdg/reflector/reflector.conf
  File: /etc/xdg/reflector/reflector.conf -> /home/niraami/.dotfiles/system/etc/xdg/reflector/reflector.conf
  Size: 63        	Blocks: 8          IO Block: 4096   symbolic link
Device: fe00h/65024d	Inode: 1331        Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-08-01 01:38:41.385304087 +0200
Modify: 2021-08-01 01:38:32.942045195 +0200
Change: 2021-08-01 01:38:32.942045195 +0200
 Birth: 2021-08-01 01:38:32.942045195 +0200
$ stat ~/.dotfiles/system/etc/xdg/reflector/reflector.conf
  File: /home/niraami/.dotfiles/system/etc/xdg/reflector/reflector.conf
  Size: 992       	Blocks: 8          IO Block: 4096   regular file
Device: fe02h/65026d	Inode: 1838409     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/ niraami)   Gid: ( 1000/ niraami)
Access: 2021-08-01 01:21:54.384246224 +0200
Modify: 2021-07-24 01:32:30.557367941 +0200
Change: 2021-08-01 01:20:48.504833203 +0200
 Birth: 2021-07-24 01:32:30.557367941 +0200

Last edited by areuz (2021-08-01 18:57:02)

If I'm not a bush, I'm not no one.
Dotfiles Git

Offline

#2 2021-08-01 01:03:36

CarbonChauvinist
Member
Registered: 2012-06-16
Posts: 413
Website

Re: [SOLVED] Creating certain config files as symlinks in etc doesn't work

Look into etckeeper

"the wind-blown way, wanna win? don't play"

Offline

#3 2021-08-01 06:40:27

ITA84
Member
Registered: 2019-10-02
Posts: 21

Re: [SOLVED] Creating certain config files as symlinks in etc doesn't work

Do you have that permission error when trying to read the symlink directly? Or while the related program or service tries to read it? For example, I saw that the Reflector service has ProtectHome=true, which could explain why it'd be unable to see the symlinked configuration file in your home

Offline

#4 2021-08-01 08:21:35

rfried123
Member
Registered: 2021-08-01
Posts: 4

Re: [SOLVED] Creating certain config files as symlinks in etc doesn't work

Do you have enabled some security enhanced kernel features like provided by apparmor or selinux?

Apparmor status check: $ aa-enabled
Selinux status: $ sestatus

Offline

#5 2021-08-01 13:05:38

seth
Member
Registered: 2012-09-03
Posts: 51,253

Re: [SOLVED] Creating certain config files as symlinks in etc doesn't work

Some processes will checkfile permissions/smlink nature/path protection of their config files, others won't.
Another option is that the process drops root privilegues and then lacks the reading access to your $HOME.

From a general security perspective, you approach is insane madness (that's the professional term ;-)
Eg. you're granting joeshituser control over PAM.
=> Don't do that AT ALL and look at eg. the forementioned etckeeper instead.

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Offline

#6 2021-08-01 15:35:05

areuz
Member
Registered: 2016-09-16
Posts: 60

Re: [SOLVED] Creating certain config files as symlinks in etc doesn't work

seth wrote:

From a general security perspective, you approach is insane madness (that's the professional term ;-)
Eg. you're granting joeshituser control over PAM.
=> Don't do that AT ALL and look at eg. the forementioned etckeeper instead.

Don't quite agree with that, but indeed I am granting non-root processes access to a originally root owned file. Though that could be fixed by simply chown-ing it as a root user. Which still doesn't solve this issue, but the other suggestions do.

rfried123 wrote:

Do you have enabled some security enhanced kernel features like provided by apparmor or selinux?

Apparmor status check: $ aa-enabled
Selinux status: $ sestatus

Nope, never set those up, so I don't even have them installed.

$  aa-enabled
zsh: command not found: aa-enabled
$ sestatus
zsh: command not found: sestatus
ITA84 wrote:

Do you have that permission error when trying to read the symlink directly? Or while the related program or service tries to read it? For example, I saw that the Reflector service has ProtectHome=true, which could explain why it'd be unable to see the symlinked configuration file in your home

Yep, that's it. Turning off ProtectHome solves this... I never looked into the reflector.service file.. I guess the same probably applies to the other services that don't work properly with symlinks to HOME. Of course I'm not going to go with this as the solution, there is a reason why those switches exist tongue

CarbonChauvinist wrote:

Look into etckeeper

Looks like a sane solution, I've always disliked the idea of symlinks across filesystems. Especially from root to another one, which is going to get mounted who knows when.
I gotta look into it a bit more though, and see what triggers the sync (other than a timer), and how changes on both sides are handled, or if the file in /etc always takes precedence.

Thank you all for the help! smile

Last edited by areuz (2021-08-01 15:37:05)

If I'm not a bush, I'm not no one.
Dotfiles Git

Offline

Pages: 1

Board footer

Powered by FluxBB