Package: systemd
Version: 261~rc1-1
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Tags: upstream
Control: affects -1 + piuparts base-files
Since 261~rc1, the systemd package contains a tmpfiles.d(5) snippet /usr/lib/tmpfiles.d/root.conf which sets the permissions of the root directory to 0555. This appears to have been added in https://github.com/systemd/systemd/pull/41431 upstream, originally as a way to make the system bootable if the root filesystem was mistakenly bootstrapped, untarred, etc. onto an existing filesystem that was created with overly-restrictive permissions like 0700. (Conversely, it would also be helpful if the filesystem had started with overly-broad permissions like 02775, which should be tightened.)

According to comments on the PR, upstream intentionally chose to use 0555 rather than 0755, as a preemptive hardening mechanism so that if code is running as uid 0 with no CAP_DAC_OVERRIDE, it can't write the root directory (although this likely only provides any hardening in practice if all root-owned files are on read-only filesystem mounts; otherwise root-without-caps can just elevate privileges to root-with-caps by overwriting an executable that root-with-caps will run, such as systemd itself).

This all seems like entirely reasonable reasoning, but it has the effect of changing the permissions of the root directory of existing Debian installations, typically from 0755 to 0555, which is not necessarily expected. It also leads to piuparts complaining about / having changed whenever the systemd package is installed and subsequently purged, for example while testing dbus-system-bus-common, which is how I found this.

If we want the root filesystem of Debian systems to be canonically 0555 rather than 0755, that seems like something that should be coordinated with base-files and maybe debootstrap/mmdebstrap/cdebootstrap, so that it will be true for all machines/containers/chroots and not just those that have the systemd package?
(I'm not sure which component actually chooses the permissions of the root filesystem during bootstrapping: base-files, or the specific bootstrapper implementation that was used.)

Or if this change wasn't intended or isn't desired, the systemd package could either not install root.conf, or mask it with an empty /etc/tmpfiles.d/root.conf.

    smcv
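The masking mechanism the report relies on (an empty /etc/tmpfiles.d/root.conf shadowing the vendor file of the same name) and the piuparts-style check of the root directory's mode, as an added example that is not part of the bug report and not code from the systemd or Debian projects. It simulates the tmpfiles.d(5) search order (/etc, /run, /usr/lib) inside a scratch root so it runs unprivileged and without systemd-tmpfiles; the vendor snippet it writes is a constructed "d / 0555" line in the shape the report describes, not a copy of the upstream root.conf. The real-system commands are given in comments.

```shell
#!/bin/sh
# Added example, not from the bug report or from systemd/Debian.
# Works in a scratch directory so it needs neither root nor systemd-tmpfiles.
set -eu

# Print which snippet systemd-tmpfiles would use for NAME under ROOT,
# following the search order documented in tmpfiles.d(5): a file in
# /etc/tmpfiles.d overrides /run/tmpfiles.d, which overrides
# /usr/lib/tmpfiles.d. An empty file (or a symlink to /dev/null) masks
# the snippet entirely. Prints "masked", the winning path, or "none".
# Real system: systemd-tmpfiles --cat-config | grep -A1 root.conf
effective_snippet() {
    root=$1
    name=$2
    for d in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        f="$root/$d/$name"
        if [ -e "$f" ]; then
            if [ ! -s "$f" ]; then
                echo masked
            else
                echo "$f"
            fi
            return 0
        fi
    done
    echo none
}

# Mask a vendor snippet by dropping an empty file of the same name into
# /etc/tmpfiles.d. Real system: touch /etc/tmpfiles.d/root.conf
mask_snippet() {
    root=$1
    name=$2
    mkdir -p "$root/etc/tmpfiles.d"
    : > "$root/etc/tmpfiles.d/$name"
}

# Octal permission bits of a directory, the value piuparts compares before
# and after a package is installed and purged. Real system: stat -c '%a' /
dir_mode() {
    stat -c '%a' "$1"
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/tmpfiles.d"
    # Constructed vendor snippet (assumption about its shape, not the
    # upstream file): a 'd' line that sets the mode of the root directory.
    printf 'd / 0555 - - -\n' > "$root/usr/lib/tmpfiles.d/root.conf"

    echo "vendor snippet in effect: $(effective_snippet "$root" root.conf)"
    # Stand in for a system on which systemd-tmpfiles has already applied it.
    chmod 0555 "$root"
    echo "mode of scratch root after tmpfiles ran: $(dir_mode "$root")"

    # Restore write access so an unprivileged user can add the mask, then
    # put the directory back to what base-files installs today.
    chmod 0755 "$root"
    mask_snippet "$root" root.conf
    echo "after masking: $(effective_snippet "$root" root.conf)"
    echo "mode of scratch root restored: $(dir_mode "$root")"
    rm -rf "$root"
}

demo
```

Note that masking only stops future systemd-tmpfiles runs from changing the mode; a root directory already set to 0555 stays that way until something (here the explicit chmod 0755) resets it, which is why piuparts sees the difference after a purge.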

