Bug 14515

Summary: systemd-tmpfiles changes /dev/fuse permissions denying user access
Product: Mageia Reporter: William Murphy <warrendiogenese>
Component: RPM Packages Assignee: Colin Guthrie <mageia>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: thkala
Version: Cauldron Keywords: Triaged
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: kmod-18-3.mga5.src.rpm CVE:
Status comment:

Description William Murphy 2014-11-12 20:14:34 CET
Description of problem:
After the last cauldron systemd update, the permissions of /dev/fuse were changed from 666 to 600, forbidding user access.

The update triggered systemd to run:
systemd-tmpfiles --create

This runs:
/usr/bin/kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

The line for fuse in /run/tmpfiles.d/kmod.conf:
c /dev/fuse 0600 - - - 10:229

kmod.conf was generated by the write_tmpfiles function in static-nodes.c of kmod and has the file permission hardcoded to 600:
http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/tree/tools/static-nodes.c

This overrides the original value set in /etc/makedev.d/z-fuse:
c 666 root     root      10 229  1   1 fuse

The same result can be reproduced by resetting /dev/fuse permission to 666 and running: systemd-tmpfiles --create


Reproducible: 

Steps to Reproduce:

Comment 1 Theodoros Kalamatianos 2014-11-13 17:49:58 CET
/dev/fuse is not the only file affected - pretty much every node in /run/tmpfiles.d/kmod.conf should be reviewed. For example, /dev/cuse and the nodes in /dev/snd should probably not have 0600 permissions either.

At least these are all on a tmpfs - as soon as the root cause is fixed a reboot will eliminate the problem.

CC: (none) => thkala

Manuel Hiebel 2014-11-13 23:05:41 CET

Keywords: (none) => Triaged
Assignee: bugsquad => mageia
Source RPM: systemd: systemd-217-7.mga5.src.rpm => systemd-217-7.mga5.src.rpm

Comment 2 Colin Guthrie 2014-11-14 10:12:23 CET
The description isn't 100% correct.

Running systemd-tmpfiles --create does not run "kmod static-nodes..".

The latter is run via kmod-static-nodes.service which runs before systemd-tmpfiles-setup-dev.service.

The latter runs "/usr/bin/systemd-tmpfiles --prefix=/dev --create --boot"

What I think is wrong is that "kmod static-nodes" generates the tmpfiles file without an ! at the end of the first field.

Doing this should mean that it only applies when systemd-tmpfiles is run with the --boot argument and will not trigger on subsequent calls to "systemd-tmpfiles --create".

In a quick test here, the ! seems to do the job, so I'll look into patching that upstream.

Thanks for the report.

Colin Guthrie 2014-11-14 10:12:31 CET

Status: NEW => ASSIGNED
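
The check below is an added example, not part of the original report and not kmod or systemd code. It models the behaviour described in comment 2 (an entry whose type field ends in ! is honoured only with --boot) and lists the device nodes whose mode a plain "systemd-tmpfiles --create" would change. The sample config and the "current modes" table are constructed, and all function names are hypothetical.

```python
# Added example: which device-node entries would a non-boot run re-apply?
# Sample text is constructed; only the /dev/fuse line is quoted from the report.
SAMPLE_KMOD_CONF = """\
c /dev/fuse 0600 - - - 10:229
c! /dev/cuse 0600 - - - 10:203
c! /dev/snd/seq 0600 - - - 116:1
"""

# Constructed "current state": /dev/fuse at 666 as set by /etc/makedev.d/z-fuse.
SAMPLE_CURRENT_MODES = {"/dev/fuse": 0o666, "/dev/cuse": 0o666}


def parse_entry(line):
    """Parse one tmpfiles.d line; return None for blanks, comments, short lines."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    type_field = fields[0]
    mode = fields[2] if len(fields) > 2 else "-"
    return {
        "type": type_field[0],               # c = char device, b = block device
        "boot_only": "!" in type_field[1:],  # '!' suffix: honoured only with --boot
        "path": fields[1],
        "mode": None if mode == "-" else int(mode.lstrip("~:"), 8),
    }


def applied_entries(conf_text, boot):
    """Entries a run would act on: all with --boot, otherwise only those without '!'."""
    entries = filter(None, map(parse_entry, conf_text.splitlines()))
    return [e for e in entries if boot or not e["boot_only"]]


def runtime_mode_resets(conf_text, current_modes):
    """Device nodes whose mode a plain `systemd-tmpfiles --create` would change."""
    resets = []
    for e in applied_entries(conf_text, boot=False):
        current = current_modes.get(e["path"])
        if e["type"] in "cb" and e["mode"] is not None and current not in (None, e["mode"]):
            resets.append((e["path"], oct(current), oct(e["mode"])))
    return resets


if __name__ == "__main__":
    for path, old, new in runtime_mode_resets(SAMPLE_KMOD_CONF, SAMPLE_CURRENT_MODES):
        print(f"{path}: {old} -> {new} on a non-boot run (entry lacks '!')")
```

Pointing the same functions at the real /run/tmpfiles.d/kmod.conf, with modes read from the live /dev, shows whether an installed kmod still emits entries without the ! suffix.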

Comment 3 Colin Guthrie 2014-11-14 10:18:01 CET
Ahh indeed. Suspicions confirmed as this is already fixed in kmod git.

http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=27eceb2e4ecbf2e31940b67cee682a6935f61e6c

Should be fixed in kmod-18-4.mga5 but please confirm.

Source RPM: systemd-217-7.mga5.src.rpm => kmod-18-3.mga5.src.rpm

Comment 4 Samuel Verschelde 2015-05-20 00:25:34 CEST
No confirmation, assuming it's fixed.

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED