Description of problem:
After last cauldron systemd update, permissions of /dev/fuse were changed from 666 to 600, forbidding user access.

The update triggered systemd to run:
    systemd-tmpfiles --create
This runs:
    /usr/bin/kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

The line for fuse in /run/tmpfiles.d/kmod.conf:
    c /dev/fuse 0600 - - - 10:229

kmod.conf was generated by the write_tmpfiles function in static-nodes.c of kmod and has file permission hardcoded to 600:
http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/tree/tools/static-nodes.c

This overrides the original value set in /etc/makedev.d/z-fuse:
    c 666 root root 10 229 1 1 fuse

The same result can be reproduced by resetting /dev/fuse permission to 666 and running:
    systemd-tmpfiles --create

Reproducible:

Steps to Reproduce:
/dev/fuse is not the only file affected - pretty much every node in /run/tmpfiles.d/kmod.conf should be reviewed. For example, /dev/cuse and the nodes in /dev/snd should probably not have 0600 permissions either. At least these are all on a tmpfs - as soon as the root cause is fixed a reboot will eliminate the problem.
CC: (none) => thkala
Keywords: (none) => Triaged
Assignee: bugsquad => mageia
Source RPM: systemd: systemd-217-7.mga5.src.rpm => systemd-217-7.mga5.src.rpm
The description isn't 100% correct. Running systemd-tmpfiles --create does not run "kmod static-nodes..". The latter is run via kmod-static-nodes.service which runs before systemd-tmpfiles-setup-dev.service. The latter runs "/usr/bin/systemd-tmpfiles --prefix=/dev --create --boot"

What I think is wrong, is that the "kmod static-nodes" generates the tmpfiles file without an ! at the end of the first field. Doing this should mean that it only applies when systemd-tmpfiles is run with the --boot argument and will not trigger on subsequent calls to "systemd-tmpfiles --create"

In a quick test here, the ! seems to do the job, so I'll look into patching that upstream.

Thanks for the report.
Status: NEW => ASSIGNED
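An added example, not part of the original bug thread and not kmod or systemd code: a small Python check that lists the device-node lines of a tmpfiles.d file that lack the ! boot-only marker described in the comment above, and reports nodes whose live mode differs from the line. The function names and the sample text are constructed for illustration; only the /dev/fuse line is the one quoted in the report.

```python
import os
import stat

# Constructed sample in tmpfiles.d format; the /dev/fuse line is from the report.
SAMPLE_KMOD_CONF = """\
# constructed sample
d /dev/snd 0755 - - -
c /dev/fuse 0600 - - - 10:229
c! /dev/cuse 0600 - - - 10:203
"""

def device_lines(text):
    """Return one dict per character/block device line (types 'c' and 'b')."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        kind, path, mode = fields[0], fields[1], fields[2]
        if kind[0] not in "cb":
            continue
        out.append({
            "path": path,
            # "-" means "use the default"; strip optional mode prefixes.
            "mode": None if mode == "-" else int(mode.lstrip("~:"), 8),
            # "!" after the type letter: only applied with --boot.
            "boot_only": "!" in kind[1:],
        })
    return out

def reapplied_on_create(text):
    """Paths whose mode a plain `systemd-tmpfiles --create` would reset."""
    return [e["path"] for e in device_lines(text) if not e["boot_only"]]

def mode_drift(text, lstat=os.lstat):
    """(path, wanted, actual) for nodes whose live mode differs from the line."""
    drift = []
    for e in device_lines(text):
        if e["mode"] is None:
            continue
        try:
            actual = stat.S_IMODE(lstat(e["path"]).st_mode)
        except OSError:
            continue  # node not present on this system
        if actual != e["mode"]:
            drift.append((e["path"], e["mode"], actual))
    return drift

if __name__ == "__main__":
    print(reapplied_on_create(SAMPLE_KMOD_CONF))
```

To run it against a live system, pass the contents of /run/tmpfiles.d/kmod.conf instead of the sample.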
Ahh indeed. Suspicions confirmed as this is already fixed in kmod git.
http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=27eceb2e4ecbf2e31940b67cee682a6935f61e6c

Should be fixed in kmod-18-4.mga5 but please confirm.
Source RPM: systemd-217-7.mga5.src.rpm => kmod-18-3.mga5.src.rpm
No confirmation, assuming it's fixed.
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED