Bug 485766 - sys-apps/systemd - wrong permissions on /run/systemd causes failure to use DBUS sockets
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo systemd Team
URL: http://thread.gmane.org/gmane.comp.sy...
Reported: 2013-09-23 17:59 UTC by Joakim Gebart Nohlgård
Modified: 2013-09-27 06:39 UTC (History)
Attachments
00-systemd-correct-permissions.conf (00-systemd-correct-permissions.conf,26 bytes, text/plain)
2013-09-23 18:01 UTC, Joakim Gebart Nohlgård
Description Joakim Gebart Nohlgård 2013-09-23 17:59:46 UTC
On two of my systems, when systemd creates the directory /run/systemd at boot it sets the permissions to 0700 and owner root:root. This caused all kinds of problems because the DBus sockets were inaccessible.

Reproducible: Always

Steps to Reproduce:
1. Install systemd
2. Reboot into systemd
3. Try to interact with systemd
Actual Results:  
Symptoms included journal lines such as:

Aug 25 19:54:18 localhost systemd[1]: Failed to register to bus: Access denied

and:

Aug 25 19:54:18 localhost dbus-daemon[350]: 350: [bus/connection.c(2269):bus_transaction_send_error_reply] Sending error reply org.freedesktop.DBus.Error.AccessDenied "Failed to determine seats of user "0": Permission denied"

and:

Aug 26 08:28:59 localhost systemd-logind[316]: Failed to get system D-Bus connection: Access denied
Aug 26 08:28:59 localhost systemd-logind[316]: Failed to fully start up daemon: Connection refused
Aug 26 08:28:59 localhost systemd[1]: systemd-logind.service: main process exited, code=exited, status=1/FAILURE
Aug 26 08:28:59 localhost systemd[1]: Failed to start Login Service.
Aug 26 08:28:59 localhost systemd[1]: Unit systemd-logind.service entered failed state.


No programs that interact with the running systemd seemed to work (localectl, hostnamectl etc.)

Expected Results:  
No access denied errors.

I solved the problem by adding a tmpfiles.d entry for creating the /run/systemd directory with 0755 permissions.
Comment 1 Joakim Gebart Nohlgård 2013-09-23 18:01:07 UTC
Created attachment 359302 [details]
00-systemd-correct-permissions.conf

I solved the problem by placing this file in /etc/tmpfiles.d and rebooting.
Comment 2 Joakim Gebart Nohlgård 2013-09-23 18:02:00 UTC
emerge --info:

Portage 2.2.6 (default/linux/amd64/13.0/desktop, gcc-4.8.1, glibc-2.17, 3.11.0 x86_64)
=================================================================
System uname: Linux-3.11.0-x86_64-Intel-R-_Core-TM-_i7-4500U_CPU_@_1.80GHz-with-gentoo-2.2
KiB Mem:     8072244 total,   2726528 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Sat, 21 Sep 2013 11:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.5-r2, 3.2.5-r2, 3.3.2-r2
dev-util/cmake:           2.8.11.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.6.4, 4.7.3, 4.8.1
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.11 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo crossdev kim sunrise gamerlay sabayon enlightenment systemd zugaina
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache1-php5.2/ext-active/ /etc/php/apache2-php5.2/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.2/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.2/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/crossdev /usr/local/portage/kim /var/lib/layman/sunrise /var/lib/layman/gamerlay /var/lib/layman/sabayon /var/lib/layman/enlightenment /var/lib/layman/systemd /var/lib/layman/zugaina"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 avx bash-completion berkdb bluetooth branding bzip2 c++0x cairo cdda cdr cli cracklib crypt cups cxx dbus dconf dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gles gles1 gles2 gnome gpm gstreamer gtk gtk3 iconv icu ipv6 jpeg lcms ldap libnotify lzma mad mmx mng modules mp3 mp4 mpeg mtp mudflap multilib ncurses nls nptl ogg opengl openmp pam pango pch pcre pdf png policykit ppds pulseaudio python qt3support qt4 readline ruby sdl session spell sse sse2 sse3 sse4 sse4_1 ssl ssse3 startup-notification svg systemd tcpd theora threads tiff truetype udev udisks unicode upower usb v4l vaapi vala vim-syntax vorbis wxwidgets x264 xattr xcb xetex xft xinerama xml xv xvid zlib zsh-completion" ABI_X86="32 64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="*" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="coreboot efi-32 efi-64 qemu pc multiboot" INPUT_DEVICES="evdev synaptics keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="sv sv_SE en en_US en_GB" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2 python3_3" QEMU_SOFTMMU_TARGETS="*" QEMU_USER_TARGETS="*" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.2 3.3"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Joakim Gebart Nohlgård 2013-09-23 18:05:37 UTC
It might be relevant to know that I'm using a custom initramfs that unlocks and mounts a LUKS encrypted partition as the root file system. The initramfs does not mount or create anything under /run, but systemd mounts a tmpfs there automatically, so it seems like systemd should be able to handle all this by itself.

This is my first attempt at using systemd so this whole problem could just as well be a configuration error on my part.
Comment 4 Mike Gilbert 2013-09-25 15:47:50 UTC
Looking through the systemd sources:

/run/systemd is created in mount_setup() with a mode parameter of 0755 (src/core/mount-setup.c).

mount_setup() is called from main() on line 1368 of src/core/main.c.

umask(0) is called from main() on line 1445 of src/core/main.c.


Since systemd does not reset umask until after creating /run/systemd, it will inherit the umask from the process that started it: your /init script in the initramfs.

Are you messing with the umask at all before you call systemd?
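The umask interaction described in this comment, as an added example (not systemd's own code): mkdir(2) strips the caller's umask bits from the requested mode, and the umask is inherited across fork() and exec(), so an /init that runs with umask 077 turns a mkdir(..., 0755) into a 0700 directory; clearing the mask with umask(0) before the mkdir gives the intended 0755. The function name and the temporary path are this example's own.

```c
/* Added example: why /run/systemd came out 0700 instead of 0755.
 * The kernel computes (mode & ~umask) for mkdir(2); a child process starts
 * with its parent's umask, so an initramfs /init that set "umask 077"
 * quietly changes what PID 1 creates until PID 1 calls umask(0) itself. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a "systemd" directory inside a fresh temp dir with `requested`
 * mode while `mask` is the process umask. If reset_umask_first is set,
 * call umask(0) before mkdir, as the fix does. Returns the permission
 * bits the kernel actually stored, or -1 on error. Restores the old umask. */
static int mode_after_mkdir(mode_t requested, mode_t mask, int reset_umask_first) {
    char tmpl[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    char path[sizeof tmpl + 16];
    struct stat st;
    int result = -1;
    mode_t old = umask(mask);                  /* simulate the inherited umask */

    if (reset_umask_first)
        umask(0);                              /* the fix: clear it before mkdir */

    if (mkdtemp(tmpl) == NULL) {
        umask(old);
        return -1;
    }
    snprintf(path, sizeof path, "%s/systemd", tmpl);

    if (mkdir(path, requested) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 07777);    /* what ls -ld would report */

    rmdir(path);
    rmdir(tmpl);
    umask(old);                                /* leave the caller's umask intact */
    return result;
}

int main(void) {
    printf("umask 077, mkdir 0755            -> %04o (the bug)\n",
           mode_after_mkdir(0755, 077, 0));
    printf("umask 077, umask(0), mkdir 0755  -> %04o (the fix)\n",
           mode_after_mkdir(0755, 077, 1));
    return 0;
}
```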
Comment 5 Michał Górny 2013-09-25 18:17:02 UTC
You may try asking upstream to set umask() earlier but I can't guarantee they won't tell you 'use a supported initramfs'...
Comment 6 Joakim Gebart Nohlgård 2013-09-26 08:24:25 UTC
(In reply to Mike Gilbert from comment #4)
> Looking through the systemd sources:
> 
> /run/systemd is created in mount_setup() with a mode parameter of 0755
> (src/core/mount-setup.c).
> 
> mount_setup() is called from main() on line 1368 of src/core/main.c.
> 
> umask(0) is called from main() on line 1445 of src/core/main.c.
> 
> 
> Since systemd does not reset umask until after creating /run/systemd, it
> will inherit the umask from the process that started it: your /init script
> in the initramfs.
> 
> Are you messing with the umask at all before you call systemd?

You are correct, I didn't realize I was setting umask 077 in the initramfs. Problem solved! Thank you!

I doubt upstream will be interested in patching systemd to ignore umask.
Comment 7 Mike Gilbert 2013-09-26 14:54:19 UTC
I sent a patch upstream (see URL). We will see what happens.
Comment 8 Joakim Gebart Nohlgård 2013-09-27 06:39:43 UTC
(In reply to Mike Gilbert from comment #7)
> I sent a patch upstream (see URL). We will see what happens.

The patch has been merged upstream as 90dc8c2ea2cebf2dd195abe4768205a831fd32cb,
see http://article.gmane.org/gmane.comp.sysutils.systemd.devel/13267

http://cgit.freedesktop.org/systemd/systemd/commit/?id=90dc8c2ea2cebf2dd195abe4768205a831fd32cb