From cb0d219206a86065014a20bfe76edba3f0f6765d Mon Sep 17 00:00:00 2001
From: INSUN PYO 
Date: Thu, 3 Dec 2020 15:07:43 +0900
Subject: [PATCH] delayed: rework dealyed service without capability of /usr/bin/touch

VD security remove capability of /usr/bin/touch. (cap_dac_override=ei)
Change permision and group of /run/systemd/system from 0755/root/root to 0775/root/systemf_fw.
Change-Id: I6e2189c2cd0d4a86db995651b43a4dcdc25fcabf
---
 tmpfiles.d/systemd.conf.m4 | 3 +++
 units/system-default-target-done.service.in | 2 --
 units/system-delayed-target-done.service.in | 2 --
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index 9c57d3b..65a297c 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -77,3 +77,6 @@ d /var/lib/systemd/coredump 0755 root root 3d
 d /var/lib/private 0700 root root -
 d /var/log/private 0700 root root -
 d /var/cache/private 0700 root root -
+
+# for delayed.target (0755/root/root => 0775/root/system_fw)
+e /run/systemd/system 0775 - system_fw - -
diff --git a/units/system-default-target-done.service.in b/units/system-default-target-done.service.in
index b022326..16b3d96 100644
--- a/units/system-default-target-done.service.in
+++ b/units/system-default-target-done.service.in
@@ -12,6 +12,4 @@ User=system_fw
 Group=system_fw
 ExecStart=@rootbindir@/touch /run/systemd/system/graphical.target.done
 RemainAfterExit=yes
-SecureBits=keep-caps
-Capabilities=cap_dac_override=i
 SmackProcessLabel=System
diff --git a/units/system-delayed-target-done.service.in b/units/system-delayed-target-done.service.in
index 7bfdea3..0a8e4c7 100644
--- a/units/system-delayed-target-done.service.in
+++ b/units/system-delayed-target-done.service.in
@@ -11,6 +11,4 @@ User=system_fw
 Group=system_fw
 ExecStart=@rootbindir@/touch /run/systemd/system/delayed.target.done
 RemainAfterExit=yes
-SecureBits=keep-caps
-Capabilities=cap_dac_override=i
 SmackProcessLabel=System
--
2.7.4
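Review bot: The added `e /run/systemd/system 0775 - system_fw - -` line in the tmpfiles.d hunk turns systemd's runtime unit directory group-writable, which is a far broader grant than the single cap_dac_override the two deleted `Capabilities=` lines took away from touch: any process running with gid system_fw can now create unit files and `*.d/` drop-ins in a directory PID 1 loads from, and with no sticky bit it can also unlink or rename root-owned files there. Since /run/systemd/system takes precedence over /usr/lib/systemd/system, a compromised system_fw service could shadow a vendor unit or add an override that executes as root after the next daemon-reload, so this trades one pinned capability for a group-to-root escalation path. A narrower fix is a dedicated marker directory owned by the service user, e.g. `d /run/systemd/target-done 0755 system_fw system_fw -`, with the two `ExecStart=` touch lines pointing at it; whatever reads the `.done` files is outside this diff and would need the same path change. Note also that `e` only acts on paths that already exist when systemd-tmpfiles-setup runs, so the line silently depends on PID 1 having created /run/systemd/system earlier in boot — worth stating in the comment — and the commit message's `systemf_fw` should read `system_fw`.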