
Extending access to the systemd RuntimeDirectory with a POSIX ACL


Marco d'Itri

Feb 11, 2024, 10:46:03 PM
inn2[0] uses ephemeral UNIX domain sockets in /run/news/ to communicate
with the ctlinnd program. Since the directory is only writeable by the
"news" user, other unprivileged users are not able to use the command.

I solved this by extending the inn2.service systemd unit with a drop-in
file which uses setfacl to give access to my user "md" to the
RuntimeDirectory created by systemd. This is the content of
/etc/systemd/system/inn2.service.d/md-ctlinnd.conf:

[Service]
# innd will change the permissions of /run/news/ when started: without
# creating it now with mode 0775 then that will change the ACL mask.
RuntimeDirectoryMode=0775
# allow user md to run ctlinnd(8), which creates sockets in /run/news/
ExecStartPost=/usr/bin/setfacl --modify user:md:rwx $RUNTIME_DIRECTORY


The non-obvious issue here is that the innd daemon on startup will
change the directory permissions in a way which sets a more restrictive
(non group-writeable) ACL mask[1], and this would make the newly
created user ACL ineffective. The solution is to create the directory
group-writeable from the start.

(Beware: this creates a trivial privilege escalation from md to news.)


[0] https://packages.debian.org/sid/inn2
[1] https://www.oreilly.com/library/view/network-security-hacks/0596006438/ch01s05.html

Permalink: https://blog.bofh.it/debian/id_468
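The mask interaction described in the post, replayed as an added example (not inn2's code and not part of the original post). It does not call setfacl or getfacl; it models the draft-POSIX.1e rules that Linux applies: a named-user entry gives the ACL a mask, the effective rights of that entry are its bits ANDed with the mask, and chmod(2) on such an ACL rewrites the mask from the group bits of the new mode. The user name "md" comes from the post; the mode that innd itself applies on startup is not stated there, so it is a parameter of the scenario function rather than a fact about innd.

```python
"""Model of the POSIX ACL mask rules behind the setfacl drop-in above.

Added example, not inn2's code: it does not touch the filesystem but
reproduces the draft-POSIX.1e semantics Linux uses for directories:
  * a named user entry makes the ACL "extended" and gives it a mask entry,
  * named-user, named-group and owning-group entries are limited by the
    mask (effective rights = entry bits & mask),
  * chmod(2) on an extended ACL rewrites the mask from the group bits of the
    new mode and leaves the named entries themselves untouched.
"""

R, W, X = 4, 2, 1


def perm_str(bits):
    """Render rwx bits the way getfacl(1) prints them, e.g. 5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


class DirAcl:
    """Minimal model of a directory's mode plus its named-user ACL entries."""

    def __init__(self, mode):
        mode &= 0o777
        self.owner = (mode >> 6) & 7
        self.group = (mode >> 3) & 7   # owning-group entry (group::)
        self.other = mode & 7
        self.users = {}                # named user entries: name -> rwx bits
        self.mask = None               # None while the ACL is still a plain mode

    def setfacl_modify_user(self, name, bits):
        """setfacl --modify user:NAME:PERMS (without -n): add the entry and
        recalculate the mask as the union of all group-class entries, so the
        new entry is effective right after the call."""
        self.users[name] = bits
        self.mask = self.group
        for b in self.users.values():
            self.mask |= b

    def chmod(self, mode):
        """chmod(2): on an extended ACL the group bits of the mode ARE the mask."""
        mode &= 0o777
        self.owner = (mode >> 6) & 7
        self.other = mode & 7
        if self.mask is None:
            self.group = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7  # named entries keep their bits, mask shrinks

    def effective(self, name):
        bits = self.users[name]
        return bits if self.mask is None else bits & self.mask

    def getfacl(self):
        """Lines in getfacl(1) style, with '#effective:' where the mask bites."""
        lines = [f"user::{perm_str(self.owner)}"]
        for name, bits in self.users.items():
            line = f"user:{name}:{perm_str(bits)}"
            eff = self.effective(name)
            if eff != bits:
                line += f"\t#effective:{perm_str(eff)}"
            lines.append(line)
        lines.append(f"group::{perm_str(self.group)}")
        if self.mask is not None:
            lines.append(f"mask::{perm_str(self.mask)}")
        lines.append(f"other::{perm_str(self.other)}")
        return lines


def runtime_dir_scenario(runtime_directory_mode, daemon_chmod_mode, user="md"):
    """Replay the unit's sequence: systemd creates $RUNTIME_DIRECTORY with
    RuntimeDirectoryMode, setfacl grants user:md:rwx, then the daemon chmods
    the directory. Returns the user's effective rights as an 'rwx' string.
    daemon_chmod_mode is an assumption: the post does not say which mode
    innd applies, only that it drops group-write unless the directory
    was created with it."""
    acl = DirAcl(runtime_directory_mode)
    acl.setfacl_modify_user(user, R | W | X)
    acl.chmod(daemon_chmod_mode)
    return perm_str(acl.effective(user))


if __name__ == "__main__":
    # Constructed scenarios: default 0755 runtime dir versus the post's 0775.
    for start, daemon in ((0o755, 0o755), (0o775, 0o775)):
        acl = DirAcl(start)
        acl.setfacl_modify_user("md", R | W | X)
        acl.chmod(daemon)
        print(f"RuntimeDirectoryMode={start:04o}, daemon chmod {daemon:04o}:")
        for line in acl.getfacl():
            print("   ", line)
        print("    md effectively has:", runtime_dir_scenario(start, daemon))
```

The check to run on a real system is `getfacl /run/news` after the service has started: a `#effective:` column next to `user:md:rwx` means a later chmod has shrunk the mask and the drop-in is not doing its job, whatever the entry itself says.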