Your message dated Sun, 07 Sep 2014 09:06:31 +0000
with message-id <[email protected]>
and subject line Bug#759689: fixed in systemd 215-1
has caused the Debian Bug report #759689,
regarding systemd: ProtectSystem= should cover /bin, /sbin, /lib on Debian
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
759689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759689
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 214-1
Severity: normal
Tags: patch
systemd's ProtectSystem= option should cover /bin, /sbin, /lib and
/lib64 (if it exists) on Debian systems where these are not symlinks
to /usr.
A patch is attached.
Please also backport 0f625d0b87139fc18cd565c9b6da05c53a0eb7ab.
Otherwise ProtectSystem=full is broken (and treated as
ProtectSystem=false).
Ansgar
From: Ansgar Burchardt <[email protected]>
Date: Thu, 24 Jul 2014 19:38:07 +0200
Subject: Include additional directories in ProtectSystem
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -371,7 +371,7 @@
strv_length(inaccessible_dirs) +
private_dev +
(protect_home != PROTECT_HOME_NO ? 3 : 0) +
- (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 6 : 0) +
(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
if (n > 0) {
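Review bot: the literal 6 in the `protect_system != PROTECT_SYSTEM_NO` term has to equal the number of entries in the non-full STRV_MAKE list passed to append_mounts() in the next hunk ("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot"), and nothing ties the two together. The numbers match as submitted, but a later edit to one place without the other would leave n out of step with the entries actually appended. Consider deriving the count from a shared list with strv_length(), as is already done for inaccessible_dirs, or at least add a comment naming the list this constant mirrors.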
@@ -413,7 +413,7 @@
}
if (protect_system != PROTECT_SYSTEM_NO) {
- r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot", "/etc") : STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot"), READONLY);
if (r < 0)
return r;
}
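Review bot: "/bin", "/sbin" and "/lib" are added on the changed append_mounts() line without the "-" prefix that "-/lib64" and "-/boot" carry, which the report's "/lib64 (if it exists)" suggests is what marks a path as optional. The report only describes Debian systems where these are real directories, so please confirm what append_mounts() and the READONLY handling do when one of them is a symlink to /usr or is absent, or prefix them as well. The two STRV_MAKE lists now differ only by "/etc", so building the common list once and appending "/etc" for PROTECT_SYSTEM_FULL would remove the duplication; the ProtectSystem= documentation also needs the new directories listed, since the patch touches only src/core/namespace.c.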
--- End Message ---
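A quick way to see whether a host has the filesystem layout this report describes, given as an added example that is not part of the bug report or of systemd. The function name `unprotected_system_dirs` and its root argument are assumptions of the example; the root argument exists so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: list which of /bin, /sbin, /lib and /lib64 are NOT covered
# by a read-only mount of /usr, i.e. the directories a ProtectSystem= that
# only handles /usr and /boot would leave writable for the service.
#
# $1 is the root to inspect (hypothetical parameter; use "/" on a real host).

unprotected_system_dirs() {
    root=${1%/}                 # "/" becomes "", so paths are "$root/bin" etc.
    for d in bin sbin lib lib64; do
        p="$root/$d"
        if [ -L "$p" ]; then
            # Symlink: if it points into usr/, the /usr mount already covers it.
            target=$(readlink "$p")
            case "$target" in
                usr/*|./usr/*|/usr/*) continue ;;
            esac
            printf '/%s\n' "$d"  # symlink to somewhere outside /usr
        elif [ -d "$p" ]; then
            printf '/%s\n' "$d"  # real directory next to /usr
        fi
        # A missing entry (for example no /lib64) is skipped silently.
    done
}

# Stand-alone use: inspect the given root, defaulting to the running system.
unprotected_system_dirs "${1:-/}"
```

An empty result means every one of the four paths is either absent or a symlink into /usr; any path printed needs its own read-only mount to be protected.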
--- Begin Message ---
Source: systemd
Source-Version: 215-1
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 07 Sep 2014 09:58:48 +0200
Source: systemd
Binary: systemd systemd-sysv libpam-systemd libsystemd0 libsystemd-dev
libsystemd-login0 libsystemd-login-dev libsystemd-daemon0 libsystemd-daemon-dev
libsystemd-journal0 libsystemd-journal-dev libsystemd-id128-0
libsystemd-id128-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
libgudev-1.0-0 gir1.2-gudev-1.0 libgudev-1.0-dev python3-systemd systemd-dbg
Architecture: source amd64
Version: 215-1
Distribution: experimental
Urgency: medium
Maintainer: Debian systemd Maintainers
<[email protected]>
Changed-By: Michael Biebl <[email protected]>
Description:
gir1.2-gudev-1.0 - libgudev-1.0 introspection data
libgudev-1.0-0 - GObject-based wrapper library for libudev
libgudev-1.0-dev - libgudev-1.0 development files
libpam-systemd - system and service manager - PAM module
libsystemd-daemon-dev - systemd utility library (transitional package)
libsystemd-daemon0 - systemd utility library (deprecated)
libsystemd-dev - systemd utility library - development files
libsystemd-id128-0 - systemd 128 bit ID utility library (deprecated)
libsystemd-id128-dev - systemd 128 bit ID utility library (transitional
package)
libsystemd-journal-dev - systemd journal utility library (transitional package)
libsystemd-journal0 - systemd journal utility library (deprecated)
libsystemd-login-dev - systemd login utility library (transitional package)
libsystemd-login0 - systemd login utility library (deprecated)
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
python3-systemd - Python 3 bindings for systemd
systemd - system and service manager
systemd-dbg - system and service manager (debug symbols)
systemd-sysv - system and service manager - SysV links
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 747044 751392 758392 759175 759689 760613
Changes:
systemd (215-1) experimental; urgency=medium
.
* New upstream release.
* Import upstream v215-stable patch series.
* Rebase remaining Debian patches on top of v215-stable.
* Drop our Debian-specific run-user.mount unit as upstream now creates a
per-user tmpfs via logind.
* Don't rely on new mount from experimental for now and re-add the patch
which updates the documentation accordingly.
* Cherry-pick upstream fix to use correct versions for the new symbols that
were introduced in libudev.
* Update symbols files
- Add two new symbols for libudev1.
- Remove private symbol from libgudev-1.0-0. This symbol was never part of
the public API and not used anywhere so we don't need a soname bump.
* Cherry-pick upstream commit to not install busname units if kdbus support
is disabled.
* Make /run/lock tmpfs an API fs so it is available during early boot.
(Closes: #751392)
* Install new systemd-path and systemd-escape binaries.
* Cherry-pick upstream commit which fixes the references to the systemctl
man page. (Closes: #760613)
* Use the new systemd-escape utility to properly escape the network
interface name when starting an [email protected] instance for hotplugged
network interfaces. Make sure a recent enough systemd version is installed
by bumping the versioned Breaks accordingly. (Closes: #747044)
* Order [email protected] after networking.service so we don't need to setup the
runtime directory ourselves and we have a defined point during boot when
hotplugged network interfaces are started.
* Disable factory-reset feature and remove files associated with it. This
feature needs more integration work first before it can be enabled in
Debian.
* Cherry-pick upstream commit to fix ProtectSystem=full and make the
ProtectSystem= option consider /bin, /sbin, /lib and /lib64 (if it exists)
on Debian systems. (Closes: #759689)
* Use adduser in quiet mode when creating the system users/groups to avoid
warning messages about the missing home directories. Those are created
dynamically during runtime. (Closes: #759175)
* Set the gecos field when creating the system users.
* Add systemd-bus-proxy system user so systemd-bus-proxyd can properly drop
its privileges.
* Re-exec systemd and restart services at the end of postinst.
* Cherry-pick upstream commit for sd-journal to properly convert
object->size on big endian which fixes a crash in journalctl --list-boots.
(Closes: #758392)
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---