Your message dated Sat, 06 Mar 2021 23:48:26 +0000 with message-id <[email protected]> and subject line Bug#931753: fixed in systemd 247.3-2 has caused the Debian Bug report #931753, regarding DefaultDependencies=no ignores PrivateTmp=yes, but honors its implied RequiresMountsFor= to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
931753: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931753
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 241-5
Severity: minor

After discovering "systemd-analyze security", I went around adding systemd-level confinement to units, e.g. remove modprobe privileges from all units that don't modprobe.

I noticed that adding PrivateTmp=yes to keyboard-setup.service and systemd-udev-settle.service caused ordering cycles. This is because

1. they want to run BEFORE zfs-mount, but
2. PrivateTmp=yes implies RequiresMountsFor=/tmp /var/tmp, so they ALSO want to run AFTER zfs-mount.

So OK, the obvious answer is "don't do that, then" - remove PrivateTmp=yes.

But I also noticed that "systemd-analyze security" says that PrivateTmp=yes will be ignored:

    # SYSTEMD_PAGER='grep apply' systemd-analyze security procps.service
    PrivateTmp=                 Service runs in special boot phase, option does not apply
    ProtectHome=                Service runs in special boot phase, option does not apply
    ProtectSystem=              Service runs in special boot phase, option does not apply
    RootDirectory=/RootImage=   Service runs in special boot phase, option does not apply
    RemoveIPC=                  Service runs as root, option does not apply

If systemd ignores PrivateTmp=yes when DefaultDependencies=no, then systemd SHOULD ignore the implied RequiresMountsFor= (and knock-on Requires=var-tmp.mount) when DefaultDependencies=no.

I realize this is probably a huge pain to fix. Probably the implicit options are added at read time, but the "ignore conflicting options" is done much later, at which time it's impossible to know if Requires=var-tmp.mount was added explicitly or implicitly.

Possibly an easy mitigation is just to log a warning like:

    WARNING: procps.service has both DefaultDependencies=no and PrivateTmp=yes; this won't do what you want!

There are already similar warnings for similar dumb mistakes:

    systemd[1]: /etc/systemd/system/charybdis.service:7: Unknown lvalue 'StartExec' in section 'Service', ignoring
    systemd[1]: charybdis.service: Service has no ExecStart=, ExecStop=, or SuccessAction=. Refusing.

PS: DynamicUser=yes implies PrivateTmp=yes, so I think it should also be "does not apply" for "special boot phase".

PPS: I ran into this on a system with ZFS, but it should be reproducible anywhere that has a dedicated /var/tmp mount in /etc/fstab.
--- End Message ---
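As an added illustration of the interaction the reporter describes, the following Python is a small unit-file lint written for this page; it is not code from the bug report, from systemd or from Debian. It reads units the way systemd does for the simple cases (sectioned Key=Value lines, last assignment wins, an empty assignment resets the key), derives the RequiresMountsFor=/tmp /var/tmp that PrivateTmp=yes (or DynamicUser=yes, which implies PrivateTmp=yes) adds behind the scenes, maps those paths onto the mount units a dedicated /var/tmp entry in fstab would produce, and emits the warning the reporter asks systemd to log when the unit also has DefaultDependencies=no. The helper names (parse_unit, lint_unit, unit_name_for_path, mount_for), the sample unit files and the fstab mount list are all constructed for the example; unit_name_for_path follows systemd-escape only for plain ASCII paths.

```python
"""Lint for the DefaultDependencies=no + PrivateTmp=yes mix-up (added example)."""
import re
from typing import Dict, List

TRUE_VALUES = {"1", "yes", "true", "on"}
FALSE_VALUES = {"0", "no", "false", "off"}
# PrivateTmp=yes implies RequiresMountsFor=/tmp /var/tmp; DynamicUser=yes implies PrivateTmp=yes.
TMP_PATHS = ("/tmp", "/var/tmp")

# Constructed sample data, not files taken from the reporter's system.
FSTAB_MOUNTS = ["/", "/var/tmp"]  # a dedicated /var/tmp mount, as in the PPS
KEYBOARD_SETUP_LIKE = """\
[Unit]
Description=Early-boot service with confinement added (constructed sample)
DefaultDependencies=no
Before=sysinit.target

[Service]
Type=oneshot
PrivateTmp=yes
ExecStart=/bin/true
"""
DYNAMIC_USER_EARLY = """\
[Unit]
DefaultDependencies=no

[Service]
DynamicUser=yes
ExecStart=/bin/true
"""
ORDINARY = """\
[Unit]
Description=Normal late-boot service (constructed sample)

[Service]
PrivateTmp=yes
ExecStart=/bin/true
"""
RESET_AGAIN = """\
[Unit]
DefaultDependencies=no

[Service]
PrivateTmp=yes
PrivateTmp=
ExecStart=/bin/true
"""


def parse_unit(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; last assignment wins, 'Key=' resets the key."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            current.pop(key, None)
        else:
            current[key] = value
    return sections


def is_true(sections: Dict[str, Dict[str, str]], section: str, key: str) -> bool:
    return sections.get(section, {}).get(key, "").lower() in TRUE_VALUES


def unit_name_for_path(path: str) -> str:
    """Mount unit name for a mount point (systemd-escape --path rules, ASCII paths only)."""
    if path == "/":
        return "-.mount"
    out = []
    for i, ch in enumerate(path.strip("/")):
        if ch == "/":
            out.append("-")
        elif ch.isalnum() or ch in ":_" or (ch == "." and i > 0):
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))  # anything else is hex-escaped
    return "".join(out) + ".mount"


def mount_for(path: str, fstab_mounts: List[str]) -> str:
    """The fstab mount point that holds `path` (longest prefix match, root as fallback)."""
    best = "/"
    for mp in fstab_mounts:
        if mp != "/" and (path == mp or path.startswith(mp.rstrip("/") + "/")):
            if len(mp) > len(best):
                best = mp
    return best


def implied_requires_mounts_for(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Paths PrivateTmp=/DynamicUser= silently add to RequiresMountsFor=."""
    if is_true(sections, "Service", "PrivateTmp") or is_true(sections, "Service", "DynamicUser"):
        return list(TMP_PATHS)
    return []


def lint_unit(name: str, text: str, fstab_mounts: List[str]) -> List[str]:
    """Warnings in the spirit of the message the reporter suggests systemd should log."""
    s = parse_unit(text)
    dd_off = s.get("Unit", {}).get("DefaultDependencies", "yes").lower() in FALSE_VALUES
    paths = implied_requires_mounts_for(s)
    if not (dd_off and paths):
        return []
    culprit = "DynamicUser" if is_true(s, "Service", "DynamicUser") else "PrivateTmp"
    mounts = sorted({unit_name_for_path(mount_for(p, fstab_mounts)) for p in paths})
    return [
        f"WARNING: {name} has both DefaultDependencies=no and {culprit}=yes; "
        f"systemd-analyze security reports {culprit}= as 'does not apply' in the special "
        f"boot phase, but its implied RequiresMountsFor={' '.join(paths)} still orders the "
        f"unit after {', '.join(mounts)}"
    ]


def run_examples() -> Dict[str, List[str]]:
    """Lint the constructed samples against the constructed fstab."""
    samples = {
        "keyboard-setup-like.service": KEYBOARD_SETUP_LIKE,
        "dynamic-user-early.service": DYNAMIC_USER_EARLY,
        "ordinary.service": ORDINARY,
        "reset-again.service": RESET_AGAIN,
    }
    return {n: lint_unit(n, t, FSTAB_MOUNTS) for n, t in samples.items()}


if __name__ == "__main__":
    for unit, warns in run_examples().items():
        print(unit, "->", warns or "ok")
```

Only the two early-boot samples are flagged; the ordinary unit keeps its PrivateTmp=yes without comment, and the unit that resets PrivateTmp= after setting it is clean because the reset also drops the implied mount dependencies, which is the "don't do that, then" remedy from the report.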
--- Begin Message ---
Source: systemd
Source-Version: 247.3-2
Done: Michael Biebl <[email protected]>

We believe that the bug you reported is fixed in the latest version of systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated systemd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 06 Mar 2021 22:32:14 +0100
Source: systemd
Architecture: source
Version: 247.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <[email protected]>
Changed-By: Michael Biebl <[email protected]>
Closes: 898530 931753 975289 978011 980820 981407
Changes:
 systemd (247.3-2) unstable; urgency=medium
 .
   * Downgrade a couple of warnings to debug.
     If a package still ships only a SysV init script or if a service file or
     tmpfile uses /var/run, downgrade those messages to debug. We can use
     lintian to detect those issues. For service files and tmpfiles in /etc,
     keep the warning, as those files are typically added locally and aren't
     checked by lintian. (Closes: #981407)
   * core: fix mtime calculation of dropin files (Closes: #975289)
   * analyze: slightly reword PrivateTmp= message (Closes: #931753)
   * rules: move ID_SMARTCARD_READER definition to a <70 configuration
     (Closes: #978011)
   * units: turn off DNSSEC validation when timesyncd resolves hostnames
     (Closes: #898530)
   * table: drop trailing white spaces of the last cell in row (Closes: #980820)
Checksums-Sha1:
 a618fb6dfe398ca4e7cc31f86c63ba20c5c08658 5167 systemd_247.3-2.dsc
 cefda9b089182955299b0c5958fae2c94ec8f501 164040 systemd_247.3-2.debian.tar.xz
 b9977d4468d6f6b1855755e1ee6a8a942fbbd749 9338 systemd_247.3-2_source.buildinfo
Checksums-Sha256:
 d1fb8b11cf690f087ba261de62991eda89b4320f78db4e958ae3f86051af8b46 5167 systemd_247.3-2.dsc
 b1e9dd90a70532878d7fcd8d46c9312922b85165b447fba56bd99e5ffebd2d23 164040 systemd_247.3-2.debian.tar.xz
 fa3e43ce64887df32793f504211d40949762e9069f3ec6689495f3df374a4a96 9338 systemd_247.3-2_source.buildinfo
Files:
 1d0ea4e9f98f1ba7df9829efd3711c63 5167 admin optional systemd_247.3-2.dsc
 40989205a5f994f85af72702799b85ba 164040 admin optional systemd_247.3-2.debian.tar.xz
 9759fe24572d5c42039a14057b08c3d4 9338 admin optional systemd_247.3-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmBEDo0ACgkQauHfDWCP
ItyY0RAAmkC9EeTkJcfLz9KrsshqI1v/HsP6CokgJt6/lJMDH0pQcqBGflHHZtD4
OJdk1OvUr6IcHRHDKNzSNrhSQ2dViYqUI/9FFtI6SiAH/hsBZEcBkIod/XztxeLA
yKiDAAQXy9qKPAply8PGeQ5wOJPP6BIzm5Qql78ntSKEs+EVn8325SaFLtCmDPfk
H+i9UhhibfsHv5a8iFsALx/h9or+Pc8tBD54B7GHLJjl4G3gQkSJHd3gL4XVIpiA
EBZ4MuVFGbbYeCtbNx2zH8Dh/Gycr4AG3koMp9FisjugpjeetzAIqmWXIPgJpyTP
QeI0M0FRBWdtRE8BPhez8qCZg3BFsG/ekSI0ftN1IAdL0Tm6l/Zp2SVKBE0389xY
fm4rOVGbQByk9KX3NVJDdQMgcWHzdc3V2B30H+xDXInTKAthaZ92GpvCn6i1kvAV
Gkf7Uw9hNl/OjfuFdrjOCLX2n7WR6QlbBSiM01E7P4rKoO1N7SkzMA8PmstQMfVA
/YSEl4z92lNVdAJAGyN+r/xFssK7AbXBQDUItn/ZqqPvUE3yamD3xxEFa+bjq3p/
hKq4D3nn1zeOT/VyS/ZWt5weBRfmsCoPzvNUtYnPfAgbpC8Ifs/YYUkAD8gvuwQd
RHjLXNpbaze4LsDRasXRllgQ9ajZtgharcJpBF8XOEpGTBvBsqI=
=LQ7L
-----END PGP SIGNATURE-----
--- End Message ---
