Bug#986354: Re[2]: Bug#986354: hardening-runtime breaks upowerd which affects default installation
On Sun, 2021-04-04 at 22:59 +0930, Andrew Savchenko wrote:
> ```
> WARNING!
>
> This package sets restrictive permissions on a number of directories.
>
> While this is beneficial to the system security, it might lead to situation
> where an application is unable to access a certain path.
>
> Please use `reportbug` shall you encounter any.
> ```

That doesn't really look good to me. First, it seems that the issue isn't with
directory permissions here, and second, there is already a warning about
performance or usability issues. Maybe this could be worded differently but I
don't think it's really sustainable to list each and every issue which might
arise with various stuff, unfortunately.

It might be worth listing known issues and potential fixes in a specific file
in /u/s/d/hardening-runtime (README.Debian or a new file) though, if you can
propose something.

Regards,
--
Yves-Alexis
Bug#986354: Re[2]: Bug#986354: hardening-runtime breaks upowerd which affects default installation
Hello Yves-Alexis,

Sunday, April 4, 2021, 6:09:22 PM, you wrote:

> Hi, could you detail which permissions and from where? I'm aware of the issue
> with user namespaces but not from the permissions.

Indeed, user namespaces were to blame.

> There's already a small warning in the package long description, do you have
> something specific in mind? Could you propose a wording?

```
WARNING!

This package sets restrictive permissions on a number of directories.

While this is beneficial to the system security, it might lead to situation
where an application is unable to access a certain path.

Please use `reportbug` shall you encounter any.
```

--
Regards,
A
Bug#986354: hardening-runtime breaks upowerd which affects default installation
Package: hardening-runtime
Version: 2
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

Installing this package leads to dpkg-overrides setting permissions in a
way that upowerd is unable to start under a non-root account.

This breaks default installation where DE is using UPower service: Gnome,
Mate and potentially some others.

Please consider adding a conditional or a warning prior to installation.
Tested on fully-updated Bullseye.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#986354: hardening-runtime breaks upowerd which affects default installation
On Sun, 2021-04-04 at 15:48 +0930, Andrew Savchenko wrote:
> Installing this package leads to dpkg-overrides setting permissions in a
> way that upowerd is unable to start under a non-root account.

Hi, could you detail which permissions and from where? I'm aware of the issue
with user namespaces but not from the permissions.

>
> This breaks default installation where DE is using UPower service: Gnome,
> Mate and potentially some others.
>
> Please consider adding a conditional or a warning prior to installation.
> Tested on fully-updated Bullseye.

There's already a small warning in the package long description, do you have
something specific in mind? Could you propose a wording?

Regards,
--
Yves-Alexis