Package: htpdate
Version: 1.2.2-3

Hi guys,

the issue has btw not been solved from what I can see and test, but is still present on Buster backports as well as on Bullseye and Sid.

The reason is the "InaccessibleDirectories" option in the systemd unit "/lib/systemd/system/htpdate.service". For security hardening it contains:
-----
InaccessibleDirectories=/boot /home /media /mnt /root /opt /srv
-----

All these directories must exist, otherwise systemd fails to mount them inaccessible for the service, producing the reported error. This could hence also be seen as a systemd issue, although the question is how to better deal with such a case:

1. Pre-create the directories if they do not exist? However, it could be confusing when a systemd unit creates directories unexpectedly, and it could even cause issues if those places are (about to be) used for files or it is an R/O path.

2. Ignore directories that do not exist? However, this could break the security intention when e.g. the dir is created after the service has been started and data that was meant to be inaccessible for the service is then stored inside.

3. Use another mount method that does not require the dir to exist beforehand? Not sure if that is possible; at least the "mount" command also requires the mountpoint dir to exist.

So finally it is probably indeed best to fail and let the admin decide how to solve it. The error message has been slightly enhanced with the new systemd version (Buster backports+):
-----
May 25 14:31:26 VM-Buster systemd[216]: htpdate.service: Failed to set up mount namespacing: /run/systemd/unit-root/media: No such file or directory
-----
However, it could still be clearer; not sure how fast one usually derives from this that the "/media" dir is missing.

Since all listed directories are "required" to fulfil the current FHS (https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s02.html), IMO it is okay that htpdate expects them, and the issue could be forwarded to systemd to either handle such cases more gracefully or make the error output bulletproof understandable.

Best regards,

Micha
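
As an added example, not part of Micha's report or of the htpdate package: a POSIX shell check that reads the InaccessibleDirectories=/InaccessiblePaths= lines of a unit file and reports which listed paths do not exist on this host, i.e. the condition behind the "No such file or directory" failure quoted above. It skips entries prefixed with "-", which systemd treats as optional when missing (per-path, this is the behaviour of option 2). InaccessiblePaths= is the current name of the directive and InaccessibleDirectories= its older alias; the demo unit written by make_demo_unit is constructed for this example and is not the packaged unit file.

```shell
#!/bin/sh
# Added example (not from the bug report or htpdate): find which paths named
# in InaccessibleDirectories=/InaccessiblePaths= of a unit file are missing
# on this host, which is what makes systemd fail with "No such file or
# directory" when it sets up the service's mount namespace.

# Print every path listed on InaccessiblePaths= / InaccessibleDirectories=
# lines of the unit file $1, one per line. Several such lines are allowed.
inaccessible_paths() {
    awk '/^[[:space:]]*Inaccessible(Paths|Directories)=/ {
            sub(/^[^=]*=/, "")                 # drop the key, keep the value
            n = split($0, parts, /[ \t]+/)     # values are whitespace-separated
            for (i = 1; i <= n; i++)
                if (parts[i] != "") print parts[i]
         }' "$1"
}

# Print the listed paths that do not exist. Entries prefixed with "-" are
# skipped: systemd ignores those when they are missing, so they cannot
# trigger the failure.
missing_inaccessible_paths() {
    inaccessible_paths "$1" | while IFS= read -r p; do
        case "$p" in
            -*) continue ;;
        esac
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Write a constructed unit carrying the hardening line quoted in the report
# (assumed content for the demo, not the packaged file) and print its path.
make_demo_unit() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[Service]
InaccessibleDirectories=/boot /home /media /mnt /root /opt /srv
EOF
    printf '%s\n' "$f"
}

# Usage: sh check_inaccessible_paths.sh [/lib/systemd/system/htpdate.service]
# Without an argument the constructed demo unit is checked instead.
unit=${1:-$(make_demo_unit)}
missing=$(missing_inaccessible_paths "$unit")
if [ -n "$missing" ]; then
    printf 'missing on this host, start would fail with ENOENT:\n%s\n' "$missing"
else
    echo "all inaccessible paths exist; namespacing can be set up"
fi
# Remove the demo unit again, but never a unit file passed by the caller.
[ -n "${1:-}" ] || rm -f "$unit"
```

Run it against the real unit (sh check_inaccessible_paths.sh /lib/systemd/system/htpdate.service) on a host that hits the error and the output names the directory to create, which is the information the systemd message above leaves the admin to infer.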
