From b8da477eaf6c775e8c82aad43a4511f7609b0b69 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 14 Jun 2018 11:26:29 +0900
Subject: [PATCH 1/3] fs-util: introduce fchmod_and_chown()
The new function fchmod_and_chown() is almost same as chmod_and_chown() except it takes file descriptor instead of file path.
---
 src/basic/fs-util.c | 16 ++++++++++++++++
 src/basic/fs-util.h | 1 +
 2 files changed, 17 insertions(+)
diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
index ab6ccf7c86..c4e2ebf9b8 100644
--- a/src/basic/fs-util.c
+++ b/src/basic/fs-util.c
@@ -230,6 +230,22 @@ int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
 return 0;
 }
+int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
+ /* Under the assumption that we are running privileged we
+ * first change the access mode and only then hand out
+ * ownership to avoid a window where access is too open. */
+
+ if (mode != MODE_INVALID)
+ if (fchmod(fd, mode) < 0)
+ return -errno;
+
+ if (uid != UID_INVALID || gid != GID_INVALID)
+ if (fchown(fd, uid, gid) < 0)
+ return -errno;
+
+ return 0;
+}
+
 int fchmod_umask(int fd, mode_t m) {
 mode_t u;
 int r;
diff --git a/src/basic/fs-util.h b/src/basic/fs-util.h
index 4d0ed641b4..9129d1c88b 100644
--- a/src/basic/fs-util.h
+++ b/src/basic/fs-util.h
@@ -31,6 +31,7 @@ int readlink_value(const char *p, char **ret);
 int readlink_and_make_absolute(const char *p, char **r);
 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid);
+int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid);
 int fchmod_umask(int fd, mode_t mode);
 int fchmod_opath(int fd, mode_t m);
From c039af2388fb38ce26f2288a20df4dcbb04e70a6 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 14 Jun 2018 11:39:55 +0900
Subject: [PATCH 2/3] sysusers: use fchmod_and_chown()
---
 src/sysusers/sysusers.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
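Review bot: In fchmod_and_chown() the fchown() that follows fchmod() silently drops the setuid/setgid bits from the mode just applied: on a non-directory Linux clears S_ISUID, and S_ISGID when the file is group-executable, on any ownership change, root included (chown(2)), so a caller passing a mode with those bits does not get them. The sysusers callers in the next patch pass `st.st_mode & 07777`, which can include them. The window argument in the comment still holds, so instead of reordering I would re-apply the mode once ownership is settled, `if (mode != MODE_INVALID && (mode & (S_ISUID|S_ISGID)) != 0 && fchmod(fd, mode) < 0) return -errno;` after the fchown, and mention in the header comment that the bits are re-applied for this reason. chmod_and_chown(), whose tail is the leading context of this hunk, presumably has the same ordering and would want the same treatment.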
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index ccb3fca8f2..bf148913bb 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -212,11 +212,9 @@ static int make_backup(const char *target, const char *x) {
 backup = strjoina(x, "-");
 /* Copy over the access mask */
- if (fchmod(fileno(dst), st.st_mode & 07777) < 0)
- log_warning_errno(errno, "Failed to change mode on %s: %m", backup);
-
- if (fchown(fileno(dst), st.st_uid, st.st_gid)< 0)
- log_warning_errno(errno, "Failed to change ownership of %s: %m", backup);
+ r = fchmod_and_chown(fileno(dst), st.st_mode & 07777, st.st_uid, st.st_gid);
+ if (r < 0)
+ log_warning_errno(r, "Failed to change access mode or ownership of %s: %m", backup);
 ts[0] = st.st_atim;
 ts[1] = st.st_mtim;
@@ -335,13 +333,7 @@ static int sync_rights(FILE *from, FILE *to) {
 if (fstat(fileno(from), &st) < 0)
 return -errno;
- if (fchmod(fileno(to), st.st_mode & 07777) < 0)
- return -errno;
-
- if (fchown(fileno(to), st.st_uid, st.st_gid) < 0)
- return -errno;
-
- return 0;
+ return fchmod_and_chown(fileno(to), st.st_mode & 07777, st.st_uid, st.st_gid);
 }
 static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
From 86aaccb020d3b9ed1bd805a91c575d49f7a311f5 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 14 Jun 2018 11:29:08 +0900
Subject: [PATCH 3/3] timesync: ignore any errors related to timestamp file
---
 src/timesync/timesyncd.c | 34 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index dbecfb6ce8..9973e2df08 100644
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -21,6 +21,9 @@
 #include "timesyncd-manager.h"
 #include "user-util.h"
+#define STATE_DIR "/var/lib/systemd/timesync"
+#define CLOCK_FILE STATE_DIR "/clock"
+
 static int load_clock_timestamp(uid_t uid, gid_t gid) {
 _cleanup_close_ int fd = -1;
 usec_t min = TIME_EPOCH * USEC_PER_SEC;
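Review bot: In make_backup() the merged warning no longer tells the reader which of the two operations failed, whereas the replaced code logged a distinct message for the mode and for the ownership change; fchmod_and_chown() stops at the first failure, so that detail is gone from the log. If wrong permissions on the backup file are something this log line is meant to help diagnose, either keep the two calls separate here or note in the comment that a single message now covers both steps. The sync_rights() hunk is an equivalent rewrite and keeps the -errno convention, so nothing to add there.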
@@ -34,7 +37,7 @@ static int load_clock_timestamp(uid_t uid, gid_t gid) {
 * systems lacking a battery backed RTC. We also will adjust
 * the time to at least the build time of systemd. */
- fd = open("/var/lib/systemd/timesync/clock", O_RDWR|O_CLOEXEC, 0644);
+ fd = open(CLOCK_FILE, O_RDWR|O_CLOEXEC, 0644);
 if (fd >= 0) {
 struct stat st;
 usec_t stamp;
@@ -50,24 +53,26 @@ static int load_clock_timestamp(uid_t uid, gid_t gid) {
 if (geteuid() == 0) {
 /* Try to fix the access mode, so that we can still touch the file after dropping priviliges */
- r = fchmod(fd, 0644);
+ r = fchmod_and_chown(fd, 0644, uid, gid);
 if (r < 0)
- return log_error_errno(errno, "Failed to change file access mode: %m");
- r = fchown(fd, uid, gid);
- if (r < 0)
- return log_error_errno(errno, "Failed to change file owner: %m");
+ log_warning_errno(r, "Failed to chmod or chown %s, ignoring: %m", CLOCK_FILE);
 }
 } else {
- r = mkdir_safe_label("/var/lib/systemd/timesync", 0755, uid, gid,
+ r = mkdir_safe_label(STATE_DIR, 0755, uid, gid,
 MKDIR_FOLLOW_SYMLINK | MKDIR_WARN_MODE);
- if (r < 0)
- return log_error_errno(r, "Failed to create state directory: %m");
+ if (r < 0) {
+ log_debug_errno(r, "Failed to create state directory, ignoring: %m");
+ goto settime;
+ }
 /* create stamp file with the compiled-in date */
- (void) touch_file("/var/lib/systemd/timesync/clock", false, min, uid, gid, 0644);
+ r = touch_file(CLOCK_FILE, false, min, uid, gid, 0644);
+ if (r < 0)
+ log_debug_errno(r, "Failed to create %s, ignoring: %m", CLOCK_FILE);
 }
+settime:
 ct = now(CLOCK_REALTIME);
 if (ct < min) {
 struct timespec ts;
@@ -77,7 +82,7 @@ static int load_clock_timestamp(uid_t uid, gid_t gid) {
 format_timestamp(date, sizeof(date), min));
 if (clock_settime(CLOCK_REALTIME, timespec_store(&ts, min)) < 0)
- log_error_errno(errno, "Failed to restore system clock: %m");
+ log_error_errno(errno, "Failed to restore system clock, ignoring: %m");
 }
 return 0;
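Review bot: The re-emitted open() on the new side passes a mode of 0644 without O_CREAT, so the argument has no effect; the file is created by touch_file() in the else branch of the next hunk, so `fd = open(CLOCK_FILE, O_RDWR|O_CLOEXEC);` describes what actually happens. Separately, this open follows symlinks and the next hunk then applies fchmod_and_chown() as root to whatever was opened, while STATE_DIR is created with uid/gid as its owner via mkdir_safe_label(), which presumably leaves the directory writable by the unprivileged service user; opening with O_NOFOLLOW and checking S_ISREG on the `st` from the fstat that presumably follows would confine the privileged mode and owner change to a regular clock file. load_clock_timestamp() starts before this hunk.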
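Review bot: The three failures this hunk turns into no-ops are logged at different levels, the fchmod_and_chown() failure at warning but the mkdir_safe_label() and touch_file() failures at debug, although each leaves the service in the same state, a clock file it cannot update after dropping privileges. With the touch() in main() also demoted to debug in the last hunk, a persistent permission or read-only-filesystem problem is invisible at the default log level, so I would use log_warning_errno for the mkdir and touch_file failures as well, or state in the comment why they are expected to be noise. The `goto settime` is fine as far as the visible code goes, since `fd` is not used past that label and is released by its cleanup attribute.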
@@ -174,8 +179,11 @@ int main(int argc, char *argv[]) {
 }
 /* if we got an authoritative time, store it in the file system */
- if (m->sync)
- (void) touch("/var/lib/systemd/timesync/clock");
+ if (m->sync) {
+ r = touch(CLOCK_FILE);
+ if (r < 0)
+ log_debug_errno(r, "Failed to touch %s, ignoring: %m", CLOCK_FILE);
+ }
 sd_event_get_exit_code(m->event, &r);