tmpfiles: use same credstore perms everywhere

In b6033b7060 support was added to create {/etc|/run}/credstore{|.encrypted} via tmpfiles.d with perms 0000. These perms are so restrictive that not even root can access them unless it has CAP_DAC_OVERRIDE capability. This is creates the dirs at boot time In 24039e1207 support was added to create /etc/credstore with perm 0700 from meson.build at build time. This patch makes unifies the two parts: 1. creates both /etc/credstore *and* /etc/credstore.encrypted in both places (the build system still won't create them in /run/, since that's pointless since not shipped, and the runtime won't create the dirs below /usr/lib/, since that's not generically writable anyway). 2. Both at runtime and at build time we'll create the dirs with mode 0700. This is easier for packaging tools to handle since they generally react pretty negatively on dirs they can't enumerate.
2024-07-01 07:34:28 +00:00 · 2023-05-30 15:13:38 +02:00 · 2023-05-30 15:13:38 +02:00 · 40fb9eebbc
commit 40fb9eebbc
parent 600bf76c17
2 changed files with 6 additions and 4 deletions
--- a/meson.build
+++ b/meson.build
@ -3851,7 +3851,9 @@ public_programs += executable(
 # there.
 meson.add_install_script('sh', '-c', mkdir_p.format(credstoredir))
 if install_sysconfdir
+        # Keep in sync with tmpfiles.d/credstore.conf
        meson.add_install_script('sh', '-c', mkdir_p_mode.format(sysconfdir / 'credstore', '0700'))
+        meson.add_install_script('sh', '-c', mkdir_p_mode.format(sysconfdir / 'credstore.encrypted', '0700'))
 endif

 executable(
--- a/tmpfiles.d/credstore.conf
+++ b/tmpfiles.d/credstore.conf
@ -7,7 +7,7 @@

 # See tmpfiles.d(5) for details

-d /etc/credstore 0000 root root
-d /etc/credstore.encrypted 0000 root root
-z /run/credstore 0000 root root
-z /run/credstore.encrypted 0000 root root
+d /etc/credstore 0700 root root
+d /etc/credstore.encrypted 0700 root root
+z /run/credstore 0700 root root
+z /run/credstore.encrypted 0700 root root