git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Tue, 30 May 2023 13:13:38 +0000 (15:13 +0200)
committer	Mike Yuan <me@yhndnzj.com>
	Wed, 31 May 2023 03:15:26 +0000 (11:15 +0800)
commit	40fb9eebbc075ce1e63100386d2c5f177ad7d738
tree	1c8e3a382734ab34ec1c7314a37a0b4edb577d7a	tree \| snapshot
parent	600bf76c178a2960d6470af2c6a8c598fabd5fd9	commit \| diff

tmpfiles: use same credstore perms everywhere

In b6033b706028a64e9affb79050ced1ad9a4f5b43 support was added to create
{/etc|/run}/credstore{|.encrypted} via tmpfiles.d with perms 0000. These
perms are so restrictive that not even root can access them unless it
has CAP_DAC_OVERRIDE capability. This is creates the dirs at boot time

In 24039e1207c169b18adf5234ad300ea3ba1b671e support was added to create
/etc/credstore with perm 0700 from meson.build at build time.

This patch makes unifies the two parts:

1. creates both /etc/credstore *and* /etc/credstore.encrypted in both
   places (the build system still won't create them in /run/, since
   that's pointless since not shipped, and the runtime won't create the
   dirs below /usr/lib/, since that's not generically writable anyway).

2. Both at runtime and at build time we'll create the dirs with mode
   0700. This is easier for packaging tools to handle since they
   generally react pretty negatively on dirs they can't enumerate.

meson.build		diff \| blob \| blame \| history
tmpfiles.d/credstore.conf		diff \| blob \| blame \| history