tmpfiles: automatically create /etc/credstore/ and friends

This adds a tmpfiles.d/ snippet for LoadCredential= style credentials
directories in /etc/ and /run/.

This is done primarily to ensure that the access modes for the dirs are
set up properly, in the most restrictive ways. Specifically these are
set to 0000, so that CAP_DAC_OVERRIDE is necessary to enumerate and read
the credentials, and being UID=0 is not sufficient to do so.

This creates /etc/credstore/, but leaves /run/credstore/ absent if
missing, for now. Thinking is: the latter being non-persistent is
created by software usually, not manually by users, and hence more
likely right. But dunno, we might want to revisit this sooner or later.

This is ultimately an exercise to advertise the LoadCredential= concept
a bit, and do so in a reasonably secure way, underlining the safety of
the concept.

diff --git a/tmpfiles.d/credstore.conf b/tmpfiles.d/credstore.conf
new file mode 100644 (file)
index 0000000..fb1ccf8
--- /dev/null
+++ b/tmpfiles.d/credstore.conf
@@ -0,0 +1,13 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+d /etc/credstore 0000 root root
+d /etc/credstore.encrypted 0000 root root
+z /run/credstore 0000 root root
+z /run/credstore.encrypted 0000 root root

diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
index ca1abbf3fecf5cc0eba940b690e33d18a1a17de6..4d94e3743ff48f64d753553f7d272c53a7a8e912 100644 (file)
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@@ -15,6 +15,7 @@ files = [['README',               ''],
          ['tmp.conf',             ''],
          ['x11.conf',             ''],
          ['provision.conf',       ''],
+         ['credstore.conf',       ''],
         ]
 
 foreach pair : files