In
b6033b706028a64e9affb79050ced1ad9a4f5b43 support was added to create
{/etc|/run}/credstore{|.encrypted} via tmpfiles.d with perms 0000. These
perms are so restrictive that not even root can access them unless it
has CAP_DAC_OVERRIDE capability. This is creates the dirs at boot time
In
24039e1207c169b18adf5234ad300ea3ba1b671e support was added to create
/etc/credstore with perm 0700 from meson.build at build time.
This patch makes unifies the two parts:
1. creates both /etc/credstore *and* /etc/credstore.encrypted in both
places (the build system still won't create them in /run/, since
that's pointless since not shipped, and the runtime won't create the
dirs below /usr/lib/, since that's not generically writable anyway).
2. Both at runtime and at build time we'll create the dirs with mode
0700. This is easier for packaging tools to handle since they
generally react pretty negatively on dirs they can't enumerate.
# there.
meson.add_install_script('sh', '-c', mkdir_p.format(credstoredir))
if install_sysconfdir
+ # Keep in sync with tmpfiles.d/credstore.conf
meson.add_install_script('sh', '-c', mkdir_p_mode.format(sysconfdir / 'credstore', '0700'))
+ meson.add_install_script('sh', '-c', mkdir_p_mode.format(sysconfdir / 'credstore.encrypted', '0700'))
endif
executable(
# See tmpfiles.d(5) for details
-d /etc/credstore 0000 root root
-d /etc/credstore.encrypted 0000 root root
-z /run/credstore 0000 root root
-z /run/credstore.encrypted 0000 root root
+d /etc/credstore 0700 root root
+d /etc/credstore.encrypted 0700 root root
+z /run/credstore 0700 root root
+z /run/credstore.encrypted 0700 root root
projects / thirdparty / systemd.git / commitdiff
