Ubuntu
systemd package

229_4ubuntu17 removes group write permissions from /var/log

Bug #1687015 reported by Simon Davy
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
systemd (Ubuntu)
Won't Fix
Undecided
Unassigned
Nominated for Xenial by Simon Davy

Bug Description

Steps to reproduce (time senstive, once lxd image is updated with 4ubuntu17, I expect this won't work)

lxc launch ubuntu:x test
lxc exec test -- ls -ld /var/log # shows 775 perms
lxc exec test -- apt update
lxc exec test -- apt-cache policy systemd
lxc exec test -- apt install systemd
lxc exec test -- ls -ld /var/log # shows 755 permissions

straceing the apt install shows no chmod calls to /var/log (only /var/log/apt.log, as you'd expect)

This means syslog cannot write new files in /var/log, and had broken some production logging for us as a result.

See original description
Tags: xenial
Simon Davy (bloodearnest)
description: updated
summary: - 229_4ubuntu17 remove group write permissions from /var/log
+ 229_4ubuntu17 removes group write permissions from /var/log
Revision history for this message
madbiologist (me-again) wrote :

Which version of Ubuntu is this occurring on?

Changed in systemd (Ubuntu):
status: New → Incomplete
Revision history for this message
Simon Davy (bloodearnest) wrote :

Xenial, sorry, ubuntu:x is lxd shortcut for xenial.

Revision history for this message
Simon Davy (bloodearnest) wrote :

Installing systemd 229_4ubuntu17 also installs the same version of libsystemd0 and libpam-systemd, so possibly could be those packages, but as noted, an strace of 'apt install systemd' didn't indictate anything.

Revision history for this message
Simon Davy (bloodearnest) wrote :

The source package: https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu17
and the diff: http://launchpadlibrarian.net/306522149/systemd_229-4ubuntu16_229-4ubuntu17.diff.gz

Revision history for this message
Simon Davy (bloodearnest) wrote :

I'm an idiot. Of course strace doesn't trace forks by default.

I did a full strace -f (including custom build of strace to stop truncating arguments) and found more info.

The culprit seems to be /bin/systemd-tmpfiles

During install of the package this is called like so:

/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/debian.conf /usr/lib/tmpfiles.d/home.conf /usr/lib/tmpfiles.d/journal-nocow.conf /usr/lib/tmpfiles.d/legacy.conf /usr/lib/tmpfiles.d/systemd-nologin.conf /usr/lib/tmpfiles.d/systemd.conf /usr/lib/tmpfiles.d/tmp.conf /usr/lib/tmpfiles.d/var.conf /usr/lib/tmpfiles.d/x11.conf

On a clean default xenial lxd image, in which /var/log is 775, running the above, even without upgrading to 229_4ubuntu17, will change perms on /var/log to 755.

Digging further, I see a conflict in tmpfiles.d config for /var/log in the *current* xenial image.

$ cat /usr/lib/tmpfiles.d/00rsyslog.conf
# Override systemd's default tmpfiles.d/var.conf to make /var/log writable by
# the syslog group, so that rsyslog can run as user.
# See tmpfiles.d(5) for details.

The config it's overriding is in /usr/lib/tmpfiles.d/var.conf:

    ...
    d /var/log 0755 - - -
    ...

It seems that, by providing an explicit list of tmpfiles.d to the /bin/systemd-tmpfiles, the install process is excluding the careful placed override in /usr/lib/tmpfiles.d/00rsyslog.conf

Revision history for this message
Simon Davy (bloodearnest) wrote :

The explicit /bin/systemd-tmpfiles is invoked in the postinst script for systemd.

Interestingly, it's identical to systemd 229_4ubuntu16 postinst script, so it was not introduced in 4ubuntu17.

I suspect this issue has been present for a while, but the daily run of systemd-tmpfiles-clean job restores it.

If so, this is probably a debhelper bug? As it, it should respect the machine's tmpfiles.d config rather than exclude it?

madbiologist (me-again)
tags: added: xenial
Changed in systemd (Ubuntu):
status: Incomplete → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Revision history for this message
Dan Streetman (ddstreet) wrote :

please reopen if this is still an issue

Changed in systemd (Ubuntu):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.