FS#72320 - [bird] 2.0.8-3 specifies User=bird in systemd service, but does not create user
Attached to Project:
Arch Linux
Opened by Peter Fern (pdf) - Friday, 01 October 2021, 23:36 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 10 October 2021, 18:41 GMT
Details
Description:
The bird package (correctly) specifies a lower privilege user to run as in its systemd service, and applies all caps required to operate, however the package does not create the corresponding user on install.

Additional info:

    $ systemctl cat bird.service
    # /usr/lib/systemd/system/bird.service
    [Unit]
    Description=BIRD routing daemon
    After=network.target

    [Service]
    Type=forking
    ExecStart=/usr/bin/bird
    ExecReload=/usr/bin/birdc configure
    ExecStop=/usr/bin/birdc down
    RuntimeDirectory=bird
    RuntimeDirectoryMode=0750
    DynamicUser=true
    User=bird
    ProtectSystem=strict
    ProtectHome=true
    ProtectKernelTunables=true
    ProtectControlGroups=true
    PrivateTmp=true
    PrivateDevices=true
    CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
    AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW

    [Install]
    WantedBy=multi-user.target

    $ getent passwd bird
    $ echo $?
    2
Closed by Andreas Radke (AndyRTR)
Sunday, 10 October 2021, 18:41 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#71902
See https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#USER/GROUP_IDENTITY
So if you want to have the config file only readable by bird, you could just create the user yourself, I guess.
Maybe there is an alternative (possibly using BindPaths and/or ConfigurationDirectory?), though.
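
An added example, not part of the report or of the bird package: a POSIX shell check that reads a unit's [Service] section and reports how systemd will resolve User=, following the DynamicUser= rules in the systemd.exec(5) section linked above. The function names, the four result labels and the trimmed unit text are assumptions made for illustration.

```sh
# Unit text trimmed from the report's `systemctl cat bird.service` output.
BIRD_UNIT=$(cat <<'EOF'
[Unit]
Description=BIRD routing daemon
[Service]
ExecStart=/usr/bin/bird
DynamicUser=true
User=bird
[Install]
WantedBy=multi-user.target
EOF
)

# Print the last value assigned to KEY in [Service] (a later assignment wins).
service_value() {  # usage: service_value KEY < unit-file
    awk -v key="$1" '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        !in_service || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }'
}

# classify_user UNIT_TEXT [LOOKUP_CMD...]  (default lookup: getent passwd)
# Prints one of: root | dynamic | static | missing
classify_user() (
    unit=$1; shift
    [ $# -gt 0 ] || set -- getent passwd
    user=$(printf '%s\n' "$unit" | service_value User)
    dyn=$(printf '%s\n' "$unit" | service_value DynamicUser)
    case $dyn in 1|yes|true|on) dyn=yes ;; *) dyn=no ;; esac
    if [ -z "$user" ] && [ "$dyn" = no ]; then
        echo root        # system units default to root
    elif [ -n "$user" ] && "$@" "$user" >/dev/null 2>&1; then
        echo static      # an existing account of that name is used as-is
    elif [ "$dyn" = yes ]; then
        echo dynamic     # allocated at start, released at stop
    else
        echo missing     # unit needs the account created beforehand
    fi
)

classify_user "$BIRD_UNIT"
```

Run it while the unit is stopped: on hosts with nss-systemd configured, a running dynamic user also resolves through `getent` and would be reported as `static`.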