From e35a65a2f8a32f63c78a9d41cf993a5cf8a323c0 Mon Sep 17 00:00:00 2001 From: aszlig Date: Thu, 30 Jan 2025 15:51:59 +0100 Subject: [PATCH] nixos: Fix timesyncd test for systemd >= 257.1 Version 257.1 of systemd changed[1] the PrivateTmp setting for the systemd-timesyncd service from "yes" to "disconnected", which broke our systemd-timesyncd test. The reason for this is because the systemd-tmpfiles-setup.service is *only*[2] added as a dependency of systemd-timesyncd.service if PrivateTmp is set to "yes" but not when it is set to "disconnected" (which would make sense given that the tmpfiles.d mechanism was originally designed for temporary files). Commit 339a866b7c25ce44705552105b64cd9cb78780a8 switched the activation script to using systemd-tmpfiles, but the commit in question doesn't provide an explanation why this was necessary in this particular case. However the pull request[3] lists an ongoing effort to get rid of Perl and in the future get also rid of BASH for activation. The reasons for doing this are outlined in the document[4]: > The simple presence of interpreters on a system pose a security risk. > An attacker that gains access to a system can abuse them to execute > arbitrary commands. Mitre lists this as technique T1059. The most > radical yet simple solution to mitigate this exploit is to remove all > interpreters from a system (Mitre M1042). This radical solution is > only really feasible and/or interesting for appliances (i.e. > non-interactive) systems. Especially for high-security solutions this > mitigtation is interesting. I personally don't think this is a very compelling reason, at least for our activation scripts, since an attacker could simply drop an executable binary. Nevertheless, getting rid of additional dependencies on eg. Perl or BASH is something worth pursuing to trim down moving parts. To address this, I decided to implement this as a normal systemd service unit, since we need to guarantee that it's started before systemd-timesyncd.service and with a dedicated unit we can ensure explicit ordering. This has the advantage that we don't interfere with the effort of getting rid of Perl/BASH for activation/boot and also don't risk running into race conditions (again) because it's very unlikely that systemd will change/deprecate explicit unit ordering in the near future. [1]: https://github.com/systemd/systemd/commit/1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5 [2]: https://github.com/systemd/systemd/blob/30675a6ee98540a02bd1d6afcf80f0c0aa8c0910/src/core/unit.c#L1274 [3]: https://github.com/NixOS/nixpkgs/pull/263203 [4]: https://pad.lassul.us/nixos-perlless-activation Signed-off-by: aszlig --- nixos/tests/systemd-timesyncd.nix | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/nixos/tests/systemd-timesyncd.nix b/nixos/tests/systemd-timesyncd.nix index d50b6386786c..b1f618d947cd 100644 --- a/nixos/tests/systemd-timesyncd.nix +++ b/nixos/tests/systemd-timesyncd.nix @@ -26,13 +26,18 @@ import ./make-test-python.nix ( # create the path that should be migrated by our activation script when # upgrading to a newer nixos version system.stateVersion = "19.03"; - systemd.tmpfiles.settings.systemd-timesyncd-test = { - "/var/lib/systemd/timesync".R = { }; - "/var/lib/systemd/timesync".L.argument = "/var/lib/private/systemd/timesync"; - "/var/lib/private/systemd/timesync".d = { - user = "systemd-timesync"; - group = "systemd-timesync"; - }; + systemd.services.old-timesync-state-dir = { + requiredBy = [ "sysinit.target" ]; + before = [ "systemd-timesyncd.service" ]; + after = [ "local-fs.target" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + script = '' + rm -rf /var/lib/systemd/timesync + mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync + ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync + chown systemd-timesync: /var/lib/private/systemd/timesync + ''; }; } );