mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-10 19:55:41 +03:00
e35a65a2f8
Version 257.1 of systemd changed[1] the PrivateTmp setting for the systemd-timesyncd service from "yes" to "disconnected", which broke our systemd-timesyncd test. The reason for this is because the systemd-tmpfiles-setup.service is *only*[2] added as a dependency of systemd-timesyncd.service if PrivateTmp is set to "yes" but not when it is set to "disconnected" (which would make sense given that the tmpfiles.d mechanism was originally designed for temporary files). Commit339a866b7cswitched the activation script to using systemd-tmpfiles, but the commit in question doesn't provide an explanation why this was necessary in this particular case. However the pull request[3] lists an ongoing effort to get rid of Perl and in the future get also rid of BASH for activation. The reasons for doing this are outlined in the document[4]: > The simple presence of interpreters on a system pose a security risk. > An attacker that gains access to a system can abuse them to execute > arbitrary commands. Mitre lists this as technique T1059. The most > radical yet simple solution to mitigate this exploit is to remove all > interpreters from a system (Mitre M1042). This radical solution is > only really feasible and/or interesting for appliances (i.e. > non-interactive) systems. Especially for high-security solutions this > mitigtation is interesting. I personally don't think this is a very compelling reason, at least for our activation scripts, since an attacker could simply drop an executable binary. Nevertheless, getting rid of additional dependencies on eg. Perl or BASH is something worth pursuing to trim down moving parts. To address this, I decided to implement this as a normal systemd service unit, since we need to guarantee that it's started before systemd-timesyncd.service and with a dedicated unit we can ensure explicit ordering. This has the advantage that we don't interfere with the effort of getting rid of Perl/BASH for activation/boot and also don't risk running into race conditions (again) because it's very unlikely that systemd will change/deprecate explicit unit ordering in the near future. [1]:1f6e192848[2]:30675a6ee9/src/core/unit.c (L1274)[3]: https://github.com/NixOS/nixpkgs/pull/263203 [4]: https://pad.lassul.us/nixos-perlless-activation Signed-off-by: aszlig <aszlig@nix.build>
72 lines
2.4 KiB
Nix
72 lines
2.4 KiB
Nix
# Regression test for systemd-timesync having moved the state directory without
|
|
# upstream providing a migration path. https://github.com/systemd/systemd/issues/12131
|
|
|
|
import ./make-test-python.nix (
|
|
let
|
|
common =
|
|
{ lib, ... }:
|
|
{
|
|
# override the `false` value from the qemu-vm base profile
|
|
services.timesyncd.enable = lib.mkForce true;
|
|
};
|
|
mkVM = conf: {
|
|
imports = [
|
|
conf
|
|
common
|
|
];
|
|
};
|
|
in
|
|
{
|
|
name = "systemd-timesyncd";
|
|
nodes = {
|
|
current = mkVM { };
|
|
pre1909 = mkVM (
|
|
{ lib, ... }:
|
|
{
|
|
# create the path that should be migrated by our activation script when
|
|
# upgrading to a newer nixos version
|
|
system.stateVersion = "19.03";
|
|
systemd.services.old-timesync-state-dir = {
|
|
requiredBy = [ "sysinit.target" ];
|
|
before = [ "systemd-timesyncd.service" ];
|
|
after = [ "local-fs.target" ];
|
|
unitConfig.DefaultDependencies = false;
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
rm -rf /var/lib/systemd/timesync
|
|
mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync
|
|
ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync
|
|
chown systemd-timesync: /var/lib/private/systemd/timesync
|
|
'';
|
|
};
|
|
}
|
|
);
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
current.succeed("systemctl status systemd-timesyncd.service")
|
|
# on a new install with a recent systemd there should not be any
|
|
# leftovers from the dynamic user mess
|
|
current.succeed("test -e /var/lib/systemd/timesync")
|
|
current.succeed("test ! -L /var/lib/systemd/timesync")
|
|
|
|
# timesyncd should be running on the upgrading system since we fixed the
|
|
# file bits in the activation script
|
|
pre1909.succeed("systemctl status systemd-timesyncd.service")
|
|
|
|
# the path should be gone after the migration
|
|
pre1909.succeed("test ! -e /var/lib/private/systemd/timesync")
|
|
|
|
# and the new path should no longer be a symlink
|
|
pre1909.succeed("test -e /var/lib/systemd/timesync")
|
|
pre1909.succeed("test ! -L /var/lib/systemd/timesync")
|
|
|
|
# after a restart things should still work and not fail in the activation
|
|
# scripts and cause the boot to fail..
|
|
pre1909.shutdown()
|
|
pre1909.start()
|
|
pre1909.succeed("systemctl status systemd-timesyncd.service")
|
|
'';
|
|
}
|
|
)
|