Fix permissions on folder '/run/NetworkManager/' #422
When the Netplan systemd generator runs before the NetworkManager service, Netplan will preempt NetworkManager from creating folder '/run/NetworkManager' and will assign it permissions 700. This is a side effect of the call to umask in function write_nm_conf_access_point, made to restrict the permissions on subfolder '/run/NetworkManager/system-connections'. A regular user needs to read from /run/NetworkManager where, in some systems, files such as resolv.conf ultimately reside.
Newer versions of pyflakes (3.0.0+) deprecated python2.x "# type:" comments (PEP 484). Let's avoid that failure.
Thank you very much for your contribution to Netplan!
This is a good catch and you're very right! /run/NetworkManager/ should be 0o755, while only /run/NetworkManager/system-connections/ should be using 0o700 permissions (and we have tests in tests/generator/base.py to actually check for the latter).
PS: I also pushed a small additional commit to avoid the pyflakes 3.0.0+ linting error in the CI.
PPS: The failure in the "Autopkgtest CI" tunnels (gre6) test case is well known (LP#2037667) and unrelated to this PR. Ignoring.
| * Letting the next invokation of safe_mkdir_p_dir do it would result in | ||
| * more restrictive access because of the call to umask. */ | ||
| nm_run_path = g_strjoin(G_DIR_SEPARATOR_S, rootdir ?: "", "run/NetworkManager/", NULL); | ||
| if (!g_file_test(nm_run_path, G_FILE_TEST_EXISTS)) |
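Review bot: the comment on the first line misspells "invocation" as "invokation". More substantively, the `g_file_test(nm_run_path, G_FILE_TEST_EXISTS)` check followed by a create leaves a window in which another process (NetworkManager itself, if it starts concurrently) can create the directory in between, and G_FILE_TEST_EXISTS is also satisfied by a non-directory at that path; since the intent is simply "directory exists with 0755", creating it unconditionally and treating an already-existing directory as success is simpler and closes that window. Also make sure this block runs before the umask call in write_nm_conf_access_point (or chmod the directory after creating it), because a mkdir mode of 0755 is still narrowed by whatever umask the generator process has at that point.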
nitpick: you had some leading whitespace here, which doesn't match our code style, so I quickly fixed this up.
Thanks for the merge, and the edits
Description
In my Yocto image /etc/resolv.conf is a symlink to /etc/resolv-conf.NetworkManager, itself a symlink to /run/NetworkManager/resolv.conf. Because the /run/NetworkManager folder created by Netplan has 700 permissions, a regular user has no access to resolv.conf, which breaks domain name resolution.
This fix assigns the proper access rights, 755, to /run/NetworkManager if Netplan happens to be the first to create it, without elevating privileges on /run/NetworkManager/system-connections, which is what was intended by the original code.