bootctl: allow non-root user to run bootctl status
#5964
Conversation
|
@yuwata thanks for the patch. Are you sure that what bootctl status will show will not break some privacy here ? Also could you please improve that
|
|
@tixxdz Thank you for your comment and sorry for late reply. I've force pushed the updated version. Please take a look.
I think it does not.
Unfortunately, I do not have enough knowledge about user namespace and capabilities, so I may not correctly understand your comments. Anyway, in the updated version, I use |
|
Hi, sorry for the delay. My UEFI vm suffered a catastrophic failure a while back (when testing the systemd-tmpfiles-wipes-rootfs bug ;)), and it took me a while to get around to testing this. Patch 1/2 seems like the right thing to do. Nevertheless, I get the following warning: I don't understand patch 2/2. I don't see why bootctl would be running with uid != euid, so I don't think it makes much difference in practice, but euid seems like the right thing to check in general... @tixxdz this code is all unprivileged, so the checks are only for convenience. I don't think namespaces are relevant here. Also, can you explain why you think |
src/boot/bootctl.c
Outdated
| if (r < 0) | ||
| return r; | ||
|
|
||
| r = find_esp(NULL, NULL, NULL, &uuid); |
There was a problem hiding this comment.
The value of r is never checked.
src/boot/bootctl.c
Outdated
| if (r < 0) | ||
| return r; | ||
| if (arg_path) | ||
| r = status_binaries(arg_path, uuid); |
There was a problem hiding this comment.
So you stop checking r and continue, even if there are errors. I think this is OK, because it is better to try to print as much information as possible, even if something fails early in the process. But at the end, failure should be returned in any of the parts failed. So I think this should be changed to:
r = find_esp(...);
if (arg_path)
r2 = status_binaries(...);
if (is_efi_boot())
r3 = status_variables();
return r < 0 ? r : r2 < 0 ? r2 : r3;
yuwata
force-pushed
the
bootctl-status
branch
2 times, most recently
from
b2196aa to
6492371
Compare
|
@keszybz Thank you for your comments. I've force pushed the updated version. The changes in the updated version are
|
src/boot/bootctl.c
Outdated
| return -ENOENT; | ||
|
|
||
| return log_error_errno(errno, "Failed to check file system type of \"%s\": %m", p); | ||
| return quiet ? -errno : log_error_errno(errno, "Failed to check file system type of \"%s\": %m", p); |
There was a problem hiding this comment.
It's usually better to log at debug level (it makes any debugging much easier). And the condition could be made much stricter. Why not something like this:
return log_full_errno(errno, quiet && errno == EPERM ? LOG_DEBUG : LOG_ERROR, ....);
src/boot/bootctl.c
Outdated
| return -EADDRNOTAVAIL; | ||
|
|
||
| log_error("File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p); | ||
| if (!quiet) |
There was a problem hiding this comment.
If statfs failed, we exit above. So this error should not be silenced, I think.
src/boot/bootctl.c
Outdated
|
|
||
| if (stat(p, &st) < 0) | ||
| return log_error_errno(errno, "Failed to determine block device node of \"%s\": %m", p); | ||
| return quiet ? -errno : log_error_errno(errno, "Failed to determine block device node of \"%s\": %m", p); |
There was a problem hiding this comment.
Again, log_full_errno(errno, quiet && errno == EPERM ? LOG_DEBUG : LOG_ERROR, ...);
src/boot/bootctl.c
Outdated
|
|
||
| if (major(st.st_dev) == 0) { | ||
| log_error("Block device node of %p is invalid.", p); | ||
| if (!quiet) |
There was a problem hiding this comment.
Similarly, I don't think this conditional should be added here.
src/boot/bootctl.c
Outdated
| r = stat(t2, &st2); | ||
| if (r < 0) | ||
| return log_error_errno(errno, "Failed to determine block device node of parent of \"%s\": %m", p); | ||
| return quiet ? -errno : log_error_errno(errno, "Failed to determine block device node of parent of \"%s\": %m", p); |
src/boot/bootctl.c
Outdated
|
|
||
| if (st.st_dev == st2.st_dev) { | ||
| log_error("Directory \"%s\" is not the root of the EFI System Partition (ESP) file system.", p); | ||
| if (!quiet) |
|
not grokking the getuid()/geteuid() change. Can you elaborate? |
|
@keszybz and @poettering Thank you for your comments. Updated. |
|
lgtm, but @keszybz has an outstanding review left, so I'll leave it for him to merge. (i still wonder about the getuid()/geteuid() thing you now dropped, what was the rationale there? i am honestly interested!) |
|
@poettering As I wrote in the above, unfortunately I do not have enough knowledge about user namespace. So, I cannot judge which function is suitable here, and now I just omit the geteuid()/getuid() change. If all you judge that getuid() instead of geteuid() is suitable, then the change is trivial so I will add the commit again. Thanks. |
|
@poettering I was proposed by @tixxdz (#5964 (comment)) and we have all been clamouring for justification since ;) |
|
Looks good. Thanks. |
|
@poettering @keszybz oups sorry :-) , totally forget about this question getuid()/geteuid() , actually it is just a security measure, since I saw some users or vendors setting the setuid bit on some systemd tools and IIRC even PRs here suggest that some users do this or set file capabilities, and since this deals with boot stuff I just suggested it would be at least safe to use getuid() to ignore the setuid bits and avoid damage since that checks seems to be used by other write operations... anyway this is not really a big issue and users can do whatever they want :-) ! |
4 participants
The command
bootctl statusdoes not make any change to the system. Lets's allow non-root user to run the command. However, for non-root user, I have no idea to get the partition UUID of detected ESP. So, currently only root user can show the UUID.