On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote: > Hi Bastian, Emil, > > On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@xxxxxx> > wrote: > > > > This is needed both so the owner can adjust config as needed, and > > for > > distribution builds to be able to move/delete files as part of the > > build without adjusting permissions themselves. Limiting writes > > from > > the running service needs to be done in the systemd unit (already > > the > > case) or init script. > > > > See also: > > https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@xxxxxx/T/ > > --- > > Makefile.am | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/Makefile.am b/Makefile.am > > index 297d0774c..29018a91c 100644 > > --- a/Makefile.am > > +++ b/Makefile.am > > @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth > > statedir = $(localstatedir)/lib/bluetooth > > > > bluetoothd-fix-permissions: > > - install -dm555 $(DESTDIR)$(confdir) > > + install -dm755 $(DESTDIR)$(confdir) > > install -dm700 $(DESTDIR)$(statedir) > > > > if DATAFILES > > -- > > 2.45.2 > > Any comments regarding these changes, shall we also use 0755 in the > systemd service? That's fine, although the changes are really academic, as root/the owner can write and move those files just fine, even without explicit write permissions. The point made about the stopping the running daemon from writing to /etc is on point though, which could be fixed by something like: diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index 8ebe89bec682..ddaa9d444eed 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -15,7 +15,7 @@ LimitNPROC=1 # Filesystem lockdown ProtectHome=true -ProtectSystem=strict +ProtectSystem=full PrivateTmp=true ProtectKernelTunables=true ProtectControlGroups=true See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem= Cheers