Re: systemd-timedated: Not possible to set time zone that is a symlink!

[Lennart Poettering <lennart@xxxxxxxxxxxxxx>]

On Fr, 05.07.19 21:41, Christopher Wong (christopher.wong@xxxxxxxx) wrote:

> Hi,
>
>
> The systemd-timedated doesn't allow setting a tz-file under
> /usr/share/zoneinfo to be a symlink. Is it due to security reasons?

Hmm, I don't think we care whether it is a symlink or not. Where does
your symlink point to though?

Note that we turn on a sandbox for systemd-timedated though, which
limits access to /usr and /etc basically... (and turns off mount
propagation for those dirs). Maybe that's tripping you up, because
your symlink destination are mounts established later on in /home?

> I am asking because our system mount /usr/share/zoneinfo as
> read-only and because of legacy we need to support the user being
> able to change the TZ string in a tz-file. Installing a symlink that
> point to such a tz-file will allow us to use the systemd-timedated
> interface to set time zone. The changeable tz-file (located at
> /etc/...) can be altered by root and a specific service. Do you see
> any potential risk by doing so?

consider turning off the sandboxing features, i.e. add a drop-in that
turns off ProtectSystem=, ProtectHome= and suchlike.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel