http://bugzilla.suse.com/show_bug.cgi?id=1092269 http://bugzilla.suse.com/show_bug.cgi?id=1092269#c1 --- Comment #1 from Karol Babioch --- At least on Tumbleweed (20180420) this is also an issue. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1092269 http://bugzilla.suse.com/show_bug.cgi?id=1092269#c3 --- Comment #3 from Matthias Gerstner --- I am not exactly sure how the machine-id business is supposed to work, from the spec file it sounds like it is a kind of two stage process where some other component is responsible for "fixing up" the file. Can you please find a solution that avoids having this file world writeable in the first place? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1092269 http://bugzilla.suse.com/show_bug.cgi?id=1092269#c4 Thomas Blume changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |thomas.blume@suse.com Flags| |needinfo?(lnussel@suse.com) --- Comment #4 from Thomas Blume --- (In reply to Matthias Gerstner from comment #3)

I am not exactly sure how the machine-id business is supposed to work, from the spec file it sounds like it is a kind of two stage process where some other component is responsible for "fixing up" the file.

Can you please find a solution that avoids having this file world writeable in the first place?

That had been introduced here: https://build.opensuse.org/request/show/479267 but I don't see any reason making it world writable. The upstream code (src/core/machine-id-setup.c) shows even 444 as permissions: --> int machine_id_setup(const char *root, sd_id128_t machine_id, sd_id128_t *ret) { const char *etc_machine_id, *run_machine_id; _cleanup_close_ int fd = -1; bool writable; int r; etc_machine_id = prefix_roota(root, "/etc/machine-id"); RUN_WITH_UMASK(0000) { /* We create this 0444, to indicate that this isn't really * something you should ever modify. Of course, since the file * will be owned by root it doesn't matter much, but maybe * people look. */ (void) mkdir_parents(etc_machine_id, 0755); fd = open(etc_machine_id, O_RDWR|O_CREAT|O_CLOEXEC|O_NOCTTY, 0444); --< Still, considering the original commit, I guess we'd need to make it 644. Ludwig, since you were involved in bug#1024740, I guess you are the best to comment on that, any objection? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1092269 http://bugzilla.suse.com/show_bug.cgi?id=1092269#c6 --- Comment #6 from Thomas Blume --- (In reply to Ludwig Nussel from comment #5)

I'm sure I didn't ask for 666. 444 as upstream does it should be fine as well as root has CAP_DAC_OVERRIDE.

Ok, thanks, the original 666 was only done during initial package installation but I guess we need to change that also for running systems. Unfortunately, I don't see any possibility to distinguish if the permissions of machine-id were set during package installation or from the user by purpose. So, I guess we can only change it to ro now and be aware that there might be some complaints. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1092269 http://bugzilla.suse.com/show_bug.cgi?id=1092269#c8 --- Comment #8 from Thomas Blume --- (In reply to Ludwig Nussel from comment #7)

I assume nobody sane would set /etc/machine-id to 666 :-) Existing installations could be forced to a specific mode after the fact via /etc/permissions

Ok, here is the submission: https://build.opensuse.org/request/show/605312 -- You are receiving this mail because: You are on the CC list for the bug.