[systemd-devel] systemd-timedated: Not possible to set time zone that is a symlink!
Lennart Poettering
lennart at poettering.net
Wed Jul 10 08:26:28 UTC 2019
On Fr, 05.07.19 21:41, Christopher Wong (christopher.wong at axis.com) wrote:

> Hi,
>
> The systemd-timedated doesn't allow setting a tz-file under
> /usr/share/zoneinfo to be a symlink. Is it due to security reasons?

Hmm, I don't think we care whether it is a symlink or not. Where does
your symlink point to though?

Note that we turn on a sandbox for systemd-timedated though, which
limits access to /usr and /etc basically... (and turns off mount
propagation for those dirs). Maybe that's tripping you up, because
your symlink destinations are mounts established later on in /home?

> I am asking because our system mounts /usr/share/zoneinfo as
> read-only and because of legacy we need to support the user being
> able to change the TZ string in a tz-file. Installing a symlink that
> points to such a tz-file will allow us to use the systemd-timedated
> interface to set time zone. The changeable tz-file (located at
> /etc/...) can be altered by root and a specific service. Do you see
> any potential risk by doing so?

Consider turning off the sandboxing features, i.e. add a drop-in that
turns off ProtectSystem=, ProtectHome= and suchlike.

Lennart
--
Lennart Poettering, Berlin
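
The two steps suggested in this reply, as an added example that is not part of the original message: resolve where a zoneinfo symlink really points and flag targets under the directories that ProtectHome=yes hides (per systemd.exec(5)), then write the drop-in that turns the named settings off. The function names and the drop-in file name 10-tz-symlink.conf are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Names below are hypothetical.

# Directories made inaccessible by ProtectHome=yes (see systemd.exec(5)).
HIDDEN_PREFIXES="/home /root /run/user"

# Print the fully resolved target of a zoneinfo entry, following all symlinks.
resolve_tz() {
    readlink -f -- "$1"
}

# Return 0 if an absolute, already resolved path lies in a hidden directory.
hidden_by_protecthome() {
    for p in $HIDDEN_PREFIXES; do
        case "$1" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# Write a drop-in for systemd-timedated.service below the unit directory
# given as $1 (normally /etc/systemd/system) and print the file's path.
# It switches off the two sandbox settings named in the reply.
write_dropin() {
    dir="$1/systemd-timedated.service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-tz-symlink.conf" <<'EOF'
[Service]
ProtectSystem=no
ProtectHome=no
EOF
    printf '%s\n' "$dir/10-tz-symlink.conf"
}

# Typical use, as root:
#   target=$(resolve_tz /usr/share/zoneinfo/Custom)   # constructed zone name
#   hidden_by_protecthome "$target" && echo "target hidden from the service"
#   write_dropin /etc/systemd/system
#   systemctl daemon-reload && systemctl restart systemd-timedated.service
```

A drop-in like this removes filesystem protection from a service that runs as root, so check the resolved target first and only relax the settings that actually block it.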