Re: another mount issue on jessie

2016-02-10 Thread Sebastian Kuzminsky
On 02/10/2016 06:57 AM, IOhannes m zmölnig (Debian/GNU) wrote: @sebastian: could you confirm that you had to remove the PrivateTmp for each and every service you found by grepping? or did you just disable PrivateTmp for all of these services, and then no more problem occurred (though by chance yo

Re: another mount issue on jessie

2016-02-10 Thread Debian/GNU
On 2016-02-09 20:03, Bas Wijnen wrote: > On Tue, Feb 09, 2016 at 10:38:26AM -0700, Sebastian Kuzminsky wrote: >> On another Jessie machine I had to apply the same workaround to some >> additional services. I identified the services that needed the workaround >> by grepping for 'PrivateTmp' in /l

Re: another mount issue on jessie

2016-02-09 Thread Simon McVittie
On 09/02/16 19:54, Sebastian Kuzminsky wrote: > So it sounds useful and valuable, and I can see why people want it > turned on. Other systemd features that provide security hardening but might break some mount-operation patterns include ReadWriteDirectories, ReadOnlyDirectories, InaccessibleDirect

Re: another mount issue on jessie

2016-02-09 Thread Sebastian Kuzminsky
On 02/09/2016 12:03 PM, Bas Wijnen wrote: On Tue, Feb 09, 2016 at 10:38:26AM -0700, Sebastian Kuzminsky wrote: On another Jessie machine I had to apply the same workaround to some additional services. I identified the services that needed the workaround by grepping for 'PrivateTmp' in /lib/syst

Re: another mount issue on jessie

2016-02-09 Thread Bas Wijnen
On Tue, Feb 09, 2016 at 10:38:26AM -0700, Sebastian Kuzminsky wrote: > On another Jessie machine I had to apply the same workaround to some > additional services. I identified the services that needed the workaround > by grepping for 'PrivateTmp' in /

Re: another mount issue on jessie

2016-02-09 Thread Sebastian Kuzminsky
(This is in reply to Simon McVittie's email here: https://lists.debian.org/debian-devel/2016/02/msg00154.html) Simon McVittie wrote: You could try putting [Service] PrivateTmp=no in /etc/systemd/system/{colord,rtkit-daemon}.service.d/local.conf, and see whether that has any effect after a `s

Re: another mount issue on jessie

2016-02-08 Thread Simon McVittie
On 08/02/16 20:58, Sebastian Kuzminsky wrote: > The problem only manifests when running the Jessie or Wheezy kernel (on > the Jessie userspace) and Gnome is installed and colord, packagekit, and > rtkit-daemon are all running. Does "are all running" mean literally colord && packagekit && rtkit-dae

another mount issue on jessie

2016-02-08 Thread Sebastian Kuzminsky
Hi folks, I'm running into a mount issue on Jessie; it seems different from the one reported here: https://lists.debian.org/debian-devel/2016/01/msg00750.html I've attached a short shell script that reproduces the issue 100% of the time. The pattern that triggers the failure is this: rbind-m