[Nix-dev] atd broken by hard-link security features

Peter Simons simons at cryp.to
Fri Apr 26 23:42:58 CEST 2013


Hi guys,

the 'atd' daemon in NixOS doesn't work any more. The problem is that
'at' creates job files in /var/spool/atjobs that are owned by the user
who submitted the job, but the daemon -- running as user 'atd' -- tries
to lock that job by creating a hardlink to it, which the kernel won't
allow:

  kernel: type=1702 audit(1367012178.547:30): op=linkat action=denied \
    pid=1069 comm="ln" path="/var/spool/atjobs/a00002015ba626" dev="dm-0" \
    ino=11024344

Does anyone have an idea how to work around this issue?

Take care,
Peter
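
Added example, not part of the original message: the record above is the kernel's hard-link protection (the fs.protected_hardlinks sysctl) refusing a link to a file the caller does not own. This Python code parses the quoted type=1702 record and applies the same rule to explain the refusal. The file mode, uids and gids used in the demo are constructed, and ACLs and root's permission override are ignored.

```python
import re
import stat

# Audit record quoted in the message above, continuation lines joined.
SAMPLE = ('kernel: type=1702 audit(1367012178.547:30): op=linkat action=denied '
          'pid=1069 comm="ln" path="/var/spool/atjobs/a00002015ba626" '
          'dev="dm-0" ino=11024344')

def parse_link_denial(line):
    """Return the key=value fields of a type=1702 (AUDIT_ANOM_LINK) record, else None."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {k: v.strip('"') for k, v in pairs}
    return fields if fields.get("type") == "1702" else None

def rw_access(mode, owner_uid, owner_gid, uid, gids):
    """Classic owner/group/other check for read+write (ACLs ignored)."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((mode >> shift) & 0o6) == 0o6

def hardlink_check(mode, owner_uid, owner_gid, uid, gids, cap_fowner=False):
    """Apply the protected-hardlinks rule; return (allowed, reason)."""
    if uid == owner_uid:
        return True, "caller owns the file"
    if cap_fowner:
        return True, "caller has CAP_FOWNER"
    # Non-owners may only link to a "safe" source file.
    if not stat.S_ISREG(mode):
        return False, "source is not a regular file"
    if mode & stat.S_ISUID:
        return False, "source is setuid"
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        return False, "source is setgid and group-executable"
    if not rw_access(mode, owner_uid, owner_gid, uid, gids):
        return False, "caller lacks read+write access to the source"
    return True, "source is safe to link"

if __name__ == "__main__":
    rec = parse_link_denial(SAMPLE)
    # Constructed values: job file mode 0700 owned by uid/gid 1000,
    # daemon running as uid/gid 2.
    print(rec["comm"], rec["path"], hardlink_check(0o100700, 1000, 1000, 2, {2}))
```
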