[Nix-dev] atd broken by hard-link security features

Vladimír Čunát vcunat at gmail.com
Fri Apr 26 23:58:21 CEST 2013


On 04/26/2013 11:42 PM, Peter Simons wrote:
> the 'atd' daemon in NixOS doesn't work any more. The problem is that
> 'at' creates job files in /var/spool/atjobs that are owned by the user
> who submitted the job, but the daemon -- running as user 'atd' -- tries
> to lock that job by creating a hardlink to it, which the kernel won't
> allow:
>
>    kernel: type=1702 audit(1367012178.547:30): op=linkat action=denied \
>      pid=1069 comm="ln" path="/var/spool/atjobs/a00002015ba626" dev="dm-0" \
>      ino=11024344
>
> Does anyone have an idea how to work around this issue?

I thought other distros use this feature; we can use their ways... e.g.
I think someone said Ubuntu was among them, and they seem to have atd:
http://manpages.ubuntu.com/manpages/raring/man8/atd.8.html

I still don't see how hardlinking can lock a file, but never mind :-)


Vlada
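
The denial in the quoted audit line matches the kernel's fs.protected_hardlinks policy. As an added example (not part of the original thread, and not atd or NixOS code), the sketch below models that policy as a pure function; the uids, gids and file modes are constructed, and the permission check is simplified (no ACLs, no CAP_DAC_OVERRIDE).

```python
import stat

def has_read_write(mode, f_uid, f_gid, uid, gids):
    """Simplified DAC check: does the caller have both read and write access?"""
    if uid == f_uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif f_gid in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (mode & need) == need

def safe_hardlink_source(mode, f_uid, f_gid, uid, gids):
    """A link source is 'safe' if it is a plain, non-privileged file the caller can read and write."""
    if not stat.S_ISREG(mode):
        return False                      # special files are never safe
    if mode & stat.S_ISUID:
        return False                      # setuid files are never safe
    sgid_exec = stat.S_ISGID | stat.S_IXGRP
    if (mode & sgid_exec) == sgid_exec:
        return False                      # group-executable setgid files are never safe
    return has_read_write(mode, f_uid, f_gid, uid, gids)

def link_allowed(mode, f_uid, f_gid, uid, gids, protected=True, cap_fowner=False):
    """Model of the linkat() decision when fs.protected_hardlinks is on or off."""
    if not protected:
        return True
    return (uid == f_uid or cap_fowner
            or safe_hardlink_source(mode, f_uid, f_gid, uid, gids))

# Constructed values: a job file owned by the submitting user (uid 1000),
# readable and writable only by that user; the daemon runs as uid 7.
JOB_MODE = stat.S_IFREG | 0o700
SUBMITTER, USERS_GID, ATD_UID, ATD_GID = 1000, 100, 7, 7

if __name__ == "__main__":
    cases = {
        "daemon, protection on": link_allowed(JOB_MODE, SUBMITTER, USERS_GID, ATD_UID, {ATD_GID}),
        "daemon, protection off": link_allowed(JOB_MODE, SUBMITTER, USERS_GID, ATD_UID, {ATD_GID}, protected=False),
        "owner, protection on": link_allowed(JOB_MODE, SUBMITTER, USERS_GID, SUBMITTER, {USERS_GID}),
    }
    for name, ok in cases.items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```
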

