On Mon, 2016-07-18 at 19:33 +0100, Philip Withnall wrote:
On Wed, 2016-07-13 at 13:20 +0300, Patrik Flykt wrote:
> On Mon, 2016-07-11 at 18:27 +0100, Philip Withnall wrote:
> > Setting the timezone requires unlinking and relinking /etc/localtime,
> > so we need /etc to be mounted read-write. This means that commit
> > dc8f151e has to be softened to ProtectSystem=true rather than
> > ProtectSystem=full. This mounts most of the filesystem as read-only,
> > apart from /etc, which is read-write.
> > Signed-off-by: Philip Withnall <philip.withnall(a)collabora.co.uk>
> > ---
> > src/connman.service.in | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/src/connman.service.in b/src/connman.service.in
> > index 57eaaf9..d5d6d44 100644
> > --- a/src/connman.service.in
> > +++ b/src/connman.service.in
> > @@ -15,7 +15,7 @@ ExecStart=@sbindir@/connmand -n
> > StandardOutput=null
> > CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN
> > CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SYS_TIME CAP_SYS_MODULE
> > ProtectHome=true
> > -ProtectSystem=full
> > +ProtectSystem=true
> > [Install]
> > WantedBy=multi-user.target
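Review bot: changing ProtectSystem=full to ProtectSystem=true relaxes the read-only mount for the whole of /etc, which is a far wider writable surface than the single /etc/localtime symlink the commit message says needs relinking; the service would keep write access to every file under /etc while still holding CAP_SYS_TIME and CAP_SYS_MODULE from the CapabilityBoundingSet line above. If the downgrade stays, a comment in the unit next to the ProtectSystem line should record why /etc has to be writable so the setting is not tightened back to full without noticing the timezone path; otherwise keeping ProtectSystem=full and moving the writable state out of /etc, as the reply below proposes for /var/run/connman, is the tighter option.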
> > --
> > 2.5.5
> Yes, this will fix the problem. On the other hand there is also a
> desired use case that ConnMan has write access only to as few
> possible, for run-time information that would be /var/run/connman.
> In order to keep in line with that, I suggest something similar to what was
> done for resolv.conf handling. See a few commits
> from 3a9ad49c8c8448875375a67913af98f74bca0ad7 forwards.
> So this could be handled by copying the symlink/file from
> /etc/localtime to /var/run with tmpfiles.d and create the link to
> (see e.g. scripts/connman_resolvconf.conf.in).
> What do you think?
I think that sounds feasible, and definitely better than downgrading
from ProtectSystem=full. I’m away for the next couple of weeks, but
will try and look at this when I get back. Sorry for the delay.
After looking more closely, I don't think it will be possible to set up
an additional symlink:
/etc/localtime -> /var/run/connman/localtime ->
because systemd apparently parses the symlink target of /etc/localtime
to find the timezone. See localtime(5).
I wonder if a better solution would be to use the
org.freedesktop.timedate1 interface to set the timezone via systemd. On
platforms which don't use systemd, we can continue to use the existing
/etc/localtime code, and we won't hit the ProtectSystem=full problem.
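The objection above rests on how the timezone name is recovered from /etc/localtime: localtime(5) describes the link target as having the form ../usr/share/zoneinfo/Area/City, and the zone name is the part after "zoneinfo/". The script below is an added example, not code from the thread or from ConnMan or systemd; it models that parsing rule on the link's immediate target (an assumption about the format, not systemd's own implementation) and shows why a second hop through /var/run/connman/localtime would leave the zone name unrecoverable. The directory layout it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the thread): derive a timezone name from the
# immediate target of a localtime symlink, following the target format
# described in localtime(5). This is a model of that rule, not systemd's code.

# tz_from_link PATH
#   Prints the zone name taken from the link target after "zoneinfo/".
#   Fails (non-zero) if PATH is not a symlink or its direct target does not
#   point into a zoneinfo directory, which is exactly what happens with a
#   link that first goes through /var/run/connman/localtime.
tz_from_link() {
    link="$1"
    [ -L "$link" ] || return 1
    target=$(readlink "$link") || return 1          # literal target, not resolved
    case "$target" in
        *zoneinfo/*) printf '%s\n' "${target##*zoneinfo/}" ;;
        *) return 1 ;;
    esac
}

# demo: build a constructed layout in a temp dir and compare a direct link
# with the double indirection proposed in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/share/zoneinfo/Europe" "$tmp/var/run/connman"
    : > "$tmp/usr/share/zoneinfo/Europe/London"          # stand-in zone file

    # Direct link, as systemd expects (relative target into zoneinfo).
    ln -s ../usr/share/zoneinfo/Europe/London "$tmp/etc_localtime"
    echo "direct link zone: $(tz_from_link "$tmp/etc_localtime")"

    # Indirect link: /etc/localtime -> /var/run/connman/localtime -> zoneinfo.
    ln -s "$tmp/usr/share/zoneinfo/Europe/London" "$tmp/var/run/connman/localtime"
    ln -s "$tmp/var/run/connman/localtime" "$tmp/etc_localtime_indirect"
    if tz_from_link "$tmp/etc_localtime_indirect"; then
        echo "indirect link unexpectedly parsed"
    else
        echo "indirect link: zone name not recoverable from immediate target"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as a plain sh script; the first link yields Europe/London while the indirect one fails, which is the behaviour the thread attributes to systemd's parsing of /etc/localtime.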