Bug 982920

Summary: systemd --test paranoid security
Product: [Fedora] Fedora
Reporter: v.ronnen
Component: systemd
Assignee: systemd-maint
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 19
CC: johannbg, lnykryn, msekleta, plautrba, rvokal, systemd-maint, vpavlin, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-15 01:27:38 UTC
Type: Bug

Description v.ronnen 2013-07-10 06:49:29 UTC
Description of problem:

systemd --test cannot be run as root nor as an ordinary user

Version-Release number of selected component (if applicable):
Fedora 19

How reproducible:
Always

Steps to Reproduce:
1. as root:
systemd --test --system --unit=multi-user.target
Don't run test mode as root.
2. as a normal user:
$ systemd --test --system --unit=multi-user.target
systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Failed to set hostname to <fc20.homelinux.org>: Operation not permitted
Failed to open /dev/tty0: Permission denied
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied

Actual results:
useless results

Expected results:
Useful results

Additional info:

Bug proves --test functionality is not understood by the programmers. 
--test implies do nothing harmful and should be run by root.

Bug proves --test functionality has not been tested at all.
This example is straight from the Fedora 19 docs.

Comment 1 Zbigniew Jędrzejewski-Szmek 2014-10-15 01:27:38 UTC
This got fixed as part of the systemd-analyze work (http://cgit.freedesktop.org/systemd/systemd/commit/?id=0d8c31ff72 is the gist of that). So this has worked fine in F21 for a while. I'll not backport this though.