Bug#1110980: /var/lock/ is the standard interface for serial devices locks

Marco d'Itri md at Linux.IT
Mon Sep 1 17:45:44 BST 2025 

On Aug 29, Luca Boccassi <bluca at debian.org> wrote:

>The FHS is dead and severely outdated. As mentioned on
>https://github.com/systemd/systemd/issues/38563 support for this will
>be removed in 259. Modern utilities should use BSD locks, and IIRC some
>serial applications do that already.
The opinion of systemd upstream is not very relevant here, since Debian 
packages need to follow Debian policy and so far Debian policy requires 
using UUCP HDB lock files.
#1111839 is open for whoever wants to try changing this.

Since /var/lock/ is provided by systemd, this is a systemd bug unless 
some other package will be identified to take care of it.
But you cannot just decide that the policy violation does not exist.

>A world writable directory in /run/ is a security risk, as it allows
>unprivileged processes to DOS the system by exhausting space/inodes,
>and then critical services such as udev will stop working (been there,
>done that).
Not being contested.
As explained, a good compromise would be to make /var/lock/ writeable 
only by group dialout, which would remove any concern for the general 
case of systemd without users with access to serial devices.
This would solve the problem for all legitimate uses while we can figure 
out what to do in the longer term.

>If there still remains any packages that need a world writable /run/,
>they can ship the tmpfiles.d themselves, and assume responsibility for
>it. Anything can ship tmpfiles.d, it doesn't have to be systemd to do
>that. I certainly won't try to stop anyone wishing to do it, but also I
>do not wish for these old workarounds to ship in this package either.
I do not believe that this is practical, not just because of the effort 
needed to change so many packages, but also because systemd-tmpfiles 
would start spewing warnings about the duplicated entries.

>There's ~2 years time until Forky ships, and that should be plenty time
>to either add this workaround elsewhere, or fix remaining programs to
>use BSD locks, or both, so I'm not going to hold back the new version
>from testing for this niche case, sorry.
Ignoring RC bugs is a prerogative of the release team, not us.

-- 
ciao,
Marco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20250901/fa258e24/attachment.sig>

More information about the Pkg-systemd-maintainers mailing list