Bug#1137429: systemd: Changes permissions of root directory from 0755 to 0555

Simon McVittie smcv at debian.org
Sat May 23 19:43:55 BST 2026


Package: systemd
Version: 261~rc1-1
Severity: normal
X-Debbugs-Cc: piuparts at packages.debian.org, base-files at packages.debian.org
Tags: upstream
Control: affects -1 + piuparts base-files

Since 261~rc1, the systemd package contains a tmpfiles.d(5) snippet 
/usr/lib/tmpfiles.d/root.conf which sets the permissions of the root 
directory to 0555. This appears to have been added in 
https://github.com/systemd/systemd/pull/41431 upstream, originally as a 
way to make the system bootable if the root filesystem was mistakenly 
bootstrapped, untarred etc. onto an existing filesystem that was created 
with overly-restrictive permissions like 0700. (Conversely, it would 
also be helpful if the filesystem had started with overly-broad 
permissions like 02775, which should be tightened.)

According to comments on the PR, upstream intentionally chose to use 
0555 rather than 0755, as a preemptive hardening mechanism so that if 
code is running as uid 0 with no CAP_DAC_OVERRIDE, it can't write the 
root directory (although this likely only provides any hardening in 
practice if all root-owned files are on read-only filesystem mounts, 
otherwise root-without-caps can just elevate privileges to 
root-with-caps by overwriting an executable that root-with-caps will 
run, such as systemd itself).

This all seems like entirely reasonable reasoning, but it has the effect 
of changing the permissions of the root directory of existing Debian 
installations, typically from 0755 to 0555, which is not necessarily 
expected. It also leads to piuparts complaining about / having changed 
whenever the systemd package is installed and subsequently purged, for 
example while testing dbus-system-bus-common, which is how I found this.

If we want the root filesystem of Debian systems to be canonically 0555 
rather than 0755, that seems like something that should be coordinated 
with base-files and maybe debootstrap/mmdebstrap/cdebootstrap, so that 
it will be true for all machines/containers/chroots and not just those 
that have the systemd package? (I'm not sure which component actually 
chooses the permissions of the root filesystem during bootstrapping - 
base-files, or the specific bootstrapper implementation that was used.)

Or if this change wasn't intended or isn't desired, the systemd package 
could either not install root.conf, or mask it with an empty 
/etc/tmpfiles.d/root.conf.

    smcv
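
As an added example (not part of the original report, and not systemd's or Debian's code), these shell functions resolve which root.conf wins under the tmpfiles.d(5) same-name override rule that the masking suggestion above relies on, and compare the mode it requests for / with the directory's current mode. The function names and the SYSROOT argument are assumptions, and since the report does not show the contents of root.conf, the sample line in the comment is constructed.

```shell
#!/bin/sh
# Added example. SYSROOT is "" for the live system, or a chroot/test tree path.
# Simplification: only /etc, /run and /usr/lib are searched.
# Constructed sample of a line this would match:  z / 0555 - - -

# Print the root.conf that wins: a same-named file earlier in this list
# replaces the later ones entirely, so an empty file in /etc masks /usr/lib.
effective_root_conf() {
    for dir in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        f="$1/$dir/root.conf"
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print the mode the winning file requests for "/" (leading zeros stripped,
# as stat prints it), "masked" if it has no such line, "none" if no file exists.
configured_root_mode() {
    conf=$(effective_root_conf "$1") || { echo none; return 0; }
    mode=$(awk '$1 !~ /^#/ && $2 == "/" && $3 != "" && $3 != "-" {
        m = $3; sub(/^[~:]*0*/, "", m); print (m == "" ? "0" : m); exit
    }' "$conf" 2>/dev/null) || true
    echo "${mode:-masked}"
}

# Compare the directory's current mode with what tmpfiles would apply.
# stat -c is the GNU coreutils form, as found on Debian.
root_mode_report() {
    actual=$(stat -c '%a' "$1/")
    wanted=$(configured_root_mode "$1")
    case $wanted in
        none|masked) status=unmanaged ;;
        "$actual")   status=in-sync ;;
        *)           status=will-change ;;
    esac
    echo "actual=$actual configured=$wanted status=$status"
}

if [ "$#" -gt 0 ]; then root_mode_report "$1"; fi
```

Run with an empty string as the argument to inspect the live system, or with the path of a chroot or container tree.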


