Remove /sbin from paths if split-bin is false (systemd#8324)

keszybz · poettering · commit 671f0f8de0a6 · 2018-03-01T21:48:36.000+01:00
Follow-up for 157baa8.
diff --git a/meson.build b/meson.build
@@ -59,13 +59,16 @@ if get_option('split-usr') == 'auto'
 else
         split_usr = get_option('split-usr') == 'true'
 endif
-conf.set10('HAVE_SPLIT_USR', split_usr)
+conf.set10('HAVE_SPLIT_USR', split_usr,
+           description : '/usr/bin and /bin directories are separate')
 
 if get_option('split-bin') == 'auto'
         split_bin = run_command('test', '-L', '/usr/sbin').returncode() != 0
 else
         split_bin = get_option('split-bin') == 'true'
 endif
+conf.set10('HAVE_SPLIT_BIN', split_bin,
+           description : 'bin and sbin directories are separate')
 
 rootprefixdir = get_option('rootprefix')
 # Unusual rootprefixdir values are used by some distros
diff --git a/src/basic/path-util.h b/src/basic/path-util.h
@@ -28,8 +28,14 @@
 #include "string-util.h"
 #include "time-util.h"
 
-#define DEFAULT_PATH_NORMAL "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
-#define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":/sbin:/bin"
+#if HAVE_SPLIT_BIN
+#  define PATH_SBIN_BIN(x) x "sbin:" x "bin"
+#else
+#  define PATH_SBIN_BIN(x) x "bin"
+#endif
+
+#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/")
+#define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/")
 
 #if HAVE_SPLIT_USR
 #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
diff --git a/src/core/namespace.c b/src/core/namespace.c
@@ -152,7 +152,9 @@ static const MountEntry protect_system_yes_table[] = {
         { "/lib",                READONLY,     true  },
         { "/lib64",              READONLY,     true  },
         { "/bin",                READONLY,     true  },
+#  if HAVE_SPLIT_BIN
         { "/sbin",               READONLY,     true  },
+#  endif
 #endif
 };
 
@@ -166,7 +168,9 @@ static const MountEntry protect_system_full_table[] = {
         { "/lib",                READONLY,     true  },
         { "/lib64",              READONLY,     true  },
         { "/bin",                READONLY,     true  },
+#  if HAVE_SPLIT_BIN
         { "/sbin",               READONLY,     true  },
+#  endif
 #endif
 };
 
diff --git a/src/libsystemd/sd-path/sd-path.c b/src/libsystemd/sd-path/sd-path.c
@@ -478,6 +478,12 @@ static int search_from_environment(
         return 0;
 }
 
+#if HAVE_SPLIT_BIN
+#  define ARRAY_SBIN_BIN(x) x "sbin", x "bin"
+#else
+#  define ARRAY_SBIN_BIN(x) x "bin"
+#endif
+
 static int get_search(uint64_t type, char ***list) {
 
         assert(list);
@@ -490,13 +496,10 @@ static int get_search(uint64_t type, char ***list) {
                                                ".local/bin",
                                                "PATH",
                                                true,
-                                               "/usr/local/sbin",
-                                               "/usr/local/bin",
-                                               "/usr/sbin",
-                                               "/usr/bin",
+                                               ARRAY_SBIN_BIN("/usr/local/"),
+                                               ARRAY_SBIN_BIN("/usr/"),
 #if HAVE_SPLIT_USR
-                                               "/sbin",
-                                               "/bin",
+                                               ARRAY_SBIN_BIN("/"),
 #endif
                                                NULL);
 
