When systemd‑tmpfiles Wiped Home Files: The Bug, the Fallout, and the Fix

Background

Systemd is a widely adopted init system and service manager for Linux distributions, often sparking debate but now considered essential infrastructure. Beyond its core responsibilities, systemd provides auxiliary utilities such as systemd-tmpfiles, which, according to its manual page, creates, removes, and cleans volatile and temporary files and directories.

Incident Overview

A Linux user, seeking to clean /var/tmp, executed systemd-tmpfiles --purge from the newly released systemd 256 package. Unexpectedly, warning messages appeared referencing paths under /home, indicating that the tool was attempting to modify user home directories. The user aborted the operation with Ctrl‑C, but some files were permanently lost.

The user reported the problem on the systemd project page on GitHub, drawing immediate attention from the maintainers.

Developer Response

A systemd developer, also a Microsoft employee, replied sharply, emphasizing that the user should have been aware that any file or directory created via a tmpfiles.d entry would be subject to removal. The developer suggested the user review existing tmpfiles.d configurations before running such commands.

Discussion and Proposed Solution

The exchange sparked a broader discussion involving core systemd developers, including Lennart Poettering. The core issue was identified as the handling of configuration files located in /usr/lib/tmpfiles.d/, particularly the home.conf entry, which unintentionally allowed --purge to affect user home directories.

Critics pointed out that the command’s documentation insufficiently warned about the far‑reaching effects of --purge, and that the name systemd-tmpfiles itself is misleading for users unfamiliar with its deep configuration semantics.

GitHub discussions proposed adding clearer warnings and possibly altering the command’s default behavior to exclude critical paths like /home unless explicitly specified. A pull request was submitted to refine the operation scope, ensuring that home directories and other sensitive locations are only touched when an administrator deliberately configures them.

Outcome

The changes were merged quickly, and systemd 256.1 was released with the necessary safeguards. The full discussion and the pull request can be followed on the systemd GitHub repository, and related commentary appeared on Mastodon.