Your message dated Wed, 22 Sep 2021 16:19:13 +0000
with message-id <[email protected]>
and subject line Bug#994807: fixed in sssd 2.5.2-3
has caused the Debian Bug report #994807,
regarding sssd-common: capabilities restrictions break the service
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
994807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994807
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sssd-common
Version: 2.5.2-2
Severity: important
Quack,
This morning sssd got upgraded from 2.4.1-2 to 2.5.2-2 and I could not
log in as user. I use sssd-ldap + sssd-dbus + sssd-tools (the rest is
automatically installed).
I tried to downgrade but that did not solve anything, which was weird.
The service failed with:
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: activating (start) since Tue 2021-09-21 12:11:07 JST; 30ms ago
Main PID: 3094 (sssd)
Tasks: 1 (limit: 38361)
Memory: 2.2M
CPU: 14ms
CGroup: /system.slice/sssd.service
└─3094 /usr/sbin/sssd -i --logger=files
Sep 21 12:11:07 Annael systemd[1]: Starting System Security Services Daemon...
Sep 21 12:11:07 Annael sssd[3094]: Starting up
Sep 21 12:11:07 Annael sssd[3094]: dbus[3094]: arguments to dbus_server_get_address() were incorrect, assertion "server != NULL" failed in file ../../../dbus/dbus-server.c line 835.
Sep 21 12:11:07 Annael sssd[3094]: This is normally a bug in some application using the D-Bus library.
Sep 21 12:11:07 Annael sssd[3094]: D-Bus not built with -rdynamic so unable to print a backtrace
Then the daemon crashed because in src/sbus/server/sbus_server.c
sbus_server_socket_listen() only logs the problem without stopping:
Storage: /var/lib/systemd/coredump/core.sssd.0.b78fd458dc7e43a29506481bb2d20de3.3094.1632193867000000.zst
Message: Process 3094 (sssd) of user 0 dumped core.
Stack trace of thread 3094:
#0 0x00007f3ba7170e71 __GI_raise (libc.so.6 + 0x3ce71)
#1 0x00007f3ba715a536 __GI_abort (libc.so.6 + 0x26536)
#2 0x00007f3ba6c25d62 n/a (libdbus-1.so.3 + 0xed62)
#3 0x00007f3ba6c48b60 _dbus_warn_check_failed (libdbus-1.so.3 + 0x31b60)
#4 0x00007f3ba6c40592 dbus_server_get_address (libdbus-1.so.3 + 0x29592)
#5 0x00007f3ba73214ba sbus_server_create (libsss_sbus.so + 0x284ba)
#6 0x00007f3ba730e7b4 sbus_server_create_and_connect_send (libsss_sbus.so + 0x157b4)
#7 0x0000560ec6eada62 n/a (sssd + 0x5a62)
#8 0x00007f3ba715be4a __libc_start_main (libc.so.6 + 0x27e4a)
#9 0x0000560ec6eadbba n/a (sssd + 0x5bba)
Anyway, dbus was started and now that I found a workaround (see below) I
can say it works fine and that is not the problem.
I tried various things to no avail and decided to put aside my config and
purge/reinstall all *sss* packages. After putting back my config and
starting again I got:
# systemctl restart sssd
Broadcast message from systemd-journald@Annael (Tue 2021-09-21 17:12:14 JST):
sssd[11845]: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]
Job for sssd.service failed because a fatal signal was delivered causing the control process to dump core.
See "systemctl status sssd.service" and "journalctl -xe" for details.
And more precisely in the journal:
Sep 21 17:13:45 Annael sssd[11975]: Starting up
Sep 21 17:13:45 Annael sssd[11975]: dbus[11975]: arguments to dbus_server_get_address() were incorrect, assertion "server != NULL" failed in file ../../../dbus/dbus-server.c line 840.
Sep 21 17:13:45 Annael sssd[11975]: This is normally a bug in some application using the D-Bus library.
Sep 21 17:13:45 Annael sssd[11975]: D-Bus not built with -rdynamic so unable to print a backtrace
Sep 21 17:21:55 Annael systemd[1]: Starting System Security Services Daemon...
Sep 21 17:21:55 Annael sssd[14233]: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]
Sep 21 17:21:55 Annael sssd[14233]: Error opening log file, falling back to stderr
Sep 21 17:21:55 Annael sssd[14233]: [sssd] [ldb] (0x0020): Unable to open tdb '/var/lib/sss/db/config.ldb': Permission denied
Sep 21 17:21:55 Annael sssd[14233]: [sssd] [ldb] (0x0020): Failed to connect to '/var/lib/sss/db/config.ldb' with backend 'tdb': Unable to open tdb '/var/lib/sss/db/config.ldb': Permission denied
Sep 21 17:21:55 Annael sssd[14233]: [sssd] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Sep 21 17:21:55 Annael sssd[14233]: [sssd] [confdb_setup] (0x0010): The confdb initialization failed [5]: Input/output error
Sep 21 17:21:55 Annael sssd[14233]: [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [5]: Input/output error
Sep 21 17:21:55 Annael sssd[14233]: [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
Sep 21 17:21:55 Annael sssd[14233]: SSSD couldn't load the configuration database [5]: Input/output error.
Sep 21 17:21:55 Annael systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Sep 21 17:21:55 Annael systemd[1]: sssd.service: Failed with result 'exit-code'.
After trying various solutions I found out that if I comment
CapabilityBoundingSet in the service file everything works fine again. I
purged and reinstalled all again to be sure this is the only change. I
tried adding extra capabilities but I could not find the correct set.
I honestly got confused by the permissions: /var/lib/sss has various
directories owned by the sssd user but the service is only run as root.
Tell me if you need more info.
Regards.
\_o<
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sssd-common depends on:
ii adduser 3.118
ii libc-ares2 1.17.2-1
ii libc6 2.32-4
ii libdbus-1-3 1.13.18-2
ii libdhash1 0.6.1-2
ii libglib2.0-0 2.70.0-1
ii libgssapi-krb5-2 1.18.3-7
ii libini-config5 0.6.1-2
ii libkeyutils1 1.6.1-2
ii libkrb5-3 1.18.3-7
ii libldap-2.4-2 2.4.59+dfsg-1
ii libldb2 2:2.2.0-3.1
ii libnfsidmap2 0.25-6
ii libnl-3-200 3.4.0-1+b1
ii libnl-route-3-200 3.4.0-1+b1
ii libp11-kit0 0.24.0-2
ii libpam0g 1.4.0-10
ii libpcre2-8-0 10.36-2
ii libpopt0 1.18-3
ii libref-array1 0.6.1-2
ii libselinux1 3.1-3
ii libsemanage1 3.1-1+b2
ii libssl1.1 1.1.1l-1
ii libsss-certmap0 2.5.2-2
ii libsss-idmap0 2.5.2-2
ii libsss-nss-idmap0 2.5.2-2
ii libsystemd0 247.9-1
ii libtalloc2 2.3.1-2+b1
ii libtdb1 1.4.3-1+b1
ii libtevent0 0.10.2-1
ii python3 3.9.2-3
ii python3-sss 2.5.2-2
Versions of packages sssd-common recommends:
ii bind9-host 1:9.16.15-1
ii libnss-sss 2.5.2-2
pn libpam-sss <none>
Versions of packages sssd-common suggests:
ii apparmor 3.0.3-2
pn libsss-sudo <none>
ii sssd-tools 2.5.2-2
-- no debconf information
--
Marc Dequènes
--- End Message ---
--- Begin Message ---
Source: sssd
Source-Version: 2.5.2-3
Done: Timo Aaltonen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated sssd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Sep 2021 18:54:07 +0300
Source: sssd
Built-For-Profiles: noudeb
Architecture: source
Version: 2.5.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian SSSD Team <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 994807 994879
Changes:
sssd (2.5.2-3) unstable; urgency=medium
.
* rules: Explicitly set sssd-user as root.
* install: Add sssd-pcsc.rules to -common.
* postinst: Correct file/dir permissions and ownership when the daemon
is run as root. (Closes: #994807)
* 0001-ad-fallback-to-ldap-if-cldap-is-not-available-in-lib.patch: Our
libldap is built without LDAP_CONNECTIONLESS, cope with that.
(Closes: #994879)
--- End Message ---
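
Added example, not part of the bug report or of the sssd packaging: it models why a daemon running as root gets "Permission denied" on files owned by the sssd user once CapabilityBoundingSet no longer includes CAP_DAC_OVERRIDE, and lists the paths whose ownership or mode would need correcting. The thread does not list the unit's bounding set, so the capability names used here are assumptions, and ACLs and AppArmor are ignored.

```python
import os
import stat
import sys

R, W, X = 4, 2, 1  # permission bits within one owner/group/other triplet

def dac_allows(uid, gids, st, want):
    """Plain owner/group/other check, as applied when no capability overrides it."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        granted = mode >> 6
    elif st.st_gid in gids:
        granted = mode >> 3
    else:
        granted = mode
    return (granted & 7) & want == want

def effective_allows(caps, uid, gids, st, want):
    """DAC check plus the two capabilities that can override it (ACLs, LSMs ignored)."""
    if dac_allows(uid, gids, st, want):
        return True
    is_dir = stat.S_ISDIR(st.st_mode)
    any_x = bool(stat.S_IMODE(st.st_mode) & 0o111)
    if "CAP_DAC_OVERRIDE" in caps and (is_dir or not want & X or any_x):
        return True
    # CAP_DAC_READ_SEARCH covers reading files and reading/searching dirs, never writes.
    if "CAP_DAC_READ_SEARCH" in caps and (want == R or (is_dir and not want & W)):
        return True
    return False

def audit(root, caps, uid=0, gids=(0,)):
    """List directories (rwx) and files (rw) under root that uid cannot use with caps."""
    denied = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(dirpath, R | W | X)]
        entries += [(os.path.join(dirpath, f), R | W) for f in files]
        for path, want in entries:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and not effective_allows(caps, uid, gids, st, want):
                denied.append(path)
    return sorted(denied)

if __name__ == "__main__":
    # Assumed bounding set for illustration; pass the unit's real values as arguments.
    caps = set(sys.argv[1:]) or {"CAP_DAC_READ_SEARCH", "CAP_CHOWN", "CAP_SETUID"}
    for top in ("/var/lib/sss", "/var/log/sssd"):  # paths from the journal output above
        for path in audit(top, caps):
            print("uid 0 denied:", path)
```
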