-------- Forwarded Message --------
Subject: Archived bug #1002993 seems to be related to unprivileged containers
Date: Tue, 3 Sep 2024 21:24:25 +0200
From: Dr. Lars Hanke <[email protected]>
To: [email protected]

Dear Michael,

well, I know the bug has been archived, but I just saw exactly the same behavior updating Debian11 to systemd 247.3-7+deb11u6 on amd64. Updates on privileged containers produced no issues. It happens with libudev1:amd64. This is from the apt upgrade log:

Vorbereitung zum Entpacken von .../5-libudev1_247.3-7+deb11u6_amd64.deb ...
Entpacken von libudev1:amd64 (247.3-7+deb11u6) über (247.3-7+deb11u5)...
libudev1:amd64 (247.3-7+deb11u6) wird eingerichtet ...
systemd (247.3-7+deb11u6) wird eingerichtet ...
Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal failed: Invalid argument
Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal/50c8cff5a8de4c2fa08f91b6525115a5 failed: Invalid argument
Setting access ACL "u::rw-,g::r-x,g:adm:r--,g:4294967295:r-x,m::r--,o::---" on /var/log/journal/50c8cff5a8de4c2fa08f91b6525115a5/system.journal failed: Invalid argument
(Lese Datenbank ... 23418 Dateien und Verzeichnisse sind derzeit installiert.)

Entering the container I can display the ACL and actually set the requested ACL, which adds the ACL for group "adm":

root@saraswati:/var/log/journal# getfacl .
# file: .
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:4294967295:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:4294967295:r-x
default:mask::r-x
default:other::r-x

root@saraswati:/var/log/journal# setfacl --set "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" .
root@saraswati:/var/log/journal# getfacl .
# file: .
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:4294967295:r-x
default:mask::r-x
default:other::r-x

So, there seems to be something weird in the setup scripts, which does not work in unprivileged containers.

A sidenote: At first I tried to use "-m" instead of "--set", which failed with "double entry in entry 4" (translated from German). I don't know if this is the expected behavior or a quirk of the container.
