Your message dated Sat, 17 Dec 2016 01:33:38 +0000
with message-id <[email protected]>
and subject line Bug#756604: fixed in systemd 232-8
has caused the Debian Bug report #756604,
regarding Misleading documentation about NoNewPrivileges and UID changes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
756604: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756604
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 208-6
Severity: normal

Hi,

the attached unit file has NoNewPrivileges set to "yes", which,
according to systemd.exec(5), "prohibits UID changes of any kind".
However, the tor daemon it starts successfully manages to change its
UID to debian-tor, as configured with "User debian-tor" in
/usr/share/tor/tor-service-defaults-torrc:

# systemctl status tor.service
tor.service - Anonymizing overlay network for TCP
   Loaded: loaded (/etc/systemd/system/tor.service; disabled)
   Active: active (running) since Thu 2014-07-31 11:25:47 CEST; 14min ago
  Process: 30506 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config (code=exited, status=0/SUCCESS)
 Main PID: 30509 (tor)
   CGroup: /system.slice/tor.service
           └─30509 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0

$ ps aux | grep usr/bin/tor
debian-+ 30509  0.1  0.2  66536 33708 ?  Ss   11:25   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0

Did I misunderstand the documentation, or is the doc wrong, or is
there a bug somewhere?

Cheers,
-- 
intrigeri

[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service]
Type = simple
ExecStartPre = /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config
# A torrc that has "RunAsDaemon 1" won't work with the "simple" service type;
# let's explicitly override it.
ExecStart = /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0
ExecReload = /bin/kill -HUP ${MAINPID}
KillSignal = SIGINT
TimeoutSec = 30
Restart = on-failure
LimitNOFILE = 32768

# Hardening
PrivateTmp = yes
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
# does not extend to submounts
# (unit files have no inline comments, so the note sits on its own line)
InaccessibleDirectories = / /home
ReadOnlyDirectories = /etc /usr
ReadWriteDirectories = /var/lib/tor /var/log/tor
NoNewPrivileges = yes
#AppArmorProfile = system_tor

[Install]
WantedBy = multi-user.target
--- End Message ---
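The distinction behind this report, shown in an added C example that is not part of the bug thread, of systemd or of the tor package: NoNewPrivileges=yes sets the kernel's no_new_privs flag (PR_SET_NO_NEW_PRIVS), which only stops a process from *gaining* privileges across execve() (set-user-ID/set-group-ID bits, file capabilities and similar). It does not block the setuid() family, so a service started as root can still drop to an unprivileged account, which is exactly what tor does with "User debian-tor". The function names below are the example's own; the /proc/<pid>/status check is the one an administrator can run against a service's main PID (the tor PID in the "systemctl status" output above) to confirm the flag really is set.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Fallbacks for older headers; these are the real Linux prctl constants. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the no_new_privs flag on this process (what NoNewPrivileges=yes
 * does for a service before it runs ExecStart=) and return the value the
 * kernel reports back: 1 on success, -1 if prctl() failed. The flag is
 * inherited across fork() and execve() and can never be cleared again. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Read the "NoNewPrivs:" line from /proc/<pid>/status. Pass "self" for
 * the calling process or a numeric PID string for a running service.
 * Returns 0 or 1, or -1 if the file or the line could not be read. */
int proc_status_no_new_privs(const char *pid)
{
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);   /* atoi() skips the tab after the colon */
            break;
        }
    }
    fclose(f);
    return value;
}

/* Switch real, effective and saved UIDs to `target`. With no_new_privs
 * already set this still succeeds: the flag does not block the setuid
 * family, only privilege gain through execve(). Returns 0 on success. */
int drop_to_uid(uid_t target)
{
    if (setresuid(target, target, target) != 0)
        return -1;
    return (getuid() == target && geteuid() == target) ? 0 : -1;
}

int main(void)
{
    printf("no_new_privs after prctl:          %d\n", enable_no_new_privs());
    printf("NoNewPrivs in /proc/self/status:   %d\n",
           proc_status_no_new_privs("self"));
    /* Running as root, `target` could be an unprivileged UID (the tor
     * case); for an unprivileged run the current UID is the only legal
     * target, and the call still succeeds with the flag set. */
    printf("drop_to_uid(current uid) -> %d\n", drop_to_uid(getuid()));
    return 0;
}
```

Build with "cc -o nnp nnp.c" and run it once as an ordinary user; the flag reads 1 from both prctl() and /proc, and setresuid() still returns success, which is the behaviour the original documentation wording failed to convey and that the 232-8 changelog entry clarifies.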
--- Begin Message ---
Source: systemd
Source-Version: 232-8

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 17 Dec 2016 01:54:18 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-8
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <[email protected]>
Changed-By: Michael Biebl <[email protected]>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1 - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 udev - /dev/ and hotplug management daemon
 udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 756109 756604 818978 837999
Changes:
 systemd (232-8) unstable; urgency=medium
 .
   [ Martin Pitt ]
   * Drop systemd dependency from libnss-myhostname again. This NSS module is
     completely independent from systemd, unlike the other three.
   * Install 71-seat.rules into the initrd. This helps plymouth to detect
     applicable devices. (Closes: #756109)
   * networkd: Fix crash when setting routes.
   * resolved: Drop removal of resolvconf entry on stop. This leads to
     timeouts on shutdown via the resolvconf hooks and does not actually help
     much -- /etc/resolv.conf would then just be empty instead of having a
     nonexisting 127.0.0.53 nameserver, so manually stopping resolved in a
     running system is broken either way. (LP: #1648068)
   * Keep RestrictAddressFamilies on amd64. This option and libseccomp
     currently work on amd64 at least, so let's make sure it does not break
     there as well, and benefit from the additional protection at least on
     this architecture.
   * Explicitly set D-Bus policy dir. This is about to change upstream in
     https://github.com/systemd/systemd/pull/4892, but as explained in commit
     2edb1e16fb12f4 we need to keep the policies in /etc/ until stretch+1.
 .
   [ Michael Biebl ]
   * doc: Clarify NoNewPrivileges in systemd.exec(5). (Closes: #756604)
   * core: Rework logic to determine when we decide to add automatic deps for
     mounts. This adds a concept of "extrinsic" mounts. If mounts are
     extrinsic we consider them managed by something else and do not add
     automatic ordering against umount.target, local-fs.target,
     remote-fs.target. (Closes: #818978)
   * rules: Add persistent links for nbd devices. (Closes: #837999)
Checksums-Sha1:
 d6cfa7ec7edbb3dce39f9451c5f5f365616ce0e9 4653 systemd_232-8.dsc
 1b26f509c3b7f3b355db00bcadab2177fa270a80 131676 systemd_232-8.debian.tar.xz
Checksums-Sha256:
 3ca60d621830e7df68aff42fcd7e09ad3eeca54ce15cade2f5190ad5d9208581 4653 systemd_232-8.dsc
 5dcb0e19e7a33e15ad5cea4b9806c4705b78ebe87a0478fbdf7d85c20fc29bab 131676 systemd_232-8.debian.tar.xz
Files:
 b01af8a35f918408571da8473dfb5f25 4653 admin optional systemd_232-8.dsc
 3eef4a6e45f03ac77181592576cc08ee 131676 admin optional systemd_232-8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlhUknUACgkQauHfDWCP
ItwbvQ/9Gt18eR75LIRWma626sFC6tW0goC0r+VFrESjgoLx5LdYJpArTlKK6srl
JxoLcvTWIfNroiPs63Rs/DhHcPisoJOSfmZ5y8KL6Nbphmx1A9fqkEb8tTbVosgw
FpfXRUcN2tQaTt8xi5doGZ2lBhLz728NIxxBkZOZMFi0zT+RU426ew9m1fNvOj//
2yg9DHhcQezCcRIaCATLpMihQxmvACNt440xFLn+yNIj5za7xcqP9RXLzOC4lqCr
voGE9AgO+i0v0O5KNnzSDjnNMtGelu3GZGENIP22ZF9+/qqfLu4hWJpifaW/75q/
MDlM5xWqVa5Naie8nxoq+bmP8OXXW0K+tl5b5VgESA/P2umNOTT7bHXDTodwyzj/
YnyaN5UXCmCHVFO2j9X65pQWt9ZNkuKJ9N0+EmzLgiTuD6hZ/lMOAWWvkbtftdZo
VPXYKh2T2HSUGFny2NxwdRWsS4xnNqUgGxT1WBTqZlDHfA0Fo6KwMl+e3Y6kmLny
TK8yoouCiLqxrpDbIX8DhGQEw0IATOf77qreP32ZA74QpOKgBokrbsUrO/pY+7Hs
/azo2EAH0/2lqU6yYTBr6/OPe4OR+S8F6gfTDXhHyZH0KesPthhrE03+VQHbfFwn
o7+RTiVgEeJjGP97Zw8zNdHPPpDT8HQnw04g7wIKcuPHq7h3XY8=
=2DPH
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-systemd-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
