Bug#927953: systemd: user and group files ignored in tmpfiles.d files

2019-04-25 Thread Florian Schmidt

Hi mika,

great, thanks for the info! Didn't think of checking the mailing list in 
addition to open bugs... Well, I guess such a quickly resolved bug 
report is great for statistics at least.


Cheers,
flosch

On 4/25/19 1:37 PM, Michael Prokop wrote:
> * Florian Schmidt [Thu Apr 25, 2019 at 01:29:45PM +0200]:
>> Package: systemd
>> Version: 215-17+deb8u12
>> Severity: important
>>
>> it seems the recent security update led to systemd ignoring the user and
>> group columns in tmpfiles.d files. This immediately leads to postgresql
>> in the current oldstable version (postgresql-9.4 9.4.21-0+deb8u1,
>> postgresql-common 165+deb8u3) breaking on reboot.
> [...]
>
> JFYI, this is already known and work in progress, see
> https://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/2019-April/038787.html
>
> regards
> -mika-





Bug#927953: systemd: user and group files ignored in tmpfiles.d files

2019-04-25 Thread Michael Prokop
* Florian Schmidt [Thu Apr 25, 2019 at 01:29:45PM +0200]:
> Package: systemd
> Version: 215-17+deb8u12
> Severity: important

> it seems the recent security update led to systemd ignoring the user and
> group columns in tmpfiles.d files. This immediately leads to postgresql
> in the current oldstable version (postgresql-9.4 9.4.21-0+deb8u1,
> postgresql-common 165+deb8u3) breaking on reboot.
[...]

JFYI, this is already known and work in progress, see
https://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/2019-April/038787.html

regards
-mika-




Bug#927953: systemd: user and group files ignored in tmpfiles.d files

2019-04-25 Thread Florian Schmidt
Package: systemd
Version: 215-17+deb8u12
Severity: important

Dear Maintainer,

it seems the recent security update led to systemd ignoring the user and
group columns in tmpfiles.d files. This immediately leads to postgresql
in the current oldstable version (postgresql-9.4 9.4.21-0+deb8u1,
postgresql-common 165+deb8u3) breaking on reboot.

This is /usr/lib/tmpfiles.d/postgresql.conf from
postgresql-common 165+deb8u3:
# Directory for PostgreSQL sockets, lockfiles and stats tempfiles
d /var/run/postgresql 2775 postgres postgres - -

User and group postgres exist on the system. However, after reboot,
/var/run/postgresql has root:root as owner:

# stat /var/run/postgresql
  File: ‘/var/run/postgresql’
  Size: 60          Blocks: 0          IO Block: 4096   directory
Device: eh/14d      Inode: 9690        Links: 3
Access: (0775/drwxrwxr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2019-04-25 13:19:45.279148802 +0200
Modify: 2019-04-25 13:19:48.963148802 +0200
Change: 2019-04-25 13:19:48.963148802 +0200
 Birth: -

This means postgres can't write its lock file in that directory, and
fails to start:

# systemctl status postgresql@9.4-main.service -l
● postgresql@9.4-main.service - PostgreSQL Cluster 9.4-main
   Loaded: loaded (/lib/systemd/system/postgresql@.service; disabled)
   Active: failed (Result: exit-code) since Thu 2019-04-25 13:19:49 CEST; 15s ago
  Process: 352 ExecStart=postgresql@%i %i start (code=exited, status=1/FAILURE)

Apr 25 13:19:49 [server] postgresql@9.4-main[352]: The PostgreSQL server failed to start. Please check the log output:
Apr 25 13:19:49 [server] postgresql@9.4-main[352]: 2019-04-25 11:19:49 UTC [390-1] FATAL:  could not create lock file "/var/run/postgresql/.s.PGSQL.5432.lock": Permission denied
Apr 25 13:19:49 [server] systemd[1]: postgresql@9.4-main.service: control process exited, code=exited status=1
Apr 25 13:19:49 [server] systemd[1]: Failed to start PostgreSQL Cluster 9.4-main.
Apr 25 13:19:49 [server] systemd[1]: Unit postgresql@9.4-main.service entered failed state.



I wonder whether that has something to do with the following item in the
change log:

   * CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
 hardlinked, unless protected_hardlinks sysctl is on.

Though protected_hardlinks is on:

# cat /proc/sys/fs/protected_hardlinks 
1

And a directory can't be hardlinked anyway, so the relationship to that
change log entry might be a red herring.


-- Package-specific info:

-- System Information:
Debian Release: 8.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  acl             2.2.52-2
ii  adduser         3.113+nmu3
ii  initscripts     2.88dsf-59
ii  libacl1         2.2.52-2
ii  libaudit1       1:2.4-1+b1
ii  libblkid1       2.25.2-6
ii  libc6           2.19-18+deb8u10
ii  libcap2         1:2.24-8
ii  libcap2-bin     1:2.24-8
ii  libcryptsetup4  2:1.6.6-5
ii  libgcrypt20     1.6.3-2+deb8u5
ii  libkmod2        18-3
ii  liblzma5        5.1.1alpha+20120614-2+b3
ii  libpam0g        1.1.8-3.1+deb8u2+b1
ii  libselinux1     2.3-2
ii  libsystemd0     215-17+deb8u12
ii  mount           2.25.2-6
ii  sysv-rc         2.88dsf-59
ii  udev            215-17+deb8u12
ii  util-linux      2.25.2-6

Versions of packages systemd recommends:
ii  dbus            1.8.22-0+deb8u1
pn  libpam-systemd  <none>

Versions of packages systemd suggests:
pn  systemd-ui  

-- Configuration Files:
/etc/systemd/timesyncd.conf changed [not included]

-- no debconf information
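
An added check, not part of the original report or of systemd: it parses tmpfiles.d lines and compares the declared mode, user and group columns with a path's observed state, using the line and the stat values quoted in the report as constructed sample data. The function names are illustrative; it assumes plain octal modes, user and group given by name, and unquoted paths.

```python
import grp
import os
import pwd
import stat

# Constructed sample: the tmpfiles.d line and the stat result quoted in the report.
SAMPLE_CONF = """\
# Directory for PostgreSQL sockets, lockfiles and stats tempfiles
d /var/run/postgresql 2775 postgres postgres - -
"""
SAMPLE_OBSERVED = {"mode": 0o775, "user": "root", "group": "root"}


def parse_tmpfiles(text):
    """Yield (type, path, mode, user, group) for each non-comment line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        fields += ["-"] * (5 - len(fields))  # omitted columns mean "default"
        yield tuple(fields[:5])


def observe(path):
    """Return mode (including setuid/setgid/sticky bits), user and group of a live path."""
    st = os.lstat(path)
    return {"mode": stat.S_IMODE(st.st_mode),
            "user": pwd.getpwuid(st.st_uid).pw_name,
            "group": grp.getgrgid(st.st_gid).gr_name}


def mismatches(entry, observed):
    """List (field, declared, observed) for every column the path does not honour."""
    _type, _path, mode, user, group = entry
    found = []
    if mode != "-" and int(mode, 8) != observed["mode"]:
        found.append(("mode", format(int(mode, 8), "04o"), format(observed["mode"], "04o")))
    for field, declared in (("user", user), ("group", group)):
        if declared != "-" and declared != observed[field]:
            found.append((field, declared, observed[field]))
    return found


if __name__ == "__main__":
    for entry in parse_tmpfiles(SAMPLE_CONF):
        # On a live system, pass observe(entry[1]) instead of the sample values.
        for field, declared, seen in mismatches(entry, SAMPLE_OBSERVED):
            print(f"{entry[1]}: {field} declared {declared}, observed {seen}")
```

Run against the sample, the check reports the mode column (2775 declared, 0775 observed) alongside the user and group columns.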