Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-19 Thread Keh-Ming Luoh
Hi, Martin:

Thanks for reminding me that my patch isn't good enough.

My intention is indeed to keep uid/gid creation more explicit.
So the script can handle other "exceptions" better (in the future).

I prefer to keep the logic instead of treating 65534 special.

Thanks.
-KM


On Fri, Nov 16, 2018 at 9:32 AM Martin Pitt  wrote:

> Hello Keh-Ming Luoh, hello Michael,
>
> sorry for the delay!
>
> Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> > When I upgrade my systemd, I found there is a "nobody" group created
> > automatically.
>
> Thanks for tracking this down!
>
> > -awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s
> %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
> > +awk -F:  '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n",
> $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
>
> This is not quite correct. If you specify the GID explicitly, then it needs to
> exist before, i. e. the script would also need to be changed to create groups
> like "sys:3" explicitly. I. e. the conditional
>
>    # only take groups whose name+gid != the corresponding user in passwd.master
>
> part would need to become unconditional. This would work, but would make both
> the group and passwd list more unwieldy.
>
> As all static Debian users and groups *except* nobody:nogroup have the same
> name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
> generally the right thing to do and more robust. So instead I'd like to
> handle the "nogroup" special-case as such.
>
> With the attached patch I seem to get the correct behaviour. The effective diff
> of the generated sysusers.d is
>
> -u nobody 65534   - /nonexistent /usr/sbin/nologin
> +u nobody 65534:65534 - /nonexistent /usr/sbin/nologin
>
> and nothing else. With current 239-11:
>
>   # systemd-sysusers
>   Creating group nobody with gid 999.
>
> and with this patched /usr/lib/sysusers.d/basic.conf:
>
>   # systemd-sysusers
>   # grep nobody /etc/group
>   #
>
> i. e. it stops creating the group.
>
> I also added some postinst cleanup with some reasonable defensiveness.
> (Double-checking it now)
>
> @Michael, does that seem ok to you?
>
> Thanks,
>
> Martin
>


Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-18 Thread Martin Pitt
Hello Michael,

Michael Biebl [2018-11-17 22:33 +0100]:
> I applied your patch and simplified postinst a bit using delgroup;
> delgroup --system seems to DTRT already.

Indeed, that's much better, thank you!

Martin




Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-17 Thread Michael Biebl
On 17.11.18 at 14:11, Michael Biebl wrote:
> Any reason you didn't use "getent group" and "delgroup" ?

I applied your patch and simplified postinst a bit using delgroup;
delgroup --system seems to DTRT already.

https://salsa.debian.org/systemd-team/systemd/commit/a2344f4e8d16f98c9151de777ec8cf8d79ae0eff
https://salsa.debian.org/systemd-team/systemd/commit/cc664cb424cf0e865f76b1fda654ad41e33e76be

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-17 Thread Michael Biebl
Hi Martin

On 16.11.18 at 18:32, Martin Pitt wrote:
> I also added some postinst cleanup with some reasonable defensiveness.
> (Double-checking it now)
> 
> @Michael, does that seem ok to you?

The patch seems to work fine as is.
That said, lintian is not happy about the direct parsing and mangling of
/etc/group.

> W: systemd: maintainer-script-should-not-parse-etc-passwd-or-group 
> postinst:160 'grep '^nobody:x:' /etc/group'
> N: 
> N:The maintainer script appears to manually parse /etc/passwd or
> N:/etc/group instead of using the getent(1) utility to display entries.
> N:
> N:This bypasses the Name Service Switch (NSS), avoiding querying
> N:centralised or networked user databases such as LDAP, etc.
> N:
> N:Refer to the getent(1) manual page and the nss(5) manual page for
> N:details.
> N:
> N:Severity: normal, Certainty: possible
> N:
> N:Check: scripts, Type: binary
> N: 
> N: Finished processing group systemd/239-12

Any reason you didn't use "getent group" and "delgroup" ?

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-16 Thread Martin Pitt
Hello Keh-Ming Luoh, hello Michael,

sorry for the delay!

Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> When I upgrade my systemd, I found there is a "nobody" group created
> automatically.

Thanks for tracking this down!

> -awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s 
> %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
> +awk -F:  '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'  
> < /usr/share/base-passwd/passwd.master

This is not quite correct. If you specify the GID explicitly, then it needs to
exist before, i. e. the script would also need to be changed to create groups
like "sys:3" explicitly. I. e. the conditional

   # only take groups whose name+gid != the corresponding user in passwd.master

part would need to become unconditional. This would work, but would make both
the group and passwd list more unwieldy.

As all static Debian users and groups *except* nobody:nogroup have the same
name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
generally the right thing to do and more robust. So instead I'd like to
handle the "nogroup" special-case as such.

With the attached patch I seem to get the correct behaviour. The effective diff
of the generated sysusers.d is

-u nobody 65534   - /nonexistent /usr/sbin/nologin
+u nobody 65534:65534 - /nonexistent /usr/sbin/nologin

and nothing else. With current 239-11:

  # systemd-sysusers
  Creating group nobody with gid 999.

and with this patched /usr/lib/sysusers.d/basic.conf:

  # systemd-sysusers
  # grep nobody /etc/group
  #

i. e. it stops creating the group.

I also added some postinst cleanup with some reasonable defensiveness.
(Double-checking it now)

@Michael, does that seem ok to you?

Thanks,

Martin
From b74313718d817e224e807b7979dd6434ba2fc120 Mon Sep 17 00:00:00 2001
From: Martin Pitt 
Date: Fri, 16 Nov 2018 18:21:29 +0100
Subject: [PATCH] Fix wrong "nobody" group from sysusers.d

Fix our make-sysusers-basic sysusers.d generator to special-case the
nobody group. "nobody" user and "nogroup" group both have the same ID
65534, which is the only special case for Debian's static users/groups.
So specify the gid explicitly, to avoid systemd-sysusers creating a
dynamic system group for "nobody".

Also clean up the group on upgrades.

Thanks to Keh-Ming Luoh for the original patch!

Closes: #912525
---
 debian/extra/make-sysusers-basic | 3 ++-
 debian/systemd.postinst  | 9 +
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic
index 0aaa65cc5c..8ff1b15900 100755
--- a/debian/extra/make-sysusers-basic
+++ b/debian/extra/make-sysusers-basic
@@ -14,4 +14,5 @@ done < /usr/share/base-passwd/group.master
 
 echo
 
-awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", 
$1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
+# treat "nobody:nogroup" specially: same ID, but different name, so prevent 
creating a "nobody" group
+awk -F:  '{ i = ($3 == $4 && $4 != 65534) ? $3 : $3":"$4; printf("u %-10s %-7s 
- %-20s %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
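Review bot: The added test `$4 != 65534` in the awk condition keys the special case off a bare numeric ID, while the comment above it states the real criterion as "same ID, but different name". If another passwd.master entry ever shares its ID with a differently named group, it will silently get the single-ID form again. Consider deriving the exception from group.master, which this script already reads in the loop just above, or at least state in the comment that 65534 is the only such case today.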
diff --git a/debian/systemd.postinst b/debian/systemd.postinst
index 21210baab8..70f0b2334d 100644
--- a/debian/systemd.postinst
+++ b/debian/systemd.postinst
@@ -155,4 +155,13 @@ if dpkg --compare-versions "$2" lt-nl "236-1~"; then
 rm -f /var/lib/systemd/clock
 fi
 
+if dpkg --compare-versions "$2" lt-nl "239-12~"; then
+# clean up bogus "nobody" group from #912525; ensure that it's a system 
group
+gid=$(grep '^nobody:x:' /etc/group | cut -f3 -d:)
+if [ -n "$gid" ] && [ "$gid" -gt 0 ] && [ "$gid" -lt 1000 ]; then
+echo "Cleaning up erroneous nobody group"
+sed -i '/^nobody:x:/d' /etc/group
+fi
+fi
+
 #DEBHELPER#
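Review bot: The cleanup block reads and edits /etc/group directly (`grep '^nobody:x:' /etc/group` and `sed -i '/^nobody:x:/d' /etc/group`), which bypasses NSS, depends on the password field being literally `x`, rewrites the file without the locking the account tools use, and leaves /etc/gshadow untouched. `getent group nobody` for the lookup and `delgroup --system nobody` for the removal would cover the same case. The range guard `-gt 0` / `-lt 1000` can stay, but the hardcoded 1000 bound deserves a comment saying where it comes from.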
-- 
2.19.1
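
The single-ID problem discussed in this message, as an added example that is not part of the thread or of Debian's make-sysusers-basic: instead of special-casing 65534, it compares each user's name with the name of the group that owns its gid. The function names and the sample data are constructed for illustration, and the "g" lines for the groups are assumed to be generated elsewhere in the script.

```shell
#!/bin/sh
# Added example (not the Debian script). Sample data is constructed, in the
# name:password:id:... layout of base-passwd's passwd.master / group.master.

write_sample() {   # $1 = directory to fill
    cat > "$1/group.master" <<'EOF'
root:*:0:
sys:*:3:
nogroup:*:65534:
EOF
    cat > "$1/passwd.master" <<'EOF'
root:*:0:0:root:/root:/bin/bash
sys:*:3:3:sys:/dev:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# List "user uid gid-owner" where uid == gid but the gid belongs to a group
# of another name ("-" if to none): a single-ID "u user uid" line for such a
# user makes systemd-sysusers allocate a new group named after the user.
single_id_mismatches() {   # $1 = passwd file, $2 = group file
    awk -F: '
        NR == FNR { gname[$3] = $1; next }      # first file: gid to name
        $3 == $4 {
            owner = ($4 in gname) ? gname[$4] : "-"
            if (owner != $1) print $1, $3, owner
        }' "$2" "$1"
}

# Generate "u" lines, using the single-ID form only when the group that owns
# the gid has the same name as the user; otherwise write uid:gid.
make_user_lines() {   # $1 = passwd file, $2 = group file
    awk -F: '
        NR == FNR { gname[$3] = $1; next }
        {
            same = ($3 == $4 && ($4 in gname) && gname[$4] == $1)
            id = same ? $3 : ($3 ":" $4)
            printf("u %s %s - %s %s\n", $1, id, $6, $7)
        }' "$2" "$1"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
single_id_mismatches "$demo_dir/passwd.master" "$demo_dir/group.master"
make_user_lines "$demo_dir/passwd.master" "$demo_dir/group.master"
```

On the constructed sample, only nobody is reported as a mismatch and only its line is written in uid:gid form.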



Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-15 Thread Michael Biebl
On Thu, 1 Nov 2018 07:47:48 +0100 Michael Biebl  wrote:
> On 01.11.18 at 03:22, Keh-Ming Luoh wrote:
> 
> > I think there is a bug in debian/extra/make-sysusers-basic 
> 
> 
> I can confirm that running systemd-sysusers in a fresh sid chroot yields:
> > # systemd-sysusers
> > Creating group nobody with gid 999.
> > Creating group systemd-coredump with gid 998.
> > Creating user systemd-coredump (systemd Core Dumper) with uid 998 and gid 998.
> 
> Martin is most familiar with that particular code, so it would be best
> if he can take a look.
> 
> Besides fixing make-sysusers-basic, I think we should also clean up the
> nobody group on updates.

Martin, would really appreciate your feedback/review for this issue.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-11-01 Thread Michael Biebl
On 01.11.18 at 03:22, Keh-Ming Luoh wrote:

> I think there is a bug in debian/extra/make-sysusers-basic 


I can confirm that running systemd-sysusers in a fresh sid chroot yields:
> # systemd-sysusers
> Creating group nobody with gid 999.
> Creating group systemd-coredump with gid 998.
> Creating user systemd-coredump (systemd Core Dumper) with uid 998 and gid 998.

Martin is most familiar with that particular code, so it would be best
if he can take a look.

Besides fixing make-sysusers-basic, I think we should also clean up the
nobody group on updates.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

2018-10-31 Thread Keh-Ming Luoh
Package: systemd
Version: 239-11~bpo9+1
Severity: normal
Tags: patch

Dear Maintainer,

When I upgrade my systemd, I found there is a "nobody" group created
automatically.
I was wondering what caused that.
After tracing down the behavior, I figured out the following line in
/usr/lib/sysusers.d/basic.conf triggered it.

  "u nobody 65534   - /nonexistent /usr/sbin/nologin"

Then I started to trace code from
https://salsa.debian.org/systemd-team/systemd.git

I think there is a bug in debian/extra/make-sysusers-basic 

Skipping the GID when generating basic.conf may cause the above
behavior.

BR,
-KM

-- Package-specific info:

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From e29915221cfbe90f393d1139ee27036b73ed37a3 Mon Sep 17 00:00:00 2001
From: Keh-Ming Luoh 
Date: Wed, 31 Oct 2018 19:07:29 -0700
Subject: [PATCH] don't skip gid even it's the same as uid, or nobody group
 will be created automatically

---
 debian/extra/make-sysusers-basic | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic
index 0aaa65cc5c..c70ebd30d6 100755
--- a/debian/extra/make-sysusers-basic
+++ b/debian/extra/make-sysusers-basic
@@ -14,4 +14,4 @@ done < /usr/share/base-passwd/group.master
 
 echo
 
-awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", 
$1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
+awk -F:  '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'  < 
/usr/share/base-passwd/passwd.master
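Review bot: With `i = $3":"$4` written for every row, each user line now names an explicit GID, and sysusers.d expects a group given that way to exist already. This patch changes nothing in the group loop that ends at `done < /usr/share/base-passwd/group.master`, so please confirm that loop emits a `g` line for every GID used in passwd.master, or extend it in the same patch. The commit message has no body; a sentence naming the resulting basic.conf line for nobody would help.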
-- 
2.11.0