Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
Hi, Martin:

Thanks for reminding me that my patch isn't good enough.
My intention is indeed to keep uid/gid creation more explicitly. So the script can handle other "exceptions" better (in the future).
I prefer to keep the logic instead of treating 65534 special.

Thanks.
-KM

On Fri, Nov 16, 2018 at 9:32 AM Martin Pitt wrote:

> Hello Keh-Ming Luoh, hello Michael,
>
> sorry for the delay!
>
> Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> > When I upgrade my systemd, I found there is a "nobody" group created
> > automatically.
>
> Thanks for tracking this down!
>
> > -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s
> %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
> > +awk -F: '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n",
> $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
>
> This is not quite correct. If you specify the GID explicitly, then it needs to
> exist before, i. e. the script would also need to be changed to create groups
> like "sys:3" explicitly. I. e. the conditional
>
> # only take groups whose name+gid != the corresponding user in passwd.master
>
> part would need to become unconditional. This would work, but would make both
> the group and passwd list more unwieldy.
>
> As all static Debian users and groups *except* nobody:nogroup have the same
> name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
> generally the right thing to do and more robust. So instead I'd like to
> handle the "nogroup" special-case as such.
>
> With the attached patch I seem to get the correct behaviour. The effective diff
> of the generated sysusers.d is
>
> -u nobody 65534 - /nonexistent /usr/sbin/nologin
> +u nobody 65534:65534 - /nonexistent /usr/sbin/nologin
>
> and nothing else. With current 239-11:
>
> # systemd-sysusers
> Creating group nobody with gid 999.
>
> and with this patched /usr/lib/sysusers.d/basic.conf:
>
> # systemd-sysusers
> # grep nobody /etc/group
> #
>
> i. e. it stops creating the group.
>
> I also added some postinst cleanup with some reasonable defensiveness.
> (Double-checking it now)
>
> @Michael, does that seem ok to you?
>
> Thanks,
>
> Martin
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
Hello Michael,

Michael Biebl [2018-11-17 22:33 +0100]:
> I applied your patch and simplified postinst a bit using delgroup;
> delgroup --system seems to DTRT already.

Indeed, that's much better, thank you!

Martin
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
On 17.11.18 at 14:11, Michael Biebl wrote:
> Any reason you didn't use "getent group" and "delgroup" ?

I applied your patch and simplified postinst a bit using delgroup;
delgroup --system seems to DTRT already.

https://salsa.debian.org/systemd-team/systemd/commit/a2344f4e8d16f98c9151de777ec8cf8d79ae0eff
https://salsa.debian.org/systemd-team/systemd/commit/cc664cb424cf0e865f76b1fda654ad41e33e76be

Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
Hi Martin

On 16.11.18 at 18:32, Martin Pitt wrote:
> I also added some postinst cleanup with some reasonable defensiveness.
> (Double-checking it now)
>
> @Michael, does that seem ok to you?

The patch seems to work fine as is.
That said, lintian is not happy about the direct parsing and mangling of /etc/group.

> W: systemd: maintainer-script-should-not-parse-etc-passwd-or-group
> postinst:160 'grep '^nobody:x:' /etc/group'
> N:
> N:The maintainer script appears to manually parse /etc/passwd or
> N:/etc/group instead of using the getent(1) utility to display entries.
> N:
> N:This bypasses the Name Service Switch (NSS), avoiding querying
> N:centralised or networked user databases such as LDAP, etc.
> N:
> N:Refer to the getent(1) manual page and the nss(5) manual page for
> N:details.
> N:
> N:Severity: normal, Certainty: possible
> N:
> N:Check: scripts, Type: binary
> N:
> N: Finished processing group systemd/239-12

Any reason you didn't use "getent group" and "delgroup" ?

Cheers,
Michael
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
Hello Keh-Ming Luoh, hello Michael,

sorry for the delay!

Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> When I upgrade my systemd, I found there is a "nobody" group created
> automatically.

Thanks for tracking this down!

> -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s
> %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
> +awk -F: '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'
> < /usr/share/base-passwd/passwd.master

This is not quite correct. If you specify the GID explicitly, then it needs to
exist before, i. e. the script would also need to be changed to create groups
like "sys:3" explicitly. I. e. the conditional

# only take groups whose name+gid != the corresponding user in passwd.master

part would need to become unconditional. This would work, but would make both
the group and passwd list more unwieldy.

As all static Debian users and groups *except* nobody:nogroup have the same
name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
generally the right thing to do and more robust. So instead I'd like to
handle the "nogroup" special-case as such.

With the attached patch I seem to get the correct behaviour. The effective diff
of the generated sysusers.d is

-u nobody 65534 - /nonexistent /usr/sbin/nologin
+u nobody 65534:65534 - /nonexistent /usr/sbin/nologin

and nothing else. With current 239-11:

# systemd-sysusers
Creating group nobody with gid 999.

and with this patched /usr/lib/sysusers.d/basic.conf:

# systemd-sysusers
# grep nobody /etc/group
#

i. e. it stops creating the group.

I also added some postinst cleanup with some reasonable defensiveness.
(Double-checking it now)

@Michael, does that seem ok to you?

Thanks,

Martin

>From b74313718d817e224e807b7979dd6434ba2fc120 Mon Sep 17 00:00:00 2001
From: Martin Pitt Date: Fri, 16 Nov 2018 18:21:29 +0100 Subject: [PATCH] Fix wrong "nobody" group from sysusers.d Fix our make-sysusers-basic sysusers.d generator to special-case the nobody group. "nobody" user and "nogroup" group both have the same ID 65534, which is the only special case for Debian's static users/groups. So specify the gid explicitly, to avoid systemd-sysusers creating a dynamic system group for "nobody". Also clean up the group on upgrades. Thanks to Keh-Ming Luoh for the original patch! Closes: #912525 --- debian/extra/make-sysusers-basic | 3 ++- debian/systemd.postinst | 9 + 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic index 0aaa65cc5c..8ff1b15900 100755 --- a/debian/extra/make-sysusers-basic +++ b/debian/extra/make-sysusers-basic @@ -14,4 +14,5 @@ done < /usr/share/base-passwd/group.master echo -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master +# treat "nobody:nogroup" specially: same ID, but different name, so prevent creating a "nobody" group +awk -F: '{ i = ($3 == $4 && $4 != 65534) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master diff --git a/debian/systemd.postinst b/debian/systemd.postinst index 21210baab8..70f0b2334d 100644 --- a/debian/systemd.postinst +++ b/debian/systemd.postinst @@ -155,4 +155,13 @@ if dpkg --compare-versions "$2" lt-nl "236-1~"; then rm -f /var/lib/systemd/clock fi +if dpkg --compare-versions "$2" lt-nl "239-12~"; then +# clean up bogus "nobody" group from #912525; ensure that it's a system group +gid=$(grep '^nobody:x:' /etc/group | cut -f3 -d:) +if [ -n "$gid" ] && [ "$gid" -gt 0 ] && [ "$gid" -lt 1000 ]; then +echo "Cleaning up erroneous nobody group" +sed -i '/^nobody:x:/d' /etc/group +fi +fi + #DEBHELPER# -- 2.19.1
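Review bot: The new condition `$4 != 65534` in the debian/extra/make-sysusers-basic hunk keys the special case on a literal GID rather than on the actual problem, a user whose primary group carries a different name. If passwd.master ever gains another such entry, the generator would again emit a single-ID `u` line for it and nothing would flag it. Consider looking the GID up in group.master and comparing names, or at least failing the build when a single-ID user has no same-named group.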
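Review bot: The cleanup block added to debian/systemd.postinst reads and rewrites /etc/group directly (`grep '^nobody:x:' /etc/group`, `sed -i '/^nobody:x:/d' /etc/group`), which bypasses NSS and the locking done by the account tools, and it only touches /etc/group, so a matching /etc/gshadow entry would be left behind. Looking the group up with `getent group nobody` and removing it with `delgroup --system nobody` avoids both problems and lets delgroup decide whether it is a system group instead of the hard-coded 1..999 range test.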
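Added example (not code from this thread or from the Debian package): the three awk ID expressions discussed above, run over constructed passwd.master/group.master samples, with a check for `u` lines that would make systemd-sysusers create a group on its own. The sample data and the function names gen_users, implicit_groups and explicit_gid_users are assumptions.

```shell
#!/bin/sh
# Constructed samples in base-passwd format (not the real master files).
PASSWD_MASTER='root:*:0:0:root:/root:/bin/bash
sys:*:3:3:sys:/dev:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
GROUP_MASTER='root:*:0:
sys:*:3:
nogroup:*:65534:'

# gen_users VARIANT: emit sysusers.d "u" lines using one of the three ID
# expressions from the thread (hypothetical helper, not the package script).
gen_users() {
    case "$1" in
        original) id_expr='($3 == $4) ? $3 : $3":"$4' ;;
        explicit) id_expr='$3":"$4' ;;
        special)  id_expr='($3 == $4 && $4 != 65534) ? $3 : $3":"$4' ;;
        *) echo "unknown variant: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$PASSWD_MASTER" |
        awk -F: '{ i = '"$id_expr"'; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'
}

# Users with a single-ID "u" line and no same-named group in GROUP_MASTER:
# for these, systemd-sysusers has to create a group of that name itself.
implicit_groups() {
    gen_users "$1" | GM="$GROUP_MASTER" awk '
        BEGIN { n = split(ENVIRON["GM"], g, "\n")
                for (k = 1; k <= n; k++) { split(g[k], f, ":"); known[f[1]] = 1 } }
        $3 !~ /:/ && !($2 in known) { print $2 }'
}

# Users whose line names an explicit uid:gid; that GID must exist beforehand.
explicit_gid_users() {
    gen_users "$1" | awk '$3 ~ /:/ { print $2 }'
}

for v in original explicit special; do
    printf '%-8s implicit=[%s] explicit=[%s]\n' "$v" \
        "$(implicit_groups "$v" | tr '\n' ' ')" \
        "$(explicit_gid_users "$v" | tr '\n' ' ')"
done
```

Only the "original" variant reports an implicit group (nobody); the "explicit" variant avoids it at the cost of every user depending on a pre-existing GID, which is the trade-off argued over in the messages above.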
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
On Thu, 1 Nov 2018 07:47:48 +0100 Michael Biebl wrote:
> On 01.11.18 at 03:22, Keh-Ming Luoh wrote:
> > I think there is a bug in debian/extra/make-sysusers-basic
>
> I can confirm that running systemd-sysusers in a fresh sid chroot yields:
> > # systemd-sysusers
> > Creating group nobody with gid 999.
> > Creating group systemd-coredump with gid 998.
> > Creating user systemd-coredump (systemd Core Dumper) with uid 998 and gid 998.
>
> Martin is most familiar with that particular code, so it would be best
> if he can take a look.
>
> Besides fixing make-sysusers-basic, I think we should also clean-up the
> nobody group on updates.

Martin, would really appreciate your feedback/review for this issue.

Regards,
Michael
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
On 01.11.18 at 03:22, Keh-Ming Luoh wrote:
> I think there is a bug in debian/extra/make-sysusers-basic

I can confirm that running systemd-sysusers in a fresh sid chroot yields:

> # systemd-sysusers
> Creating group nobody with gid 999.
> Creating group systemd-coredump with gid 998.
> Creating user systemd-coredump (systemd Core Dumper) with uid 998 and gid 998.

Martin is most familiar with that particular code, so it would be best
if he can take a look.

Besides fixing make-sysusers-basic, I think we should also clean-up the
nobody group on updates.

Regards,
Michael
Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
Package: systemd
Version: 239-11~bpo9+1
Severity: normal
Tags: patch

Dear Maintainer,

When I upgrade my systemd, I found there is a "nobody" group created automatically.
I was wondering what caused that. After tracing down the behavior, I figured out
the following line in /usr/lib/sysusers.d/basic.conf triggered it.

"u nobody 65534 - /nonexistent /usr/sbin/nologin"

Then I started to trace code from https://salsa.debian.org/systemd-team/systemd.git

I think there is a bug in debian/extra/make-sysusers-basic

Skipping the GID when generating basic.conf may cause the above behavior.

BR,
-KM

-- Package-specific info:

-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii adduser 3.115
ii libacl1 2.2.52-3+b1
ii libapparmor1 2.11.0-3+deb9u2
ii libaudit1 1:2.6.7-2
ii libblkid1 2.29.2-1+deb9u1
ii libc6 2.24-11+deb9u3
ii libcap2 1:2.25-1
ii libcryptsetup4 2:1.7.3-4
ii libgcrypt20 1.7.6-2+deb9u3
ii libgnutls30 3.5.8-5+deb9u3
ii libgpg-error0 1.26-2
ii libidn11 1.33-1
ii libip4tc0 1.6.0+snapshot20161117-6
ii libkmod2 23-2
ii liblz4-1 0.0~r131-2+b1
ii liblzma5 5.2.2-1.2+b1
ii libmount1 2.29.2-1+deb9u1
ii libpam0g 1.1.8-3.6
ii libseccomp2 2.3.1-2.1
ii libselinux1 2.6-3+b3
ii libsystemd0 239-11~bpo9+1
ii mount 2.29.2-1+deb9u1
ii procps 2:3.3.12-3+deb9u1
ii util-linux 2.29.2-1+deb9u1

Versions of packages systemd recommends:
ii dbus 1.10.26-0+deb9u1
ii libpam-systemd 239-11~bpo9+1

Versions of packages systemd suggests:
ii policykit-1 0.105-18
ii systemd-container 239-11~bpo9+1

Versions of packages systemd is related to:
pn dracut
ii initramfs-tools 0.130
ii udev 232-25+deb9u4

-- no debconf information
>From e29915221cfbe90f393d1139ee27036b73ed37a3 Mon Sep 17 00:00:00 2001 From: Keh-Ming Luoh Date: Wed, 31 Oct 2018 19:07:29 -0700 Subject: [PATCH] don't skip gid even it's the same as uid, or nobody group will be created automatically --- debian/extra/make-sysusers-basic | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic index 0aaa65cc5c..c70ebd30d6 100755 --- a/debian/extra/make-sysusers-basic +++ b/debian/extra/make-sysusers-basic @@ -14,4 +14,4 @@ done < /usr/share/base-passwd/group.master echo -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master +awk -F: '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master -- 2.11.0
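Review bot: The replacement awk line (`i = $3":"$4`) emits an explicit uid:gid for every entry of passwd.master, but this hunk leaves the group loop ending at `done < /usr/share/base-passwd/group.master` unchanged. As noted elsewhere in this thread, that loop only emits groups whose name+gid differ from the corresponding user, so entries such as sys:3 would reference a GID that no `g` line creates. Either make the group loop unconditional in the same patch, or limit the explicit GID to users whose group name differs from the user name.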