Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines
>The problem is, this file
>/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from
>systemd-shim a long time ago
...
>I'm not sure, why Francesco still had this file around, as there is a
>.maintscript file in systemd-shim which was supposed to clean that up:
...
>So I can only guess, that Francesco had removed, but not purged the
>package before the 8-4 update.

I usually do a manual "aptitude full-upgrade" every day.

From time to time, I happen to remove packages: in that case I usually purge them with "aptitude purge", but I see that their dependencies are not purged, only removed. Maybe I removed or purged a package that had systemd-shim as a dependency, or maybe a full-upgrade removed it without purging it.

Anyway, I just did:

# aptitude purge systemd-shim
The following packages will be REMOVED:
  systemd-shim{p}
0 packages upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?]
(Reading database ... 903812 files and directories currently installed.)
Purging configuration files for systemd-shim (7-1) ...
No diversion 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/d\
bus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim', none removed.
Processing triggers for dbus (1.12.10-1) ...

and now /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf does not exist any more.

Should you need to know the contents of any files before this operation, just ask and I will recover them from backups.

Thanks for maintaining this
Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines
On 21.11.18 at 18:03, Simon McVittie wrote:
> Real solution:
>
>> ===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
> ...
>>
> ...
>>
>>
>
> org.freedesktop.systemd-shim.conf should not have this Deny line. It's
> redundant with the implicit default-deny in system.conf, and is going to
> break the file installed by the real systemd.
>
> systemd should perhaps mitigate this bug for buster by moving its bus
> configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing
> a filename that is higher precedence than systemd-shim's. (Sorry, I don't
> immediately know whether that means earlier or later in ASCII order.)

The problem is, this file /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from systemd-shim a long time ago

systemd-shim (8-4) unstable; urgency=medium

  * Drop the dbus policy entirely from this package, as discussed in
    bug #765101; since the security policy should always be in sync with
    systemd's, and since the systemd package ships both logind (the
    consumer of systemd-shim) and this dbus policy, there's no reason to
    ship this separately rather than relying on the systemd copy.

 -- Steve Langasek Wed, 22 Oct 2014 04:29:44 +

I'm not sure, why Francesco still had this file around, as there is a .maintscript file in systemd-shim which was supposed to clean that up:

$ cat debian/systemd-shim.maintscript
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd1.conf 6-2 systemd-shim
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf 8-4 systemd-shim

So I can only guess, that Francesco had removed, but not purged the package before the 8-4 update.

Changing systemd to move the dbus policy file back to /etc/ seems like a workaround, which we could never get rid of, as there might always be users who removed but not purged the package before 8-4.

I guess the only sensible thing we can do at this point is if we let the systemd package itself clean up this mess, and remove /etc/dbus-1/system.d/org.freedesktop.systemd1.conf either via systemd.maintscript or just a simple rm -f in postinst.

I'm aware this is not 100% policy compliant, but I can't think of a better solution atm.

WDYT?

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Processed: Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines
Processing control commands:

> reassign -1 systemd-shim
Bug #914285 [dbus] dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
Bug reassigned from package 'dbus' to 'systemd-shim'.
No longer marked as found in versions dbus/1.12.10-1.
Ignoring request to alter fixed versions of bug #914285 to the same values previously set
> severity -1 important
Bug #914285 [systemd-shim] dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
Severity set to 'important' from 'minor'
> retitle -1 systemd-shim: prevents calling GetDynamicUsers() and other recent
> APIs on systemd Manager
Bug #914285 [systemd-shim] dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
Changed Bug title to 'systemd-shim: prevents calling GetDynamicUsers() and other recent APIs on systemd Manager' from 'dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager'.

-- 
914285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914285
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines
Control: reassign -1 systemd-shim
Control: severity -1 important
Control: retitle -1 systemd-shim: prevents calling GetDynamicUsers() and other recent APIs on systemd Manager

On Wed, 21 Nov 2018 at 17:24:41 +0100, Francesco Potortì wrote:
> >... so perhaps you have a rule in /usr/share/dbus-1/system.d/*.conf
> >or in /etc/dbus-1/system.d/*.conf, with higher precedence,
> >that is interfering with those messages? If you search for
> >org.freedesktop.systemd1 or GetDynamicUsers in those files, what do
> >you get?
>
> fgrep -i -l org.freedesktop.systemd1 /etc/dbus-1/system.d/*.conf
> /usr/share/dbus-1/system.d/*.conf /usr/share/dbus-1/system.conf
> /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf
> /usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
> /usr/share/dbus-1/system.conf

Aha. Yes, in its current form, org.freedesktop.systemd-shim.conf is going to break access to every systemd API that is meant to be public and was added since systemd-shim forked it from systemd, because files in /etc take precedence over files in /usr.

Workaround: purge the systemd-shim package (removing it is not enough, because this is a conffile).

Real solution:

> ===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
...
> ...
>
>

org.freedesktop.systemd-shim.conf should not have this Deny line. It's redundant with the implicit default-deny in system.conf, and is going to break the file installed by the real systemd.

systemd should perhaps mitigate this bug for buster by moving its bus configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing a filename that is higher precedence than systemd-shim's. (Sorry, I don't immediately know whether that means earlier or later in ASCII order.)

    smcv
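
The precedence problem described in this thread, as an added example that is not part of the original messages or of dbus itself: a simplified model of policy evaluation in which /usr/share is loaded before /etc and the last matching rule wins. Both policy files are constructed samples (the real file contents are not shown in the thread), and `decide`, `rule_matches` and `call` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; the real files' contents are not on this page.
SYSTEMD_CONF = """<busconfig><policy context="default">
  <allow send_destination="org.freedesktop.systemd1"
         send_interface="org.freedesktop.systemd1.Manager"
         send_member="GetDynamicUsers"/>
</policy></busconfig>"""

# Stale fork: blanket deny plus an allow-list that predates GetDynamicUsers.
SHIM_CONF = """<busconfig><policy context="default">
  <deny send_destination="org.freedesktop.systemd1"/>
  <allow send_destination="org.freedesktop.systemd1"
         send_interface="org.freedesktop.systemd1.Manager"
         send_member="GetUnit"/>
</policy></busconfig>"""

USR = "/usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf"
ETC = "/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf"
ATTRS = {"send_destination": "destination",
         "send_interface": "interface",
         "send_member": "member"}

def rule_matches(rule, msg):
    """True if the rule sets send_* attributes and all of them equal the message's fields."""
    present = [a for a in ATTRS if rule.get(a) is not None]
    return bool(present) and all(rule.get(a) == msg[ATTRS[a]] for a in present)

def decide(files, msg):
    """Return (verdict, deciding source); files are in load order, last match wins."""
    verdict, source = "deny", "system.conf (implicit default-deny)"
    for path, xml_text in files:
        for policy in ET.fromstring(xml_text).iter("policy"):
            if policy.get("context") != "default":
                continue  # simplification: user/group/mandatory contexts ignored
            for rule in policy:
                if rule.tag in ("allow", "deny") and rule_matches(rule, msg):
                    verdict, source = rule.tag, path
    return verdict, source

def call(member):
    """Build a method call to the systemd Manager interface."""
    return {"destination": "org.freedesktop.systemd1",
            "interface": "org.freedesktop.systemd1.Manager",
            "member": member}

if __name__ == "__main__":
    for files in ([(USR, SYSTEMD_CONF), (ETC, SHIM_CONF)], [(USR, SYSTEMD_CONF)]):
        print(len(files), "file(s):", decide(files, call("GetDynamicUsers")))
```

With the leftover conffile present, the deciding source for GetDynamicUsers is the file in /etc; once it is purged, the allow rule shipped in /usr/share takes effect.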