Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines

2018-11-22 Thread Francesco Potortì
>The problem is, this file
>/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from
>systemd-shim a long time ago
...
>I'm not sure, why Francesco still had this file around, as there is a
>.maintscript file in systemd-shim which was supposed to clean that up:
...
>So I can only guess, that Francesco had removed, but not purged the
>package before the 8-4 update.

I usually do a manual "aptitude full-upgrade" every day.

From time to time, I happen to remove packages: in that case I usually
purge them with "aptitude purge", but I see that their dependencies are
not purged, only removed.  Maybe I removed or purged a package that had
systemd-shim as a dependency, or maybe a full-upgrade removed it without
purging it.

Anyway, I just did:

# aptitude purge systemd-shim
The following packages will be REMOVED:
  systemd-shim{p}
0 packages upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?] 
(Reading database ... 903812 files and directories currently installed.)
Purging configuration files for systemd-shim (7-1) ...
No diversion 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim', none removed.
Processing triggers for dbus (1.12.10-1) ...

and now /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf does not
exist any more.

Should you need to know the contents of any files before this operation,
just ask and I will recover them from backups.

Thanks for maintaining this



Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines

2018-11-21 Thread Michael Biebl
Am 21.11.18 um 18:03 schrieb Simon McVittie:

> Real solution:
> 
>> ===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
> ...
>> 
> ...
>> 
>> 
> 
> org.freedesktop.systemd-shim.conf should not have this Deny line. It's
> redundant with the implicit default-deny in system.conf, and is going to
> break the file installed by the real systemd.
> 
> systemd should perhaps mitigate this bug for buster by moving its bus
> configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing
> a filename that is higher precedence than systemd-shim's. (Sorry, I don't
> immediately know whether that means earlier or later in ASCII order.)

The problem is, this file
/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from
systemd-shim a long time ago

systemd-shim (8-4) unstable; urgency=medium

  * Drop the dbus policy entirely from this package, as discussed in bug
#765101; since the security policy should always be in sync with
systemd's, and since the systemd package ships both logind (the consumer
of systemd-shim) and this dbus policy, there's no reason to ship this
separately rather than relying on the systemd copy.

 -- Steve Langasek   Wed, 22 Oct 2014 04:29:44 +

I'm not sure, why Francesco still had this file around, as there is a
.maintscript file in systemd-shim which was supposed to clean that up:

$ cat debian/systemd-shim.maintscript
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd1.conf 6-2 systemd-shim
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf 8-4 systemd-shim

So I can only guess, that Francesco had removed, but not purged the
package before the 8-4 update.

Changing systemd to move the dbus policy file back to /etc/ seems like a
workaround, which we could never get rid of, as there might always be
users who removed but not purged the package before 8-4.

I guess the only sensible thing we can do at this point is to let the
systemd package itself clean up this mess, and remove
/etc/dbus-1/system.d/org.freedesktop.systemd1.conf
either via systemd.maintscript or just a simple rm -f in postinst.

I'm aware this is not 100% policy compliant, but I can't think of a
better solution atm.

WDYT?

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Processed: Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines

2018-11-21 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 systemd-shim
Bug #914285 [dbus] dbus: system bus logs repeated denials for session buses 
calling GetDynamicUsers() on systemd Manager
Bug reassigned from package 'dbus' to 'systemd-shim'.
No longer marked as found in versions dbus/1.12.10-1.
Ignoring request to alter fixed versions of bug #914285 to the same values 
previously set
> severity -1 important
Bug #914285 [systemd-shim] dbus: system bus logs repeated denials for session 
buses calling GetDynamicUsers() on systemd Manager
Severity set to 'important' from 'minor'
> retitle -1 systemd-shim: prevents calling GetDynamicUsers() and other recent 
> APIs on systemd Manager
Bug #914285 [systemd-shim] dbus: system bus logs repeated denials for session 
buses calling GetDynamicUsers() on systemd Manager
Changed Bug title to 'systemd-shim: prevents calling GetDynamicUsers() and 
other recent APIs on systemd Manager' from 'dbus: system bus logs repeated 
denials for session buses calling GetDynamicUsers() on systemd Manager'.

-- 
914285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914285
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines

2018-11-21 Thread Simon McVittie
Control: reassign -1 systemd-shim
Control: severity -1 important
Control: retitle -1 systemd-shim: prevents calling GetDynamicUsers() and other 
recent APIs on systemd Manager

On Wed, 21 Nov 2018 at 17:24:41 +0100, Francesco Potortì wrote:
> >... so perhaps you have a  rule in /usr/share/dbus-1/system.d/*.conf
> >or in /etc/dbus-1/system.d/*.conf, with higher precedence,
> >that is interfering with those messages? If you search for
> >org.freedesktop.systemd1 or GetDynamicUsers in those files, what do
> >you get?
> 
> fgrep -i -l org.freedesktop.systemd1 /etc/dbus-1/system.d/*.conf  
> /usr/share/dbus-1/system.d/*.conf  /usr/share/dbus-1/system.conf
> /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf
> /usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
> /usr/share/dbus-1/system.conf

Aha. Yes, in its current form, org.freedesktop.systemd-shim.conf is going
to break access to every systemd API that is meant to be public and was
added since systemd-shim forked it from systemd, because files in /etc
take precedence over files in /usr.

Workaround: purge the systemd-shim package (removing it is not enough,
because this is a conffile).

Real solution:

> ===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
...
> 
...
> 
> 

org.freedesktop.systemd-shim.conf should not have this Deny line. It's
redundant with the implicit default-deny in system.conf, and is going to
break the file installed by the real systemd.

systemd should perhaps mitigate this bug for buster by moving its bus
configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing
a filename that is higher precedence than systemd-shim's. (Sorry, I don't
immediately know whether that means earlier or later in ASCII order.)

smcv
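
Added example, not part of the original messages and not code from dbus, systemd or systemd-shim: a check for the situation diagnosed in this thread, where a package that was removed but not purged (dpkg state "rc") still owns a policy file under /etc/dbus-1/system.d/. The function name, the format string and the sample data (package names other than dbus and systemd-shim, and the all-zero hashes) are constructed for illustration.

```shell
#!/bin/sh
# Find D-Bus system bus policy conffiles that belong to packages in dpkg
# state "rc" (removed, configuration files remaining).

# dpkg-query format: one "P <status-abbrev> <package>" header per package,
# followed by its Conffiles field (one " /path md5sum [flags]" line each).
DPKG_FORMAT='P ${db:Status-Abbrev} ${Package}\n${Conffiles}\n'

# Reads dpkg-query output in DPKG_FORMAT on stdin and prints
# "<package> <path>" for every conffile under /etc/dbus-1/system.d/
# whose owning package is in state "rc".
stale_dbus_policies() {
    awk '
        $1 == "P" { state = $2; pkg = $3; next }
        state ~ /^rc/ && $1 ~ /^\/etc\/dbus-1\/system\.d\// { print pkg, $1 }
    '
}

# Constructed sample input (hashes are placeholders, not real md5sums).
sample_dpkg_output() {
    cat <<'EOF'
P ii  dbus
 /etc/default/dbus 00000000000000000000000000000000
P ii  example-daemon
 /etc/dbus-1/system.d/org.example.Daemon.conf 00000000000000000000000000000000
P rc  systemd-shim
 /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf 00000000000000000000000000000000
P rc  example-removed
 /etc/example-removed.conf 00000000000000000000000000000000
EOF
}

# Demonstration on the constructed sample. On a live Debian system use:
#   dpkg-query -W -f="$DPKG_FORMAT" | stale_dbus_policies
sample_dpkg_output | stale_dbus_policies
```

Each package reported is a candidate for purging, after reviewing the policy file it left behind.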