
Bug#1058590: getent in polkitd.postinst is broken


Harald Dunkel, Dec 13, 2023, 8:10:04 AM
Package: polkitd
Version: 122-3

Problem with polkitd.postinst:

"getent passwd polkitd" can fail, even though polkitd can be found
in /etc/passwd.


Regards

Harri

Simon McVittie, Dec 13, 2023, 1:40:04 PM
On Wed, 13 Dec 2023 at 13:59:03 +0100, Harald Dunkel wrote:
> Problem with polkitd.postinst:
>
> "getent passwd polkitd" can fail, even though polkitd can be found
> in /etc/passwd.

In what situation does this fail?

If you have a better suggestion, please propose a patch?

Thanks,
smcv

Harald Dunkel, Dec 14, 2023, 6:10:05 AM
Hi Simon,

getent queries all databases, as listed in /etc/nsswitch.conf, AFAIU.
I would suggest to use

getent -s files passwd polkitd

to query /etc/passwd only and to ignore remote databases based on LDAP
or NIS or similar. polkitd is supposed to be a local system user.

I stumbled over this during the upgrade Debian 11 --> 12 in a chroot.
Somehow polkitd couldn't be installed because the polkitd user and group
were missing. Actually I am not sure how this happened, but after
manually adding local user and group entries for polkitd installation
succeeded.

Regards
Harri

Harald Dunkel, Dec 15, 2023, 8:10:05 AM
I was able to reproduce the problem in a chroot, using the postinst
script with "set -x", and even though the previously suggested fix
was applied:

:
Setting up polkitd (122-4~xgo120+1) ...
+ set -e
+ case "$1" in
+ getent -s files passwd polkitd
+ user_changed=yes
+ command -v systemd-sysusers
+ systemd-sysusers polkitd.conf
Failed to check if group polkitd already exists: Connection refused
+ dpkg --compare-versions '' lt 122-3~
++ getent -s files passwd polkitd
++ cut -d: -f6
+ '[' '' = /var/lib/polkit-1 ']'
++ id -g polkitd
id: 'polkitd': no such user
+ '[' '' = 65534 ']'
+ set_perms polkitd root 700 /etc/polkit-1/rules.d
+ USER=polkitd
+ GROUP=root
+ MODE=700
+ FILE=/etc/polkit-1/rules.d
+ dpkg-statoverride --list /etc/polkit-1/rules.d
+ chown polkitd:root /etc/polkit-1/rules.d
chown: invalid user: 'polkitd:root'
dpkg: error processing package polkitd (--configure):
installed polkitd package post-installation script subprocess returned error exit status 1
:

Apparently the code around systemd-sysusers is to blame here. I
would guess it could not access the remote user database (LDAP/
Kerberos).

Note that the policy-rc.d script was set accordingly for a chroot:

# cat /usr/sbin/policy-rc.d
#!/bin/sh
exit 101


Hope this helps

Harri

Simon McVittie, Jan 22, 2024, 6:50:05 AM
On Thu, 14 Dec 2023 at 11:38:16 +0100, Harald Dunkel wrote:
> getent queries all databases, as listed in /etc/nsswitch.conf, AFAIU.
> I would suggest to use
>
> getent -s files passwd polkitd
>
> to query /etc/passwd only and to ignore remote databases based on LDAP
> or NIS or similar. polkitd is supposed to be a local system user.

Wouldn't this break systems where polkitd is a local system user stored
in some backend other than the standard flat files, like libnss-db or
libnss-extrausers?

In any case, as per your later reply, it seems that this wouldn't have
been sufficient:

On Fri, 15 Dec 2023 at 13:59:02 +0100, Harald Dunkel wrote:
> + command -v systemd-sysusers
> + systemd-sysusers polkitd.conf
> Failed to check if group polkitd already exists: Connection refused

How is this particular system set up? Is it using a remote user database?

This seems to be consistent with how
/usr/share/debhelper/autoscripts/postinst-sysusers handles sysusers, so
if there is a bug here, it would affect any package that relies on
sysusers.d, not just polkit.

> chown: invalid user: 'polkitd:root'

This is what is actually causing the script to fail here, and it's
unavoidable: we can't not do this. If we skipped this step, polkitd
would not work correctly.

(In current versions of polkitd it would be root:polkitd, but the
principle is the same.)

chown, id and any other standard system utilities that use glibc
interfaces like getpwnam() are always going to do the equivalent of
`getent passwd polkitd` and never the equivalent of
`getent -s files passwd polkitd`, so the equivalents of those calls need
to work, one way or another, while you are doing your upgrade.

smcv

Harald Dunkel, Jan 22, 2024, 10:10:05 AM
On 2024-01-22 12:41:04, Simon McVittie wrote:
> On Thu, 14 Dec 2023 at 11:38:16 +0100, Harald Dunkel wrote:
>> getent queries all databases, as listed in /etc/nsswitch.conf, AFAIU.
>> I would suggest to use
>>
>> getent -s files passwd polkitd
>>
>> to query /etc/passwd only and to ignore remote databases based on LDAP
>> or NIS or similar. polkitd is supposed to be a local system user.
>
> Wouldn't this break systems where polkitd is a local system user stored
> in some backend other than the standard flat files, like libnss-db or
> libnss-extrausers?
>

I can't help it. The getent was just a suggestion. Maybe it would be wise
to ignore all local and remote databases for creating system accounts,
except for the traditional files in /etc?

>
> How is this particular system set up? Is it using a remote user database?
>

It would be using a remote database (FreeIPA, i.e. LDAP), but this is a
chroot. I am updating a clone of the root partition from Debian 11 to
12 to reduce the downtime. /usr/sbin/policy-rc.d is set accordingly.

There is no polkitd account in the remote database, anyway. I checked.

> This seems to be consistent with how
> /usr/share/debhelper/autoscripts/postinst-sysusers handles sysusers, so
> if there is a bug here, it would affect any package that relies on
> sysusers.d, not just polkit.

I have updated quite a number of hosts already, but only polkitd postinst
in Debian 12 ran into this problem. The fix is to manually add polkitd
to the local database on the command line (copy and paste from the
postinst script:

adduser --group --system --gecos 'polkit' \
    --no-create-home --home /nonexistent polkitd

) and to try again.

Looking at the code

if command -v systemd-sysusers >/dev/null; then
    systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} polkitd.conf
else
    adduser --group --system --gecos 'polkit' \
        --no-create-home --home /nonexistent polkitd
    addgroup --system polkitd
fi

I wonder if the systemd case would be executed in a chroot?


Regards

Harri
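The following is an added example, not code from the polkitd package, debhelper or either participant in this thread. It is a postinst-style helper in POSIX sh that takes the same sysusers-or-adduser branch quoted above and then, following Simon's point that chown and id always go through the full NSS lookup path, checks that the account actually resolves that way before returning, distinguishing "exists only in /etc/passwd" (a remote nsswitch source is failing, as in the chroot trace) from "does not exist at all". The function names `nss_sources`, `nss_check` and `ensure_system_user`, the `SYSUSERS` and `NSSWITCH` variables and the diagnostic wording are assumptions for illustration.

```shell
#!/bin/sh
# Added example: not code from the polkitd package, debhelper or the bug report.
# Creates a local system account the way the quoted postinst does (sysusers
# fragment if the tool is available, adduser otherwise) and then checks that
# the name resolves through the full NSS path, which is what chown/id use.
# Assumed names: nss_sources, nss_check, ensure_system_user, SYSUSERS, NSSWITCH.
set -e

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}   # overridable for testing
SYSUSERS=${SYSUSERS:-systemd-sysusers}     # tool name, overridable for testing

# Print the sources configured for one NSS database, e.g. "files sss".
nss_sources() {
    [ -r "$NSSWITCH" ] || return 0
    awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$NSSWITCH"
}

# Exit status: 0 = resolves via the normal lookup path (every nsswitch source),
# 2 = present in the files database only (a non-files source is failing),
# 1 = not found in either.
nss_check() {
    if getent passwd "$1" >/dev/null 2>&1; then
        return 0
    elif getent -s files passwd "$1" >/dev/null 2>&1; then
        return 2
    fi
    return 1
}

# Create the account if missing and refuse to continue unless it resolves,
# so that a later "chown $1:root ..." cannot fail with "invalid user".
ensure_system_user() {
    name=$1
    fragment=$2            # sysusers.d fragment, e.g. polkitd.conf
    if getent passwd "$name" >/dev/null 2>&1; then
        return 0
    fi
    if command -v "$SYSUSERS" >/dev/null 2>&1; then
        "$SYSUSERS" ${DPKG_ROOT:+--root="$DPKG_ROOT"} "$fragment"
    else
        adduser --group --system --gecos "$name" \
            --no-create-home --home /nonexistent "$name"
    fi
    status=0
    nss_check "$name" || status=$?
    case $status in
        0) return 0 ;;
        2) echo "$name is in /etc/passwd but not resolvable via NSS" \
                "(passwd: $(nss_sources passwd)); check the remote sources" >&2
           return 1 ;;
        *) echo "$name was not created" >&2
           return 1 ;;
    esac
}

# Usage: sh ensure_system_user.sh polkitd polkitd.conf
if [ $# -ge 1 ]; then
    ensure_system_user "$1" "${2:-$1.conf}"
fi
```

Running it as `sh ensure_system_user.sh polkitd polkitd.conf` inside a chroot whose nsswitch.conf still lists an unreachable sss/ldap source reproduces the failure mode from the trace, but with a message naming the configured sources instead of chown's "invalid user". The files-only probe is deliberately used only for diagnosis, never as the success condition, because nothing later in a postinst consults the files database alone.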