Bug#846377: [systemd] /lib/systemd/systemd --user starts dbus-daemon without AFS token

Dirk Heinrichs dirk.heinrichs at altum.de
Wed Nov 30 19:01:51 GMT 2016


Package: systemd
Version: 232-6
Severity: important

--- Please enter the report below this line. ---
I'm running systems with user home directories located in an OpenAFS
network filesystem. This used to work fine for years. However, since
some time now, some desktop environments/applications (KDE, Evolution,
etc.) have trouble writing their config files, while writing to the
same file from within a shell worked fine.

I did some investigation and found out that dbus-daemon is not started
by the pam-authenticated user session anymore, but
via /lib/systemd/systemd --user.

This in itself wouldn't be a problem, but /lib/systemd/systemd --user
has been started by PID 1 and thus doesn't run with an AFS token, which
means that all processes spawned from it don't have one either:

testuser     2013     1  0 18:54 ?        00:00:00 /lib/systemd/systemd --user
testuser     2015  2013  0 18:54 ?        00:00:00 (sd-pam)
testuser     7783  2013  0 19:29 ?        00:00:01 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation

This means that any application that wants to access files through dbus
fails to do so, for example:

(evolution:9447): dconf-WARNING **: failed to commit changes to dconf:
GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code2:
Cannot open dconf database: Failed to open file
'/afs/altum.de/home/testuser/.config/dconf/user': Permission denied

To verify, I added an AFS ACL entry to each sub-directory of testuser's
home, which allowed write access for system:anyuser. Afterwards, the
errors were gone.

Of course, it's not a solution to grant unauthenticated
users write access to every user's home directory.

So, in its current form, this setup makes most desktop environments
simply unusable.

--- System information. ---
Architecture:
Kernel:       Linux 4.8.0-1-amd64

Debian Release: stretch/sid
  990 testing         www.deb-multimedia.org
  990 testing         ftp.de.debian.org
  500 syncthing       apt.syncthing.net
  500 stable          update.devolo.com
  500 stable          repo.saltstack.com

--- Package information. ---
Depends                           (Version) | Installed
===========================================-+-=========================
libacl1                       (>= 2.2.51-8) | 2.2.52-3
libapparmor1              (>= 2.9.0-3+exp2) | 2.10.95-6
libaudit1                      (>= 1:2.2.1) | 1:2.6.7-1
libblkid1                       (>= 2.19.1) |
libc6                             (>= 2.17) |
libcap2                         (>= 1:2.10) |
libcryptsetup4                 (>= 2:1.4.3) |
libgcrypt20                      (>= 1.7.0) |
libgpg-error0                     (>= 1.14) |
libidn11                          (>= 1.13) |
libip4tc0                                   |
libkmod2                            (>= 5~) |
liblz4-1                      (>= 0.0~r127) |
liblzma5           (>= 5.1.1alpha+20120614) |
libmount1                       (>= 2.26.2) |
libpam0g                      (>= 0.99.7.1) |
libseccomp2                      (>= 2.3.1) |
libselinux1                      (>= 2.1.9) |
libsystemd0                       (= 232-6) |
util-linux                      (>= 2.27.1) |
mount                             (>= 2.26) |
adduser                                     |

Package Status       (Version) | Installed
==============================-+-===========
udev                           | 232-6
dracut                         |
initramfs-tools                | 0.125


Recommends          (Version) | Installed
=============================-+-===========
libpam-systemd                | 232-6
dbus                          | 1.10.12-1


Suggests               (Version) | Installed
================================-+-===========
systemd-ui                       |
systemd-container                | 232-6
policykit-1                      | 0.105-17



--- Output from package bug script ---




-- 
Dirk Heinrichs <dirk.heinrichs at altum.de>
GPG Public Key CB614542 | Jabber: dirk.heinrichs at altum.de
Tox: heini at toxme.se
Secure Internet communication: http://www.retroshare.org
Privacy handbook: https://www.privacy-handbuch.de
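
The check described in the report, as an added example that is not part of the original message: it walks a `ps -ef` listing and flags every process whose ancestry leads to a `systemd --user` instance instead of the PAM-authenticated login. The sample listing is constructed (PIDs 2013, 2015 and 7783 follow the report; the init, sshd, bash and evolution rows are hypothetical), and the script only inspects process ancestry, it does not query AFS.

```python
import re

# Constructed `ps -ef` listing: PIDs 2013, 2015 and 7783 follow the report;
# the init, sshd, bash and evolution rows are hypothetical.
SAMPLE_PS = """\
UID          PID  PPID  C STIME TTY          TIME CMD
root           1     0  0 18:50 ?        00:00:02 /sbin/init
root        1800     1  0 18:53 ?        00:00:00 /usr/sbin/sshd -D
testuser    1850  1800  0 18:53 pts/0    00:00:00 -bash
testuser    2013     1  0 18:54 ?        00:00:00 /lib/systemd/systemd --user
testuser    2015  2013  0 18:54 ?        00:00:00 (sd-pam)
testuser    7783  2013  0 19:29 ?        00:00:01 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation
testuser    9447  1850  0 19:40 pts/0    00:00:03 evolution
"""

USER_MANAGER = re.compile(r"(?:^|/)systemd\s+--user\b")

def parse_ps(text):
    """Return {pid: (ppid, uid, cmd)} from `ps -ef` output; header is skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) == 8 and fields[1].isdigit():
            procs[int(fields[1])] = (int(fields[2]), fields[0], fields[7])
    return procs

def user_manager_ancestor(procs, pid):
    """PID of the nearest `systemd --user` ancestor of pid, or None."""
    seen, current = set(), procs[pid][0]
    while current in procs and current not in seen:  # guard against loops
        if USER_MANAGER.search(procs[current][2]):
            return current
        seen.add(current)
        current = procs[current][0]
    return None

def outside_login_session(procs):
    """(pid, manager_pid, executable) for processes below a user manager."""
    flagged = []
    for pid in sorted(procs):
        manager = user_manager_ancestor(procs, pid)
        if manager is not None:
            flagged.append((pid, manager, procs[pid][2].split()[0]))
    return flagged

if __name__ == "__main__":
    for pid, manager, exe in outside_login_session(parse_ps(SAMPLE_PS)):
        print(f"{pid} {exe}: started below systemd --user (PID {manager})")
```

On a live system, pass the output of `ps -ef` to `parse_ps` instead of `SAMPLE_PS`.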