Bug#846377: [systemd] /lib/systemd/systemd --user starts dbus-daemon without AFS token
Dirk Heinrichs
dirk.heinrichs at altum.de
Wed Nov 30 19:01:51 GMT 2016
Package: systemd
Version: 232-6
Severity: important
--- Please enter the report below this line. ---
I'm running systems with user home directories located in an OpenAFS
network filesystem. This used to work fine for years. However, for
some time now, some desktop environments/applications (KDE, Evolution,
etc.) have trouble writing their config files, while writing to the
same file from within a shell worked fine.
I did some investigation and found out that dbus-daemon is not started
by the pam-authenticated user session anymore, but
via /lib/systemd/systemd --user.
This in itself wouldn't be a problem, but /lib/systemd/systemd --user
has been started by PID 1 and thus doesn't run with an AFS token, which
means that all processes spawned from it don't have one either:
testuser 2013 1 0 18:54 ? 00:00:00 /lib/systemd/systemd --user
testuser 2015 2013 0 18:54 ? 00:00:00 (sd-pam)
testuser 7783 2013 0 19:29 ? 00:00:01 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation
This means that any application that wants to access files through dbus
fails to do so, for example:
(evolution:9447): dconf-WARNING **: failed to commit changes to dconf:
GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code2:
Cannot open dconf database: Failed to open file
'/afs/altum.de/home/testuser/.config/dconf/user': Permission denied
To verify, I added an AFS ACL entry to each sub-directory of testuser's
home, which allowed write access for system:anyuser. Afterwards, the
errors were gone.
Of course, it's not a solution to grant unauthenticated
users write access to every user's home directory.
So, in its current form, this setup makes most desktop environments
simply unusable.
--- System information. ---
Architecture:
Kernel: Linux 4.8.0-1-amd64
Debian Release: stretch/sid
990 testing www.deb-multimedia.org
990 testing ftp.de.debian.org
500 syncthing apt.syncthing.net
500 stable update.devolo.com
500 stable repo.saltstack.com
--- Package information. ---
Depends (Version) | Installed
===========================================-+-=========================
libacl1 (>= 2.2.51-8) | 2.2.52-3
libapparmor1 (>= 2.9.0-3+exp2) | 2.10.95-6
libaudit1 (>= 1:2.2.1) | 1:2.6.7-1
libblkid1 (>= 2.19.1) |
libc6 (>= 2.17) |
libcap2 (>= 1:2.10) |
libcryptsetup4 (>= 2:1.4.3) |
libgcrypt20 (>= 1.7.0) |
libgpg-error0 (>= 1.14) |
libidn11 (>= 1.13) |
libip4tc0 |
libkmod2 (>= 5~) |
liblz4-1 (>= 0.0~r127) |
liblzma5 (>= 5.1.1alpha+20120614) |
libmount1 (>= 2.26.2) |
libpam0g (>= 0.99.7.1) |
libseccomp2 (>= 2.3.1) |
libselinux1 (>= 2.1.9) |
libsystemd0 (= 232-6) |
util-linux (>= 2.27.1) |
mount (>= 2.26) |
adduser |
Package Status (Version) | Installed
==============================-+-===========
udev | 232-6
dracut |
initramfs-tools | 0.125
Recommends (Version) | Installed
=============================-+-===========
libpam-systemd | 232-6
dbus | 1.10.12-1
Suggests (Version) | Installed
================================-+-===========
systemd-ui |
systemd-container | 232-6
policykit-1 | 0.105-17
--- Output from package bug script ---
--
Dirk Heinrichs <dirk.heinrichs at altum.de>
GPG Public Key CB614542 | Jabber: dirk.heinrichs at altum.de
Tox: heini at toxme.se
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
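
The diagnosis in the report, as an added example that is not part of the original message: this Python sketch parses `ps -ef` output and lists every process that is, or descends from, a `systemd --user` instance started by PID 1, which according to the report is the set of processes running without the login session's AFS token. Only the rows for PIDs 2013, 2015 and 7783 come from the report; the other sample rows and all function names are constructed for illustration.

```python
# Constructed sample in `ps -ef` column order: UID PID PPID C STIME TTY TIME CMD.
# Rows for PIDs 2013, 2015 and 7783 are quoted from the report; the rest are made up.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
testuser  2013     1  0 18:54 ?        00:00:00 /lib/systemd/systemd --user
testuser  2015  2013  0 18:54 ?        00:00:00 (sd-pam)
testuser  7783  2013  0 19:29 ?        00:00:01 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation
root      1500     1  0 18:53 ?        00:00:00 /usr/bin/sddm
root      1900  1500  0 18:54 ?        00:00:00 /usr/lib/sddm/sddm-helper
testuser  1950  1900  0 18:54 ?        00:00:02 /usr/bin/startkde
testuser  9447  1950  0 19:40 ?        00:00:05 evolution
testuser  9500  7783  0 19:40 ?        00:00:00 /usr/lib/dconf/dconf-service
"""

def parse_ps(text):
    """Return {pid: (uid, ppid, cmd)} from `ps -ef` rows; the header is skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue
        procs[int(fields[1])] = (fields[0], int(fields[2]), fields[7])
    return procs

def is_user_manager(ppid, cmd):
    """True for a `systemd --user` instance spawned directly by PID 1."""
    argv = cmd.split()
    return ppid == 1 and argv[0].rsplit("/", 1)[-1] == "systemd" and "--user" in argv[1:]

def under_user_manager(procs):
    """PIDs that are, or descend from, a PID-1-spawned `systemd --user`."""
    flagged = []
    for pid in sorted(procs):
        seen, cur = set(), pid
        while cur in procs and cur not in seen:  # `seen` guards against PPID loops
            seen.add(cur)
            _, ppid, cmd = procs[cur]
            if is_user_manager(ppid, cmd):
                flagged.append(pid)
                break
            cur = ppid  # climb one level towards PID 1
    return flagged

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid in under_user_manager(procs):
        print(pid, procs[pid][0], procs[pid][2])
```

In the sample, evolution (PID 9447) hangs off the login session and is not flagged, while the dbus-daemon it talks to and the dconf service below that daemon are.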