Bug#912525: systemd: nobody group is created by systemd-sysusers automatically
Martin Pitt
mpitt at debian.org
Fri Nov 16 17:32:09 GMT 2018
Hello Keh-Ming Luoh, hello Michael,
sorry for the delay!
Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> When I upgrade my systemd, I found there is a "nobody" group created
> automatically.
Thanks for tracking this down!
> -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
> +awk -F: '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
This is not quite correct. If you specify the GID explicitly, then it needs to
exist before, i. e. the script would also need to be changed to create groups
like "sys:3" explicitly. I. e. the conditional
# only take groups whose name+gid != the corresponding user in passwd.master
part would need to become unconditional. This would work, but would make both
the group and passwd list more unwieldy.
As all static Debian users and groups *except* nobody:nogroup have the same
name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
generally the right thing to do and more robust. So instead I'd like to
handle the "nogroup" special-case as such.
With the attached patch I seem to get the correct behaviour. The effective diff
of the generated sysusers.d is
-u nobody 65534 - /nonexistent /usr/sbin/nologin
+u nobody 65534:65534 - /nonexistent /usr/sbin/nologin
and nothing else. With current 239-11:
# systemd-sysusers
Creating group nobody with gid 999.
and with this patched /usr/lib/sysusers.d/basic.conf:
# systemd-sysusers
# grep nobody /etc/group
#
i. e. it stops creating the group.
I also added some postinst cleanup with some reasonable defensiveness.
(Double-checking it now)
@Michael, does that seem ok to you?
Thanks,
Martin
-------------- next part --------------
>From b74313718d817e224e807b7979dd6434ba2fc120 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin at piware.de>
Date: Fri, 16 Nov 2018 18:21:29 +0100
Subject: [PATCH] Fix wrong "nobody" group from sysusers.d
Fix our make-sysusers-basic sysusers.d generator to special-case the
nobody group. "nobody" user and "nogroup" group both have the same ID
65534, which is the only special case for Debian's static users/groups.
So specify the gid explicitly, to avoid systemd-sysusers creating a
dynamic system group for "nobody".
Also clean up the group on upgrades.
Thanks to Keh-Ming Luoh for the original patch!
Closes: #912525
---
debian/extra/make-sysusers-basic | 3 ++-
debian/systemd.postinst | 9 +++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic
index 0aaa65cc5c..8ff1b15900 100755
--- a/debian/extra/make-sysusers-basic
+++ b/debian/extra/make-sysusers-basic
@@ -14,4 +14,5 @@ done < /usr/share/base-passwd/group.master
echo
-awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
+# treat "nobody:nogroup" specially: same ID, but different name, so prevent creating a "nobody" group
+awk -F: '{ i = ($3 == $4 && $4 != 65534) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
diff --git a/debian/systemd.postinst b/debian/systemd.postinst
index 21210baab8..70f0b2334d 100644
--- a/debian/systemd.postinst
+++ b/debian/systemd.postinst
@@ -155,4 +155,13 @@ if dpkg --compare-versions "$2" lt-nl "236-1~"; then
rm -f /var/lib/systemd/clock
fi
+if dpkg --compare-versions "$2" lt-nl "239-12~"; then
+ # clean up bogus "nobody" group from #912525; ensure that it's a system group
+ gid=$(grep '^nobody:x:' /etc/group | cut -f3 -d:)
+ if [ -n "$gid" ] && [ "$gid" -gt 0 ] && [ "$gid" -lt 1000 ]; then
+ echo "Cleaning up erroneous nobody group"
+ sed -i '/^nobody:x:/d' /etc/group
+ fi
+fi
+
#DEBHELPER#
--
2.19.1
More information about the Pkg-systemd-maintainers
mailing list