Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

Fri Nov 16 17:32:09 GMT 2018

Hello Keh-Ming Luoh, hello Michael,

sorry for the delay!

Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> When I upgrade my systemd, I found there is a "nobody" group created
> automatically.

Thanks for tracking this down!

> -awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
> +awk -F:  '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master

This is not quite correct. If you specify the GID explicitly, then it needs to
exist before, i. e. the script would also need to be changed to create groups
like "sys:3" explicitly. I. e. the conditional

   # only take groups whose name+gid != the corresponding user in passwd.master

part would need to become unconditional. This would work, but would make both
the group and passwd list more unwieldy.

As all static Debian users and groups *except* nobody:nogroup have the same
name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
generally the right thing to do and more robust. So instead I'd like to
handle the "nogroup" special-case as such.

With the attached patch I seem to get the correct behaviour. The effective diff
of the generated sysusers.d is

-u nobody     65534   - /nonexistent         /usr/sbin/nologin
+u nobody     65534:65534 - /nonexistent         /usr/sbin/nologin

and nothing else. With current 239-11:

  # systemd-sysusers
  Creating group nobody with gid 999.

and with this patched /usr/lib/sysusers.d/basic.conf:

  # systemd-sysusers
  # grep nobody /etc/group
  #

i. e. it stops creating the group.

I also added some postinst cleanup with some reasonable defensiveness.
(Double-checking it now)

@Michael, does that seem ok to you?

Thanks,

Martin
-------------- next part --------------
>From b74313718d817e224e807b7979dd6434ba2fc120 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin at piware.de>
Date: Fri, 16 Nov 2018 18:21:29 +0100
Subject: [PATCH] Fix wrong "nobody" group from sysusers.d

Fix our make-sysusers-basic sysusers.d generator to special-case the
nobody group. "nobody" user and "nogroup" group both have the same ID
65534, which is the only special case for Debian's static users/groups.
So specify the gid explicitly, to avoid systemd-sysusers creating a
dynamic system group for "nobody".

Also clean up the group on upgrades.

Thanks to Keh-Ming Luoh for the original patch!

Closes: #912525
---
 debian/extra/make-sysusers-basic | 3 ++-
 debian/systemd.postinst          | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic
index 0aaa65cc5c..8ff1b15900 100755
--- a/debian/extra/make-sysusers-basic
+++ b/debian/extra/make-sysusers-basic
@@ -14,4 +14,5 @@ done < /usr/share/base-passwd/group.master
 
 echo
 
-awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
+# treat "nobody:nogroup" specially: same ID, but different name, so prevent creating a "nobody" group
+awk -F:  '{ i = ($3 == $4 && $4 != 65534) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
diff --git a/debian/systemd.postinst b/debian/systemd.postinst
index 21210baab8..70f0b2334d 100644
--- a/debian/systemd.postinst
+++ b/debian/systemd.postinst
@@ -155,4 +155,13 @@ if dpkg --compare-versions "$2" lt-nl "236-1~"; then
     rm -f /var/lib/systemd/clock
 fi
 
+if dpkg --compare-versions "$2" lt-nl "239-12~"; then
+    # clean up bogus "nobody" group from #912525; ensure that it's a system group
+    gid=$(grep '^nobody:x:' /etc/group | cut -f3 -d:)
+    if [ -n "$gid" ] && [ "$gid" -gt 0 ] && [ "$gid" -lt 1000 ]; then
+        echo "Cleaning up erroneous nobody group"
+        sed -i '/^nobody:x:/d' /etc/group
+    fi
+fi
+
 #DEBHELPER#
-- 
2.19.1

