Fwd: Archived bug #1002993 seems to be related to unprivileged containers
Michael Biebl
biebl at debian.org
Wed Sep 4 09:31:57 BST 2024
-------- Forwarded Message --------
Subject: Archived bug #1002993 seems to be related to unprivileged containers
Date: Tue, 3 Sep 2024 21:24:25 +0200
From: Dr. Lars Hanke <lars at lhanke.de>
To: biebl at debian.org
Dear Michael,
well, I know the bug has been archived, but I just saw exactly the same
behavior updating Debian 11 to systemd 247.3-7+deb11u6 on amd64. Updates
on privileged containers produced no issues. It happens with
libudev1:amd64. This is from the apt upgrade log:
Vorbereitung zum Entpacken von .../5-libudev1_247.3-7+deb11u6_amd64.deb ...
Entpacken von libudev1:amd64 (247.3-7+deb11u6) über (247.3-7+deb11u5)...
libudev1:amd64 (247.3-7+deb11u6) wird eingerichtet ...
systemd (247.3-7+deb11u6) wird eingerichtet ...
Setting access ACL
"u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on
/var/log/journal failed: Invalid argument
Setting access ACL
"u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on
/var/log/journal/50c8cff5a8de4c2fa08f91b6525115a5 failed: Invalid argument
Setting access ACL
"u::rw-,g::r-x,g:adm:r--,g:4294967295:r-x,m::r--,o::---" on
/var/log/journal/50c8cff5a8de4c2fa08f91b6525115a5/system.journal failed:
Invalid argument
(Lese Datenbank ... 23418 Dateien und Verzeichnisse sind derzeit
installiert.)
Entering the container I can display the ACL and actually set the
requested ACL, which adds the ACL for group "adm":
root at saraswati:/var/log/journal# getfacl .
# file: .
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:4294967295:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:4294967295:r-x
default:mask::r-x
default:other::r-x
root at saraswati:/var/log/journal# setfacl --set
"u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" .
root at saraswati:/var/log/journal# getfacl .
# file: .
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:4294967295:r-x
default:mask::r-x
default:other::r-x
So, there seems to be something weird in the setup scripts, which does
not work in unprivileged containers.
A side note: At first I tried to use "-m" instead of "--set", which
failed with "double entry in entry 4" (translated from German). I don't
know if this is the expected behavior or a quirk of the container.
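As an added example (not part of the report, and not systemd's own code), the POSIX shell snippet below turns getfacl output into a setfacl --set specification while dropping entries whose qualifier is 4294967295, i.e. (gid_t)-1, the value the report shows for a group the unprivileged container cannot map; it assumes only awk and embeds a constructed copy of the report's getfacl output for /var/log/journal.

```shell
#!/bin/sh
# Added example (not from the report or from systemd). Rebuilds a `setfacl --set`
# spec from `getfacl` output and drops entries naming 4294967295 = (gid_t)-1,
# the id shown above for a group with no mapping in the container's user
# namespace, so an admin can check for and strip such entries before re-applying.
UNMAPPED_ID=4294967295

# Constructed sample, mirroring the report's getfacl output for /var/log/journal.
SAMPLE_GETFACL='# file: .
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:4294967295:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:4294967295:r-x
default:mask::r-x
default:other::r-x'

# acl_spec KIND (KIND = access | default): reads getfacl output on stdin and
# prints a comma-separated spec for that ACL type without unmappable entries.
acl_spec() {
    awk -v kind="$1" -v bad="$UNMAPPED_ID" '
        /^#/ || /^$/ { next }                    # skip comment and blank lines
        {
            isdef = sub(/^default:/, "")         # strip prefix, remember if present
            if ((kind == "default") != isdef) next
            n = split($0, f, ":")                # tag:qualifier:perms
            if (n != 3 || f[2] == bad) next      # drop malformed or unmappable entry
            spec = (spec == "") ? $0 : spec "," $0
        }
        END { print spec }'
}

# unmapped_entries: count entries (access and default) that name UNMAPPED_ID.
unmapped_entries() {
    awk -v bad="$UNMAPPED_ID" 'index($0, ":" bad ":") { n++ } END { print n + 0 }'
}

# Typical use on a real directory (check first, then re-apply and add adm), e.g.:
#   getfacl -c /var/log/journal | unmapped_entries
#   setfacl --set "$(getfacl -c /var/log/journal | acl_spec access)" /var/log/journal
#   setfacl -d --set "$(getfacl -c /var/log/journal | acl_spec default)" /var/log/journal
#   setfacl -m g:adm:r-x,d:g:adm:r-x /var/log/journal
printf '%s\n' "$SAMPLE_GETFACL" | acl_spec access
```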