[Pkg-utopia-maintainers] Bug#1058590: getent in polkitd.postinst is broken

Harald Dunkel harald.dunkel at aixigo.com
Mon Jan 22 14:54:24 GMT 2024 

On 2024-01-22 12:41:04, Simon McVittie wrote:
> On Thu, 14 Dec 2023 at 11:38:16 +0100, Harald Dunkel wrote:
>> getent queries all databases, as listed in /etc/nsswitch.conf, AFAIU.
>> I would suggest to use
>>
>> 	getent -s files passwd polkitd
>>
>> to query /etc/passwd only and to ignore remote databases based on LDAP
>> or NIS or similar. polkitd is supposed to be a local system user.
> 
> Wouldn't this break systems where polkitd is a local system user stored
> in some backend other than the standard flat files, like libnss-db or
> libnss-extrausers?
> 

I can't help it. The getent was just a suggestion. Maybe it would be wise
to ignore all local and remote databases for creating system accounts,
except for the traditional files in /etc?

> 
> How is this particular system set up? Is it using a remote user database?
> 

It would be using a remote database (FreeIPA, i.e LDAP), but this is a
chroot. I am updating a clone of the root partition from Debian 11 to
12 to reduce the downtime. /usr/sbin/policy-rc.d is set accordingly.

There is no polkitd account in the remote database, anyway. I checked.

> This seems to be consistent with how
> /usr/share/debhelper/autoscripts/postinst-sysusers handles sysusers, so
> if there is a bug here, it would affect any package that relies on
> sysusers.d, not just polkit.

I have updated quite a number of hosts already, but only polkitd postinst
in Debian 12 ran into this problem. The fix is to manually add polkitd
to the local database on the command line (copy and paste from the
postinst script:

             adduser --group --system --gecos 'polkit' \
                 --no-create-home --home /nonexistent polkitd

) and to try again.

Looking at the code

         if command -v systemd-sysusers >/dev/null; then
             systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} polkitd.conf
         else
             adduser --group --system --gecos 'polkit' \
                 --no-create-home --home /nonexistent polkitd
             addgroup --system polkitd
         fi

I wonder if the systemd case would be executed in a chroot?


Regards

Harri

More information about the Pkg-utopia-maintainers mailing list