
Bug#994006: libc6: NSS modules changes require a restart of systemd-logind, which is not possible



Hi Michael,

On 2021-09-13 19:13, Michael Biebl wrote:
> Hi Aurelien,
> 
> thanks for the bug report
> 
> On Thu, 9 Sep 2021 18:48:42 +0200 Aurelien Jarno <aurel32@debian.org> wrote:
> 
> > One way to work around the issue would be to force systemd-logind to do a
> > NSS lookup, just like it is already the case when a user logs onto the
> > system.
> 
> Before the upgrade, I assume, i.e. in libc6.preinst? 

Yes, exactly.

> Have you already tested this? If so, what did you use?
> Should we construct something based on systemd-run maybe?

Unfortunately it's not easy. loginctl is doing a lot of checks before
calling systemd-logind, and systemd-logind is doing a lot of tests
before doing a call to NSS functions. Most notably, it needs to be a
real login associated with a seat, so faking a login is not possible.

The only thing I have found is to ask systemd-logind to enable or
disable lingering. To avoid actually changing the configuration, the two
following options work:
- running the operation on an existing user, but without the associated
  permission. For instance running "loginctl enable-linger root" as user
  nobody.
- running the operation on a non-existing user, but as loginctl does a
  check that the user exists, it has to be done directly with the dbus
  API, for instance "gdbus call --system --dest org.freedesktop.login1
  --object-path /org/freedesktop/login1 --method
  org.freedesktop.login1.Manager.SetUserLinger 12345678 true true"

The latter is a bit more complex to do (especially as
libglib2.0-bin is not necessarily installed on the system), but has the
advantage of exercising all configured NSS modules.

In any case we can probably check if the above trick is needed by
running something like "grep -E 'libnss_(compat|db|files)'
/proc/$(systemctl show --property MainPID --value
systemd-logind.service)/maps"

I haven't tested the full pattern by including this in the preinst, but so
far I have been running the above snippet before doing the upgrade, and
it has worked.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net
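
The check proposed in the message above, written as shell functions that can be exercised on a saved maps file. This is an added example, not code from the thread or from the libc6 packaging; the function names, the sample maps lines, and the reading that a grep match means no forced lookup is needed are assumptions.

```shell
# Added example, not from the thread. Function names are hypothetical.

# Print the maps path of the running systemd-logind; fail if it is not running.
logind_maps_file() {
    pid=$(systemctl show --property MainPID --value systemd-logind.service) || return 1
    # MainPID is 0 when the service has no main process.
    [ -n "$pid" ] && [ "$pid" != 0 ] || return 1
    printf '/proc/%s/maps\n' "$pid"
}

# List the distinct libnss_(compat|db|files) modules mapped in a maps-style file.
loaded_nss_modules() {
    # Field 6 is the pathname; reading it instead of the last field keeps
    # entries that carry a trailing " (deleted)" marker.
    awk 'NF >= 6 { print $6 }' "$1" |
        sed -n -E 's#^.*/(libnss_(compat|db|files))[-.].*$#\1#p' |
        sort -u
}

# Succeed when none of those modules is mapped (assumption: a match in the
# message's grep means the NSS lookup has already happened).
needs_nss_lookup() {
    [ -z "$(loaded_nss_modules "$1")" ]
}

# Constructed /proc/<pid>/maps excerpts used as sample input.
sample_cold() {
    cat <<'EOF'
7f1c2a000000-7f1c2a022000 r--p 00000000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1c2a400000-7f1c2a401000 rw-p 00000000 00:00 0
EOF
}
sample_warm() {
    sample_cold
    cat <<'EOF'
7f1c29c00000-7f1c29c03000 r--p 00000000 fd:01 1402 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
7f1c29c03000-7f1c29c0a000 r-xp 00003000 fd:01 1402 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
7f1c29a00000-7f1c29a02000 r--p 00000000 fd:01 1377 /usr/lib/x86_64-linux-gnu/libnss_compat-2.31.so (deleted)
EOF
}

tmp=$(mktemp)
sample_warm > "$tmp"
if needs_nss_lookup "$tmp"; then
    echo "forced lookup needed"
else
    echo "already mapped:" $(loaded_nss_modules "$tmp")
fi
rm -f "$tmp"
```

On a live system the input would be the path printed by `logind_maps_file`, which needs enough privilege to read that process's maps.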
