[Bug 1934393] Re: systemd-logind network access is blocked, and breaks remote authentication configurations
Dan Streetman
1934393 at bugs.launchpad.net
Thu Oct 14 23:49:49 UTC 2021
Ok let's go with option #1 then, just open up systemd-logind to network
access directly by editing the service file.
@mbiebl, do you want to patch this in Debian too, should I open a merge
request in salsa? Obviously if Debian is patched first, that's ideal.
Assuming you're ok with directly patching systemd-logind to open network
access, instead of putting a drop-in file in the nis package.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network access is blocked, and breaks remote
authentication configurations
Status in systemd:
Fix Released
Status in nis package in Ubuntu:
Confirmed
Status in openldap package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Confirmed
Status in nis package in Debian:
Fix Released
Bug description:
[impact]
starting in focal, systemd-logind runs sandboxed without any network
access, which breaks any configuration that uses remote servers for
user data, e.g. ldap, nis, etc
A more full discussion is available in the upstream bug report as well
as the debian bug report, see other info section below
[test case]
many possible ways to reproduce this; there are reproducers in some of
the bugs reported before that are caused by this, e.g. bug 1915502 or
bug 1916235
[regression potential]
failure to authenticate when using remote user data, incorrect
authentication, security issues due to un-sandboxing of systemd-logind
[scope]
this is needed in f and later
before focal, systemd-logind was not sandboxed so this did not apply
[other info]
this isn't actually a bug in systemd, this is a by-design security feature; see links below (and/or comment 13 in this bug) to upstream comments about how systemd's position is that no NSS module should ever perform network access, and any NSS module that does needs to also adjust the restrictions of systemd services such as systemd-logind, systemd-userdbd, and possibly others that might need to make NSS calls into glibc.
https://github.com/systemd/systemd/issues/7074#issuecomment-338157851
https://github.com/systemd/systemd/issues/15705#issuecomment-624125354
this may also can cause systemd-udevd failures in some cases as well.
https://github.com/systemd/systemd/pull/7343#issuecomment-344800313
For reference, upstream discussion around the systemd-logind sandboxing specifically:
https://github.com/systemd/systemd/issues/7074
upstream updated doc PR explaining the upstream position:
https://github.com/systemd/systemd/pull/7343
Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878625
Note that while this Debian bug is marked as fix released, I don't think it actually fixes the problem, from the final comment it seems like the only change was to add Recommends: nscd, which doesn't really solve things if someone doesn't use nscd.
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1934393/+subscriptions
More information about the foundations-bugs
mailing list