[Bug 1934393] Re: systemd-logind network access is blocked, and breaks remote authentication configurations
Dan Streetman
1934393 at bugs.launchpad.net
Thu Sep 2 14:59:20 UTC 2021
> > Other than the obvious approach of enabling systemd-userdb for Ubuntu,
>
> I don't see how that would help, given that sytemd-userdb.service has
>
> RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
>
> You basically have the same issue as with systemd-logind.service. Or am I missing something here?
I may be misunderstanding how upstream intends it all to work, but I
believe that since the userdb service does include AF_INET/AF_INET6 in
RestrictAddressFamilies, those are *allowed* families for the userdb
service. The naming of the parameter doesn't seem great to me, at first
read it's hard to understand if the assigned families are *allowed* or
*restricted*...but I'm pretty sure the assigned families are *allowed*
and all other (unlisted) families are *restricted* (blocked), meaning
userdb is allowed to make inet/inet6 connections, unlike logind, which
has only:
RestrictAddressFamilies=AF_UNIX AF_NETLINK
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network access is blocked, and breaks remote
authentication configurations
Status in systemd:
Fix Released
Status in nis package in Ubuntu:
Confirmed
Status in openldap package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Won't Fix
Status in nis package in Debian:
Fix Released
Bug description:
[impact]
starting in focal, systemd-logind runs sandboxed without any network
access, which breaks any configuration that uses remote servers for
user data, e.g. ldap, nis, etc
A more full discussion is available in the upstream bug report as well
as the debian bug report, see other info section below
[test case]
many possible ways to reproduce this; there are reproducers in some of
the bugs reported before that are caused by this, e.g. bug 1915502 or
bug 1916235
[regression potential]
failure to authenticate when using remote user data, incorrect
authentication, security issues due to un-sandboxing of systemd-logind
[scope]
this is needed in f and later
before focal, systemd-logind was not sandboxed so this did not apply
[other info]
this isn't actually a bug in systemd, this is a by-design security
feature, and the intended upstream design is for systemd-logind to
talk to systemd-userdb, so that systemd-logind can remain network-
sandboxed while systemd-userdb performs any needed network access for
user/auth data. However, Debian and Ubuntu don't enable/provide
systemd-userdb, so that design does not work for Debian/Ubuntu.
this also can cause systemd-udevd failures in some cases as well,
apparently (based on upstream and debian discussion comments)
For reference, upstream discussion around the systemd-logind sandboxing specifically:
https://github.com/systemd/systemd/issues/7074
upstream updated doc PR explaining the upstream position:
https://github.com/systemd/systemd/pull/7343
Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878625
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1934393/+subscriptions
More information about the foundations-bugs
mailing list