[Bug 1934393] Re: systemd-logind network access is blocked, and breaks remote authentication configurations

[Michael Rutter]

I think Dan's summary above is very good. For clarification I would add
a couple of points.

The issue is not just remote logins. xdm behaves in the same way, and
the absence of a systemd-logind session may mean that sound is then
unavailable to the user logged in at the console. (Mentioned to help
people searching for local sound issues.)

Comments 12 and 16 of bug #1915502 also mention ProtectHostname=no which
I don't understand.

My understanding of nscd is that, even on cache misses, it will perform
the lookup itself, and, being a separate process outside the systemd-
logind sandbox, it will succeed. I am not convinced that mandating the
use of nscd would be a good idea though, especially as some
distributions are moving away from it, e.g.
https://fedoraproject.org/wiki/Changes/RemoveNSCD  I suspect a lot of
NIS/LDAP users do use some version of nscd, which is why there are not
more people caught by this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934393

Title:
  systemd-logind network access is blocked, and breaks remote
  authentication configurations

Status in systemd:
  Fix Released
Status in nis package in Ubuntu:
  Confirmed
Status in openldap package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Won't Fix
Status in nis package in Debian:
  Fix Released

Bug description:
  [impact]

  starting in focal, systemd-logind runs sandboxed without any network
  access, which breaks any configuration that uses remote servers for
  user data, e.g. ldap, nis, etc

  A more full discussion is available in the upstream bug report as well
  as the debian bug report, see other info section below

  [test case]

  many possible ways to reproduce this; there are reproducers in some of
  the bugs reported before that are caused by this, e.g. bug 1915502 or
  bug 1916235

  [regression potential]

  failure to authenticate when using remote user data, incorrect
  authentication, security issues due to un-sandboxing of systemd-logind

  [scope]

  this is needed in f and later

  before focal, systemd-logind was not sandboxed so this did not apply

  [other info]

  this isn't actually a bug in systemd, this is a by-design security
  feature, and the intended upstream design is for systemd-logind to
  talk to systemd-userdb, so that systemd-logind can remain network-
  sandboxed while systemd-userdb performs any needed network access for
  user/auth data. However, Debian and Ubuntu don't enable/provide
  systemd-userdb, so that design does not work for Debian/Ubuntu.

  this also can cause systemd-udevd failures in some cases as well,
  apparently (based on upstream and debian discussion comments)

  For reference, upstream discussion around the systemd-logind sandboxing specifically:
  https://github.com/systemd/systemd/issues/7074
  upstream updated doc PR explaining the upstream position:
  https://github.com/systemd/systemd/pull/7343

  Debian bug report:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878625

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1934393/+subscriptions