Discussion:
Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines
Simon McVittie
2018-11-21 17:03:13 UTC
Control: reassign -1 systemd-shim
Control: severity -1 important
Control: retitle -1 systemd-shim: prevents calling GetDynamicUsers() and other recent APIs on systemd Manager
... so perhaps you have a <deny> rule in /usr/share/dbus-1/system.d/*.conf
or in /etc/dbus-1/system.d/*.conf, with higher precedence,
that is interfering with those messages? If you search for
org.freedesktop.systemd1 or GetDynamicUsers in those files, what do
you get?
fgrep -i -l org.freedesktop.systemd1 /etc/dbus-1/system.d/*.conf /usr/share/dbus-1/system.d/*.conf /usr/share/dbus-1/system.conf
/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf
/usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
/usr/share/dbus-1/system.conf
Aha. Yes, in its current form, org.freedesktop.systemd-shim.conf is going
to break access to every systemd API that is meant to be public and was
added since systemd-shim forked it from systemd, because files in /etc
take precedence over files in /usr.

Workaround: purge the systemd-shim package (removing it is not enough,
because this is a conffile).
===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
...
<busconfig>
...
<policy context="default">
<deny send_destination="org.freedesktop.systemd1"/>
org.freedesktop.systemd-shim.conf should not have this Deny line. It's
redundant with the implicit default-deny in system.conf, and is going to
break the file installed by the real systemd.

systemd should perhaps mitigate this bug for buster by moving its bus
configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing
a filename that is higher precedence than systemd-shim's. (Sorry, I don't
immediately know whether that means earlier or later in ASCII order.)

smcv
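
An added example, not part of the thread or of any Debian package: a Python check for the situation described above, where a blanket `<deny send_destination=...>` in a higher-precedence directory overrides `<allow>` rules shipped in a lower-precedence one. It assumes, as the thread states, that files in /etc take precedence over files in /usr; the policy files are constructed samples, and `find_shadowing_denies` and `demo` are hypothetical names.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

DEST = "org.freedesktop.systemd1"

def find_shadowing_denies(dirs_low_to_high, destination=DEST):
    """Return blanket <deny send_destination=...> rules that come after
    <allow> rules for the same destination in a lower-precedence directory."""
    allows_seen, findings = [], []
    for directory in dirs_low_to_high:
        pending = []
        for path in sorted(Path(directory).glob("*.conf")):
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: inspect by hand
            for policy in root.iter("policy"):
                scope = tuple(sorted(policy.attrib.items()))  # e.g. context="default"
                for rule in policy:
                    if rule.get("send_destination") != destination:
                        continue
                    if rule.tag == "allow":
                        pending.append((scope, path.name, rule.get("send_member")))
                    elif rule.tag == "deny" and len(rule.attrib) == 1:
                        hit = [a for a in allows_seen if a[0] == scope]
                        if hit:
                            findings.append((str(path), hit))
        allows_seen.extend(pending)  # only earlier directories count as overridden
    return findings

def demo():
    """Run the check on a constructed tree named after the files in the thread."""
    usr_conf = ('<busconfig><policy context="default">'
                f'<deny send_destination="{DEST}"/>'
                f'<allow send_destination="{DEST}" send_member="GetDynamicUsers"/>'
                '</policy></busconfig>')
    shim_conf = ('<busconfig><policy context="default">'
                 f'<deny send_destination="{DEST}"/></policy></busconfig>')
    with tempfile.TemporaryDirectory() as tmp:
        usr = Path(tmp, "usr/share/dbus-1/system.d")
        etc = Path(tmp, "etc/dbus-1/system.d")
        for d in (usr, etc):
            d.mkdir(parents=True)
        (usr / "org.freedesktop.systemd1.conf").write_text(usr_conf)
        (etc / "org.freedesktop.systemd-shim.conf").write_text(shim_conf)
        found = find_shadowing_denies([usr, etc])
    return [(Path(f).name, [m for _, _, m in hit]) for f, hit in found]

if __name__ == "__main__":
    print(demo())
```

On a real system, pass `/usr/share/dbus-1/system.d` and `/etc/dbus-1/system.d` in that order.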
Debian Bug Tracking System
2018-11-21 17:06:07 UTC
Post by Simon McVittie
reassign -1 systemd-shim
Bug #914285 [dbus] dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
Bug reassigned from package 'dbus' to 'systemd-shim'.
No longer marked as found in versions dbus/1.12.10-1.
Ignoring request to alter fixed versions of bug #914285 to the same values previously set
Post by Simon McVittie
severity -1 important
Bug #914285 [systemd-shim] dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
Severity set to 'important' from 'minor'
Post by Simon McVittie
retitle -1 systemd-shim: prevents calling GetDynamicUsers() and other recent APIs on systemd Manager
Bug #914285 [systemd-shim] dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager
Changed Bug title to 'systemd-shim: prevents calling GetDynamicUsers() and other recent APIs on systemd Manager' from 'dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager'.
--
914285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914285
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Michael Biebl
2018-11-21 20:20:16 UTC
Post by Simon McVittie
===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
...
<busconfig>
...
<policy context="default">
<deny send_destination="org.freedesktop.systemd1"/>
org.freedesktop.systemd-shim.conf should not have this Deny line. It's
redundant with the implicit default-deny in system.conf, and is going to
break the file installed by the real systemd.
systemd should perhaps mitigate this bug for buster by moving its bus
configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing
a filename that is higher precedence than systemd-shim's. (Sorry, I don't
immediately know whether that means earlier or later in ASCII order.)
The problem is, this file
/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from
systemd-shim a long time ago

systemd-shim (8-4) unstable; urgency=medium

* Drop the dbus policy entirely from this package, as discussed in bug
#765101; since the security policy should always be in sync with
systemd's, and since the systemd package ships both logind (the consumer
of systemd-shim) and this dbus policy, there's no reason to ship this
separately rather than relying on the systemd copy.

-- Steve Langasek <***@debian.org> Wed, 22 Oct 2014 04:29:44 +0000

I'm not sure why Francesco still had this file around, as there is a
.maintscript file in systemd-shim which was supposed to clean that up:

$ cat debian/systemd-shim.maintscript
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd1.conf 6-2 systemd-shim
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf 8-4 systemd-shim

So I can only guess that Francesco had removed, but not purged the
package before the 8-4 update.

Changing systemd to move the dbus policy file back to /etc/ seems like a
workaround, which we could never get rid of, as there might always be
users who removed but not purged the package before 8-4.

I guess the only sensible thing we can do at this point is to let the
systemd package itself clean up this mess, and remove
/etc/dbus-1/system.d/org.freedesktop.systemd1.conf
either via systemd.maintscript or just a simple rm -f in postinst.

I'm aware this is not 100% policy compliant, but I can't think of a
better solution atm.

WDYT?

Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Francesco Potortì
2018-11-22 15:31:27 UTC
Post by Michael Biebl
The problem is, this file
/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from
systemd-shim a long time ago
...
Post by Michael Biebl
I'm not sure why Francesco still had this file around, as there is a
...
Post by Michael Biebl
So I can only guess that Francesco had removed, but not purged the
package before the 8-4 update.
I usually do a manual "aptitude full-upgrade" every day.
From time to time, I happen to remove packages: in that case I usually
purge them with "aptitude purge", but I see that their dependencies are
not purged, only removed. Maybe I removed or purged a package that had
systemd-shim as a dependency, or maybe a full-upgrade removed it without
purging it.

Anyway, I just did:

# aptitude purge systemd-shim
The following packages will be REMOVED:
systemd-shim{p}
0 packages upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Do you want to continue? [Y/n/?]
(Reading database ... 903812 files and directories currently installed.)
Purging configuration files for systemd-shim (7-1) ...
No diversion 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim', none removed.
Processing triggers for dbus (1.12.10-1) ...

and now /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf does not
exist any more.

Should you need to know the contents of any files before this operation,
just ask and I will recover them from backups.

Thanks for maintaining this
