Duplicated root and nobody returned by getent on Focal

Bug #1902236 reported by Simon Déziel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
systemd | Fix Released | Unknown | |
systemd (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Medium | Dan Streetman |

Bug Description

[impact]

getent passwd or getent group returns duplicate, false/synthesized, entries for root and nobody

[test case]

root@lp1902236-f:~# getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
root@lp1902236-f:~# getent group | grep root
root:x:0:
root:x:0:

root@lp1902236-f:~# getent passwd | grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
root@lp1902236-f:~# getent group | grep nogroup
nogroup:x:65534:
nogroup:x:65534:

[regression potential]

any regression would likely result in incorrect results to calls to getent or other programs using libnss-systemd

[scope]

this is needed only for f

this was fixed upstream by commit 9494da41c271bb9519d3484b6016526a72cc6be5 which was included first in v246, so this is fixed in g and later already.

b and earlier doesn't show the duplication.

[original description]

* Summary

systemd's NSS integration causes getent passwd/group to return duplicated entries for root/root and nobody/nogroup. The root account also gets a different shell (/bin/sh instead of /bin/bash).

* Steps to reproduce:

1) create a container
$ lxc launch images:ubuntu/focal test-nobody
2) check the root and nobody accounts
$ lxc exec test-nobody -- getent passwd | grep -E '^(root|nobody):'
3) check the root and nogroup groups
$ lxc exec test-nobody -- getent group | grep -E '^(root|nogroup):'

2 and 3 should report a single entry for each account/group but they return dups like this:

root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin

* Description

The problem seems to come from the NSS integration:

$ lxc exec test-nobody -- grep -wF systemd /etc/nsswitch.conf
passwd: files systemd
group: files systemd

as the /etc/passwd and /etc/group file contain no dups:

$ lxc exec test-nobody -- grep ^nobody: /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
$ lxc exec test-nobody -- grep ^nogroup: /etc/group
nogroup:x:65534:

Removing systemd from /etc/nsswitch.conf indeed removes the dup.

An alternative way of seeing what systemd adds on top of the flat files:

$ lxc exec test-nobody -- bash -c 'diff -u /etc/passwd <(getent passwd)'
--- /etc/passwd 2020-10-30 13:07:52.219261001 +0000
+++ /dev/fd/63 2020-10-30 13:29:38.396928732 +0000
@@ -24,3 +24,5 @@
 _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
 ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+root:x:0:0:root:/root:/bin/sh
+nobody:x:65534:65534:nobody:/:/usr/sbin/nologin

$ lxc exec test-nobody -- bash -c 'diff -u /etc/group <(getent group)'
--- /etc/group 2020-10-30 13:07:52.211261089 +0000
+++ /dev/fd/63 2020-10-30 13:29:45.892846747 +0000
@@ -50,3 +50,5 @@
 ubuntu:x:1000:
 ssh:x:111:
 systemd-coredump:x:999:
+root:x:0:
+nogroup:x:65534:

* Additional information

This bug seems to occur on Focal alone as Bionic and Groovy are not affected.

$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04

$ apt-cache policy base-passwd systemd
base-passwd:
  Installed: 3.5.47
  Candidate: 3.5.47
  Version table:
 *** 3.5.47 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
systemd:
  Installed: 245.4-4ubuntu3.2
  Candidate: 245.4-4ubuntu3.2
  Version table:
 *** 245.4-4ubuntu3.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     245.4-4ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

Simon Déziel (sdeziel)
description: updated
Dan Streetman (ddstreet) wrote :

per comment in bug description, marking as affecting only focal

Changed in systemd (Ubuntu):
status: New → Fix Released
Dan Streetman (ddstreet)
description: updated
Dan Streetman (ddstreet)
Changed in systemd (Ubuntu):
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium
assignee: Dan Streetman (ddstreet) → nobody
importance: Medium → Undecided
Changed in systemd (Ubuntu Focal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Dan Streetman (ddstreet)
Changed in systemd:
status: Unknown → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Simon, or anyone else affected,

Accepted systemd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Simon Déziel (sdeziel) wrote :

Verification procedure on Focal:

$ lxc launch focal lp1902236-f
Creating lp1902236-f
Starting lp1902236-f
$ lxc exec lp1902236-f bash
root@lp1902236-f:~# getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
root@lp1902236-f:~# getent passwd | grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin

# Enable proposed
root@lp1902236-f:~# vim /etc/apt/sources.list

root@lp1902236-f:~# apt update && apt-get dist-upgrade
Calculating upgrade... Done
The following packages will be upgraded:
   libnss-systemd (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   libpam-systemd (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   libsystemd0 (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   libudev1 (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   systemd (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   systemd-sysv (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   systemd-timesyncd (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
   udev (245.4-4ubuntu3.4 => 245.4-4ubuntu3.5)
8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5845 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 libnss-systemd amd64 245.4-4ubuntu3.5 [95.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 udev amd64 245.4-4ubuntu3.5 [1366 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 libudev1 amd64 245.4-4ubuntu3.5 [81.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 systemd-sysv amd64 245.4-4ubuntu3.5 [10.3 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 systemd-timesyncd amd64 245.4-4ubuntu3.5 [28.1 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 libpam-systemd amd64 245.4-4ubuntu3.5 [186 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 systemd amd64 245.4-4ubuntu3.5 [3805 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 libsystemd0 amd64 245.4-4ubuntu3.5 [274 kB]
Fetched 5845 kB in 2s (2391 kB/s)
...
Setting up libnss-systemd:amd64 (245.4-4ubuntu3.5) ...
Setting up libpam-systemd:amd64 (245.4-4ubuntu3.5) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Processing triggers for dbus (1.12.16-2ubuntu2.1) ...

root@lp1902236-f:~# getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
root@lp1902236-f:~# getent passwd | grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
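
The before/after check in the verification comment above can be scripted so that it also reports which field of a duplicated record differs. This is an added example, not part of the bug report or of systemd; the helper name nss_dups and the SAMPLE_* variables are hypothetical, and the first sample is the getent output quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report). nss_dups is a hypothetical helper.
# Reads passwd- or group-format records on stdin and prints one line per
# name returned more than once:
#   <name> identical        the same record was returned again
#   <name> conflict:fieldN  a later record differs first in field N
nss_dups() {
    awk -F: '
        /^$/ { next }
        !($1 in first) { first[$1] = $0; order[++n] = $1; next }
        !($1 in state) { state[$1] = "identical" }
        $0 != first[$1] && state[$1] == "identical" {
            m = split(first[$1], a, ":")
            if (NF > m) m = NF
            # Append "" to force string comparison of each field.
            for (i = 1; i <= m; i++)
                if ((a[i] "") != ($i "")) { state[$1] = "conflict:field" i; break }
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in state) print order[i], state[order[i]]
        }'
}

# Sample input: the four lines of getent passwd output quoted in the report.
SAMPLE_REPORTED='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin'

# Sample input: the same records as returned after the upgrade.
SAMPLE_FIXED='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# In passwd format, field 6 is the home directory and field 7 the shell.
printf '%s\n' "$SAMPLE_REPORTED" | nss_dups
printf '%s\n' "$SAMPLE_FIXED" | nss_dups      # prints nothing

# Live use on a host:  getent passwd | nss_dups;  getent group | nss_dups
```
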
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/245.4-4ubuntu3.5)

All autopkgtests for the newly accepted systemd (245.4-4ubuntu3.5) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

prometheus-apache-exporter/0.7.0+ds-1 (arm64)
udisks2/2.8.4-1ubuntu1 (amd64, ppc64el)
munin/2.0.56-1ubuntu1 (arm64)
docker.io/19.03.8-0ubuntu1.20.04.2 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 245.4-4ubuntu3.5

---------------
systemd (245.4-4ubuntu3.5) focal; urgency=medium

  [ Ioanna Alifieraki ]
  * d/p/lp1911187-systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch:
    Do not shutdown immediately when scheduled shutdown fails (LP: #1911187)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3899c9d5c171e84fc503c6ab46aea7cc9def7235

  [ Dimitri John Ledkov ]
  * d/p/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch:
    meson: initialize time-epoch to reproducible builds compatible value
    (LP: #1878969)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=84212797d21ed08031e1d71fe5e118bdd9873c0f

  [ Dan Streetman ]
  * d/p/lp1913189-test-accept-that-char-device-0-0-can-now-be-created-.patch:
    - Fix failing test case under 5.8 kernel (LP: #1913189)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=782a382017ce188dbf9a40adabd265943d7db119
  * d/p/lp1913423-hashmap-make-sure-to-initialize-shared-hash-key-atom.patch:
    Thread-safe init of hashmap shared key (LP: #1913423)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fc8dde7c4b1944d1583866f61c2314174b4dd06a
  * d/p/lp1902236-nss-systemd-don-t-synthesize-root-nobody-when-iterat.patch:
    Don't synthesize root/nobody when iterating (LP: #1902236)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4d20e415ecd5b0fd032b4cf45bd9fd344cc434ac
  * d/p/debian/patches/lp1880258-log-nxdomain-as-debug.patch:
    Change NXDOMAIN 'errors' to log level debug (LP: #1880258)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=80163a2097aa876fe73b6071495ae4ad8749d04e
  * d/p/lp1913763-udev-rules-add-rule-to-create-dev-ptp_hyperv.patch:
    Create symlink for hyperv-provided ptp device (LP: #1913763)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b02053da2ff3fee6221bd8310488af0f52b140f1

 -- Ioanna Alifieraki <email address hidden> Tue, 23 Feb 2021 00:18:57 +0000

Changed in systemd (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
