systemd/backport-sysusers-handle-NSS-errors-gracefully.patch

From 0f518750a44dc4b2987ecc0cea4b3d848ac46ee9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 4 Jul 2024 10:23:04 +0100
Subject: [PATCH] sysusers: handle NSS errors gracefully

If the io.systemd.DynamicUser or io.systemd.Machine files exist,
but nothing is listening on them, the nss-systemd module returns
ECONNREFUSED and systemd-sysusers fails to creat the user/group.

This is problematic when ran by packaging scripts, as the package
assumes that after this has run, the user/group exist and can
be used. adduser does not fail in the same situation.

Change sysusers to print a loud warning but otherwise continue
when NSS returns an error.

(cherry picked from commit fc9938d6f8e7081df5420bf88bf98f683b1391c0)
(cherry picked from commit abba1e6bc29b7e07354ca23906c6f485ba245a1a)

Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/0f518750a44dc4b2987ecc0cea4b3d848ac46ee9
---
 src/sysusers/sysusers.c                  | 12 ++++++------
 test/units/TEST-74-AUX-UTILS.sysusers.sh | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100755 test/units/TEST-74-AUX-UTILS.sysusers.sh

diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 514f3c7935..794e09ce53 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -1064,7 +1064,7 @@ static int uid_is_ok(
                 if (p)
                         return 0;
                 if (!IN_SET(errno, 0, ENOENT))
-                        return -errno;
+                        log_warning_errno(errno, "Unexpected failure while looking up UID '" UID_FMT "' via NSS, assuming it doesn't exist: %m", uid);
 
                 if (check_with_gid) {
                         errno = 0;
@@ -1073,7 +1073,7 @@ static int uid_is_ok(
                                 if (!streq(g->gr_name, name))
                                         return 0;
                         } else if (!IN_SET(errno, 0, ENOENT))
-                                return -errno;
+                                log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", uid);
                 }
         }
 
@@ -1179,7 +1179,7 @@ static int add_user(Context *c, Item *i) {
                         return 0;
                 }
                 if (!errno_is_not_exists(errno))
-                        return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name);
+                        log_warning_errno(errno, "Unexpected failure while looking up user '%s' via NSS, assuming it doesn't exist: %m", i->name);
         }
 
         /* Try to use the suggested numeric UID */
@@ -1301,7 +1301,7 @@ static int gid_is_ok(
                 if (g)
                         return 0;
                 if (!IN_SET(errno, 0, ENOENT))
-                        return -errno;
+                        log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);
 
                 if (check_with_uid) {
                         errno = 0;
@@ -1309,7 +1309,7 @@ static int gid_is_ok(
                         if (p)
                                 return 0;
                         if (!IN_SET(errno, 0, ENOENT))
-                                return -errno;
+                                log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);
                 }
         }
 
@@ -1344,7 +1344,7 @@ static int get_gid_by_name(
                         return 0;
                 }
                 if (!errno_is_not_exists(errno))
-                        return log_error_errno(errno, "Failed to check if group %s already exists: %m", name);
+                        log_warning_errno(errno, "Unexpected failure while looking up group '%s' via NSS, assuming it doesn't exist: %m", name);
         }
 
         return -ENOENT;
diff --git a/test/units/TEST-74-AUX-UTILS.sysusers.sh b/test/units/TEST-74-AUX-UTILS.sysusers.sh
new file mode 100755
index 0000000000..dcd29938b5
--- /dev/null
+++ b/test/units/TEST-74-AUX-UTILS.sysusers.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+at_exit() {
+    set +e
+    userdel -r foobarbaz
+    umount /run/systemd/userdb/
+}
+
+# Check that we indeed run under root to make the rest of the test work
+[[ "$(id -u)" -eq 0 ]]
+
+trap at_exit EXIT
+
+# Ensure that a non-responsive NSS socket doesn't make sysusers fail
+mount -t tmpfs tmpfs /run/systemd/userdb/
+touch /run/systemd/userdb/io.systemd.DynamicUser
+echo 'u foobarbaz' | SYSTEMD_LOG_LEVEL=debug systemd-sysusers -
+grep -q foobarbaz /etc/passwd
-- 
2.33.0
sync patches from systemd community 2024-12-24 16:16:41 +08:00			`From 0f518750a44dc4b2987ecc0cea4b3d848ac46ee9 Mon Sep 17 00:00:00 2001`
			`From: Luca Boccassi <bluca@debian.org>`
			`Date: Thu, 4 Jul 2024 10:23:04 +0100`
			`Subject: [PATCH] sysusers: handle NSS errors gracefully`

			`If the io.systemd.DynamicUser or io.systemd.Machine files exist,`
			`but nothing is listening on them, the nss-systemd module returns`
			`ECONNREFUSED and systemd-sysusers fails to creat the user/group.`

			`This is problematic when ran by packaging scripts, as the package`
			`assumes that after this has run, the user/group exist and can`
			`be used. adduser does not fail in the same situation.`

			`Change sysusers to print a loud warning but otherwise continue`
			`when NSS returns an error.`

			`(cherry picked from commit fc9938d6f8e7081df5420bf88bf98f683b1391c0)`
			`(cherry picked from commit abba1e6bc29b7e07354ca23906c6f485ba245a1a)`

			`Conflict:NA`
			`Reference:https://github.com/systemd/systemd-stable/commit/0f518750a44dc4b2987ecc0cea4b3d848ac46ee9`
			`---`
			`src/sysusers/sysusers.c \| 12 ++++++------`
			`test/units/TEST-74-AUX-UTILS.sysusers.sh \| 24 ++++++++++++++++++++++++`
			`2 files changed, 30 insertions(+), 6 deletions(-)`
			`create mode 100755 test/units/TEST-74-AUX-UTILS.sysusers.sh`

			`diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c`
			`index 514f3c7935..794e09ce53 100644`
			`--- a/src/sysusers/sysusers.c`
			`+++ b/src/sysusers/sysusers.c`
			`@@ -1064,7 +1064,7 @@ static int uid_is_ok(`
			`if (p)`
			`return 0;`
			`if (!IN_SET(errno, 0, ENOENT))`
			`- return -errno;`
			`+ log_warning_errno(errno, "Unexpected failure while looking up UID '" UID_FMT "' via NSS, assuming it doesn't exist: %m", uid);`

			`if (check_with_gid) {`
			`errno = 0;`
			`@@ -1073,7 +1073,7 @@ static int uid_is_ok(`
			`if (!streq(g->gr_name, name))`
			`return 0;`
			`} else if (!IN_SET(errno, 0, ENOENT))`
			`- return -errno;`
			`+ log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", uid);`
			`}`
			`}`

			`@@ -1179,7 +1179,7 @@ static int add_user(Context c, Item i) {`
			`return 0;`
			`}`
			`if (!errno_is_not_exists(errno))`
			`- return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name);`
			`+ log_warning_errno(errno, "Unexpected failure while looking up user '%s' via NSS, assuming it doesn't exist: %m", i->name);`
			`}`

			`/* Try to use the suggested numeric UID */`
			`@@ -1301,7 +1301,7 @@ static int gid_is_ok(`
			`if (g)`
			`return 0;`
			`if (!IN_SET(errno, 0, ENOENT))`
			`- return -errno;`
			`+ log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);`

			`if (check_with_uid) {`
			`errno = 0;`
			`@@ -1309,7 +1309,7 @@ static int gid_is_ok(`
			`if (p)`
			`return 0;`
			`if (!IN_SET(errno, 0, ENOENT))`
			`- return -errno;`
			`+ log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);`
			`}`
			`}`

			`@@ -1344,7 +1344,7 @@ static int get_gid_by_name(`
			`return 0;`
			`}`
			`if (!errno_is_not_exists(errno))`
			`- return log_error_errno(errno, "Failed to check if group %s already exists: %m", name);`
			`+ log_warning_errno(errno, "Unexpected failure while looking up group '%s' via NSS, assuming it doesn't exist: %m", name);`
			`}`

			`return -ENOENT;`
			`diff --git a/test/units/TEST-74-AUX-UTILS.sysusers.sh b/test/units/TEST-74-AUX-UTILS.sysusers.sh`
			`new file mode 100755`
			`index 0000000000..dcd29938b5`
			`--- /dev/null`
			`+++ b/test/units/TEST-74-AUX-UTILS.sysusers.sh`
			`@@ -0,0 +1,24 @@`
			`+#!/usr/bin/env bash`
			`+# SPDX-License-Identifier: LGPL-2.1-or-later`
			`+set -eux`
			`+set -o pipefail`
			`+`
			`+# shellcheck source=test/units/util.sh`
			`+. "$(dirname "$0")"/util.sh`
			`+`
			`+at_exit() {`
			`+ set +e`
			`+ userdel -r foobarbaz`
			`+ umount /run/systemd/userdb/`
			`+}`
			`+`
			`+# Check that we indeed run under root to make the rest of the test work`
			`+[[ "$(id -u)" -eq 0 ]]`
			`+`
			`+trap at_exit EXIT`
			`+`
			`+# Ensure that a non-responsive NSS socket doesn't make sysusers fail`
			`+mount -t tmpfs tmpfs /run/systemd/userdb/`
			`+touch /run/systemd/userdb/io.systemd.DynamicUser`
			`+echo 'u foobarbaz' \| SYSTEMD_LOG_LEVEL=debug systemd-sysusers -`
			`+grep -q foobarbaz /etc/passwd`
			`--`
			`2.33.0`