** Changed in: systemd (Ubuntu)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network access is
btw, I no longer work for Canonical, and this bug doesn't personally
affect me, so it's unlikely I will follow up on this; if anyone does
care about this bug, please feel free to take this over
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which
Ok let's go with option #1 then, just open up systemd-logind to network
access directly by editing the service file.
@mbiebl, do you want to patch this in Debian too, should I open a merge
request in salsa? Obviously if Debian is patched first, that's ideal.
Assuming you're ok with directly
I initially preferred your option two, a drop-in file in whichever nis
and ldap binary packages, on principle of trying to keep the mitigations
in place if we can.
But your case for a difficult debugging session is persuasive. Reading
the various bug reports around this, option three seems pretty
One good point in favor of including systemd-userdbd in Debian/Ubuntu
would be that we only need to adjust the restrictions for that service;
all other systemd-provided services would use (or at least, *should*
use...) systemd-userdbd to get user records. I'm not sure if that is
actually worth
** Description changed:
[impact]
starting in focal, systemd-logind runs sandboxed without any network
access, which breaks any configuration that uses remote servers for user
data, e.g. ldap, nis, etc
A more full discussion is available in the upstream bug report as well
as the
> @Dan: have you actually confirmed, that building and running userdbd
solves those issues with NIS and LDAP?
sorry for the delay in getting back to this.
So, you're correct, userdb doesn't actually help this, it only moves the
problem.
While systemd-userdbd.service does (currently, at least)
I have to add, that I don't have such a NIS or LDAP setup to test this
myself.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network
@Dan: have you actually confirmed, that building and running userdbd
solves those issues with NIS and LDAP?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
I think Dan's summary above is very good. For clarification I would add
a couple of points.
The issue is not just remote logins. xdm behaves in the same way, and
the absence of a systemd-logind session may mean that sound is then
unavailable to the user logged in at the console. (Mentioned to
Just to summarize the specific flow of this bug:
1. an application is started for a user session, e.g. sshd handles a user
connecting.
2. the application uses pam for authentication, which by default includes
pam_systemd as an (optional) module.
3. pam invokes pam_systemd as part of session
> > Other than the obvious approach of enabling systemd-userdb for Ubuntu,
>
> I don't see how that would help, given that sytemd-userdb.service has
>
> RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
>
> You basically have the same issue as with systemd-logind.service. Or am I
>
Xubuntu-20.04, 20.10 and 21.04 are not usable with ldap authentication - very
bad!
Not usable for us.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openldap (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
> Other than the obvious approach of enabling systemd-userdb for Ubuntu,
I don't see how that would help, given that sytemd-userdb.service has
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
You basically have the same issue as with systemd-logind.service. Or am I
missing
1) Include drop-in conf files for systemd-logind and systemd-udevd to
remove the networking sandbox
Those drop-in configs should be shipped in the nis package. I don't see
a reason to ship a drop-in for systemd-udevd, fwiw.
--
You received this bug notification because you are a member of
Other than the obvious approach of enabling systemd-userdb for Ubuntu,
which is a much larger discussion/decision, I think there are really
only 2 ways to address this:
1) Include drop-in conf files for systemd-logind and systemd-udevd to remove
the networking sandbox
2) add configuration
** Also affects: openldap (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network
** Changed in: nis (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network access is blocked,
** Changed in: systemd
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network access is blocked, and
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: nis (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
The Debian bug is marked as fixed, however unfortunately it seems to
have 'fixed' the problem simply by adding Recommends: nscd to the
ypbind-mt package, which only actually fixes things if the systemd admin
does install/use nscd. If the admin chooses not to use nscd, this bug
still exists.
--
22 matches
Mail list logo
