[Touch-packages] [Bug 1871593] Re: User receives prompt on login: "Authentication is required to create a color managed device"
Hi Sam,

The popup is "needed" because special permission is required to "create a color managed device." This is typically relevant to fancy color-corrected computer displays and the like.

The problem is that when you are logging in via a remote connection like VNC or RDP, there is no directly-connected monitor, and thus little point to the request.

If you agree and provide the auth info, the system will probably be able to create that "color managed device," but it is unlikely to be noticeable in any useful way. If you don't agree, I believe nothing is harmed, and you can proceed with your session as usual.

What it boils down to is that the system is asking you for authentication to do something that is entirely unnecessary in the context of your (remote) login session.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to colord in Ubuntu.
https://bugs.launchpad.net/bugs/1871593

Title:
  User receives prompt on login: "Authentication is required to create a color managed device"

Status in colord package in Ubuntu:
  Confirmed

Bug description:
  This concerns colord 1.4.4-2 in Ubuntu focal. (xiccd 0.3.0-1 may also be relevant.)

  I log into the Xfce desktop environment, and immediately see an "Authenticate" window pop up:

    Authentication is required to create a color managed device
    Password for root:
    Action: org.freedesktop.color-manager.create-device
    Vendor: System Color Manager

  I see this in syslog:

    Apr 8 05:38:30 test-ubuntu64 dbus-daemon[573]: [system] Activating via systemd: service name='org.freedesktop.ColorManager' unit='colord.service' requested by ':1.35' (uid=1000 pid=1475 comm="xiccd " label="unconfined")

  This prompt is confusing to ordinary users, and I do not understand why it should even be necessary.
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/colord/+bug/1871593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Important context from https://lists.debian.org/debian-security-announce/2024/msg00057.html :

  Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library.

  Right now no Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2059417

Title:
  Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Status in xz-utils package in Ubuntu:
  Won't Fix

Bug description:
  Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

  Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1 was recently released and uploaded to Debian as a bugfix only release. Notably, this fixes a bug that causes Valgrind to issue a warning on any application dynamically linked with liblzma. This includes a lot of important applications. This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass.

  Additionally, this fixes a small typo for the man pages translations for Brazilian Portuguese, German, French, Korean, Romanian, and Ukrainian, and removes the need for patches applied for version 5.6.0-0.2.

  The other bugfixes in this release have no impact on Ubuntu. They involve building with CMake or when building on a system without Landlock system calls defined (these are defined in Ubuntu).

  Changelog entries since current noble version 5.6.0-0.2:

  xz-utils (5.6.1-1) unstable; urgency=medium

    * Non-maintainer upload.
    * Import 5.6.1 (Closes: #1067708).
    * Takeover maintenance of the package.

   -- Sebastian Andrzej Siewior Wed, 27 Mar 2024 22:53:21 +0100

  Excerpt from the NEWS entry from upstream:

  5.6.1 (2024-03-09)

    * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC) with GCC. The more serious bug caused a program linked with liblzma to crash on start up if the flag -fprofile-generate was used to build liblzma. The second bug caused liblzma to falsely report an invalid write to Valgrind when loading liblzma.

    * xz: Changed the messages for thread reduction due to memory constraints to only appear under the highest verbosity level.

    * Build:

        - Fixed a build issue when the header file was present on the system but the Landlock system calls were not defined in .

        - The CMake build now warns and disables NLS if both gettext tools and pre-created .gmo files are missing. Previously, this caused the CMake build to fail.

    * Minor improvements to man pages.

    * Minor improvements to tests.
[Touch-packages] [Bug 2056302] Re: tar(1) on noble gives EPERM [Operation not permitted] errors when extracting symlinks
Tracked down the cause to the Docker host, which runs on jammy, not knowing about fchmodat2(). The syscall should normally return ENOTSUP when called with AT_SYMLINK_NOFOLLOW on Linux, but the Docker seccomp profile causes it to return EPERM, which confuses tar(1).

Closing.

** Changed in: tar (Ubuntu)
       Status: New => Invalid

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2056302

Title:
  tar(1) on noble gives EPERM [Operation not permitted] errors when extracting symlinks

Status in tar package in Ubuntu:
  Invalid

Bug description:
  This concerns tar 1.35+dfsg-3 in Ubuntu noble.

  This does NOT affect tar 1.34+dfsg-1.2ubuntu1.1 in mantic.

  I'm seeing errors like this:

    $ tar xvJf /extern/source/chromium_122.0.6261.111.orig.tar.xz --wildcards chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca\*
    chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca
    tar: chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca: Cannot change mode to rwxr-xr-x: Operation not permitted

  (I am running this in a noble Docker container environment, and the command is extracting into normal user file space.)

  This is what strace shows:

    23 symlinkat("utils/cca.py", AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca") = 0
    23 utimensat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", [UTIME_OMIT, {tv_sec=1709684076, tv_nsec=0} /* 2024-03-06T00:14:36+ */], AT_SYMLINK_NOFOLLOW) = 0
    23 newfstatat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", {st_mode=S_IFLNK|0777, st_size=12, ...}, AT_SYMLINK_NOFOLLOW) = 0
    23 fchmodat2(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", 0755, AT_SYMLINK_NOFOLLOW) = -1 EPERM (Operation not permitted)

  The fchmodat(2) man page has the following verbiage:

    AT_SYMLINK_NOFOLLOW
      If pathname is a symbolic link, do not dereference it: instead operate on the link itself. This flag is not currently implemented.

  For comparison, this is what happens on mantic:

    24 symlinkat("utils/cca.py", AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca") = 0
    24 utimensat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", [UTIME_OMIT, {tv_sec=1709684076, tv_nsec=0} /* 2024-03-06T00:14:36+ */], AT_SYMLINK_NOFOLLOW) = 0
    24 newfstatat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", {st_mode=S_IFLNK|0777, st_size=12, ...}, AT_SYMLINK_NOFOLLOW) = 0
    24 openat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 3
    24 newfstatat(3, "", {st_mode=S_IFLNK|0777, st_size=12, ...}, AT_EMPTY_PATH) = 0
    24 close(3) = 0
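A probe for the condition diagnosed in the reply above, as an added example that is not part of the original messages or of tar: it issues fchmodat2() with AT_SYMLINK_NOFOLLOW on a symlink the caller owns and classifies the errno, so a container can be checked for the EPERM answer without extracting an archive. The syscall number 452 (the value on x86_64 and arm64) and the verdict strings are assumptions of this example.

```python
import ctypes
import errno
import os
import sys
import tempfile

SYS_FCHMODAT2 = 452          # assumption: syscall number on x86_64 and arm64
AT_FDCWD = -100
AT_SYMLINK_NOFOLLOW = 0x100


def classify(err):
    """Map the errno of fchmodat2(<own symlink>, AT_SYMLINK_NOFOLLOW) to a verdict."""
    if err == 0:
        return "mode-changed"
    if err == errno.ENOSYS:
        # The running kernel has no fchmodat2; callers can fall back to an older code path.
        return "kernel-lacks-fchmodat2"
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        # The answer the reply above describes as normal for a symlink.
        return "kernel-refused-symlink"
    if err == errno.EPERM:
        # The caller owns the link, so ownership is not the cause; this is the answer
        # the report attributes to the Docker seccomp profile on the jammy host.
        return "filtered"
    return "other:" + errno.errorcode.get(err, str(err))


def probe():
    """Create a symlink in a private temp dir, call fchmodat2 on the link itself,
    and return (errno, verdict)."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("fchmodat2 is a Linux system call")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    with tempfile.TemporaryDirectory() as tmp:
        link = os.path.join(tmp, "cca")
        os.symlink("utils/cca.py", link)   # dangling target is fine: the link is never followed
        ctypes.set_errno(0)
        rc = libc.syscall(
            ctypes.c_long(SYS_FCHMODAT2),
            ctypes.c_int(AT_FDCWD),
            ctypes.c_char_p(os.fsencode(link)),
            ctypes.c_uint(0o755),
            ctypes.c_uint(AT_SYMLINK_NOFOLLOW),
        )
        err = 0 if rc == 0 else ctypes.get_errno()
    return err, classify(err)


if __name__ == "__main__":
    err, verdict = probe()
    print(f"fchmodat2 -> errno={err} ({errno.errorcode.get(err, 'OK')}): {verdict}")
```

Run inside the container and again on the host: "filtered" only inside the container points at the container's syscall filter rather than at tar or the filesystem.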
[Touch-packages] [Bug 2056302] [NEW] tar(1) on noble gives EPERM [Operation not permitted] errors when extracting symlinks
Public bug reported:

This concerns tar 1.35+dfsg-3 in Ubuntu noble.

This does NOT affect tar 1.34+dfsg-1.2ubuntu1.1 in mantic.

I'm seeing errors like this:

  $ tar xvJf /extern/source/chromium_122.0.6261.111.orig.tar.xz --wildcards chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca\*
  chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca
  tar: chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca: Cannot change mode to rwxr-xr-x: Operation not permitted

(I am running this in a noble Docker container environment, and the command is extracting into normal user file space.)

This is what strace shows:

  23 symlinkat("utils/cca.py", AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca") = 0
  23 utimensat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", [UTIME_OMIT, {tv_sec=1709684076, tv_nsec=0} /* 2024-03-06T00:14:36+ */], AT_SYMLINK_NOFOLLOW) = 0
  23 newfstatat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", {st_mode=S_IFLNK|0777, st_size=12, ...}, AT_SYMLINK_NOFOLLOW) = 0
  23 fchmodat2(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", 0755, AT_SYMLINK_NOFOLLOW) = -1 EPERM (Operation not permitted)

The fchmodat(2) man page has the following verbiage:

  AT_SYMLINK_NOFOLLOW
    If pathname is a symbolic link, do not dereference it: instead operate on the link itself. This flag is not currently implemented.

For comparison, this is what happens on mantic:

  24 symlinkat("utils/cca.py", AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca") = 0
  24 utimensat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", [UTIME_OMIT, {tv_sec=1709684076, tv_nsec=0} /* 2024-03-06T00:14:36+ */], AT_SYMLINK_NOFOLLOW) = 0
  24 newfstatat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", {st_mode=S_IFLNK|0777, st_size=12, ...}, AT_SYMLINK_NOFOLLOW) = 0
  24 openat(AT_FDCWD, "chromium-122.0.6261.111/ash/webui/camera_app_ui/resources/cca", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 3
  24 newfstatat(3, "", {st_mode=S_IFLNK|0777, st_size=12, ...}, AT_EMPTY_PATH) = 0
  24 close(3) = 0

** Affects: tar (Ubuntu)
   Importance: Undecided
       Status: New

** Tags: noble

** Summary changed:
- tar(1) gives EPERM errors when extracting symlinks
+ tar(1) on noble gives EPERM [Operation not permitted] errors when extracting symlinks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2056302

Title:
  tar(1) on noble gives EPERM [Operation not permitted] errors when extracting symlinks

Status in tar package in Ubuntu:
  New
[Touch-packages] [Bug 2049960] [NEW] polkitd.postinst script refers to non-existent /usr/libexec/polkitd
Public bug reported:

I am seeing this on Ubuntu noble with polkitd 123-3.

After debootstrap'ing a minimal system, I run

  # apt-get install linux-generic

which pulls in polkitd as a dependency. In the output, I see the following:

  Setting up polkitd (123-3) ...
  Creating group 'polkitd' with GID 994.
  Creating user 'polkitd' (polkit) with UID 994 and GID 994.
  Running in chroot, ignoring request.
   * Reloading system message bus config...
  Failed to open connection to "system" message bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
  invoke-rc.d: initscript dbus, action "reload" failed.
  start-stop-daemon: unable to stat /usr/libexec/polkitd (No such file or directory)

There is indeed no file there:

  # ls -l /usr/libexec/polkitd
  ls: cannot access '/usr/libexec/polkitd': No such file or directory

The binary appears to be installed at /usr/lib/polkit-1/polkitd .

** Affects: policykit-1 (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/2049960

Title:
  polkitd.postinst script refers to non-existent /usr/libexec/polkitd

Status in policykit-1 package in Ubuntu:
  New
[Touch-packages] [Bug 1660316] Re: apparmor denial of CUPS
Reopening this issue as I am still observing the net_admin denial in jammy.

** Changed in: cups (Ubuntu)
       Status: Expired => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1660316

Title:
  apparmor denial of CUPS

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  Printing is enabled when doing sudo aa-complain cupsd

  Here is an extract of /var/log/syslog:

    Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929457] audit: type=1400 audit(1485776519.269:37): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6932 comm="apparmor_parser"
    Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929744] audit: type=1400 audit(1485776519.269:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=6932 comm="apparmor_parser"
    Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.945422] audit: type=1400 audit(1485776519.285:39): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=6932 comm="apparmor_parser"
    Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.817070] audit: type=1400 audit(1485776530.158:40): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6941 comm="apparmor_parser"
    Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.817342] audit: type=1400 audit(1485776530.158:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=6941 comm="apparmor_parser"
    Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.837254] audit: type=1400 audit(1485776530.178:42): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=6941 comm="apparmor_parser"
    Jan 30 12:42:16 dag-TS-P500 zeitgeist-datah[3706]: downloads-directory-provider.vala:120: Couldn't process /home/dag/.glvndcEQzqA: Error when getting information for file '/home/dag/.glvndcEQzqA': No such file or directory
    Jan 30 12:42:23 dag-TS-P500 dbus[996]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
    Jan 30 12:42:23 dag-TS-P500 systemd[1]: Starting Hostname Service...
    Jan 30 12:42:24 dag-TS-P500 dbus[996]: [system] Successfully activated service 'org.freedesktop.hostname1'
    Jan 30 12:42:24 dag-TS-P500 systemd[1]: Started Hostname Service.
    Jan 30 12:42:26 dag-TS-P500 kernel: [ 895.746636] audit: type=1400 audit(1485776546.086:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" capability=12 capname="net_admin"
    Jan 30 12:42:54 dag-TS-P500 systemd[1]: Starting Cleanup of Temporary Directories...
    Jan 30 12:42:54 dag-TS-P500 systemd-tmpfiles[6973]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
    Jan 30 12:42:54 dag-TS-P500 systemd[1]: Started Cleanup of Temporary Directories.
    Jan 30 12:44:03 dag-TS-P500 dbus-daemon[2707]: Activating service name='com.ubuntu.OneConf'
    Jan 30 12:44:03 dag-TS-P500 dbus-daemon[2707]: Successfully activated service 'com.ubuntu.OneConf'
    Jan 30 12:44:03 dag-TS-P500 com.ubuntu.OneConf[2707]: WARNING:oneconf.hosts:Error in loading other_hosts file: [Errno 2] No such file or directory: '/home/dag/.cache/oneconf/d2fc3bf30c9f4976b441a8f14de53bda/other_hosts'
    Jan 30 12:44:23 dag-TS-P500 dbus-daemon[2707]: Activating service name='com.ubuntu.sso'
    Jan 30 12:44:24 dag-TS-P500 dbus-daemon[2707]: Successfully activated service 'com.ubuntu.sso'
    Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.685842] audit: type=1400 audit(1485776751.028:44): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=7024 comm="apparmor_parser"
    Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.686099] audit: type=1400 audit(1485776751.028:45): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=7024 comm="apparmor_parser"
    Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.700446] audit: type=1400 audit(1485776751.044:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=7024 comm="apparmor_parser"
    Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940891] audit: type=1400 audit(1485776757.284:47): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"
    Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940938] audit: type=1400 audit(1485776757.284:48): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"

  ProblemType: Bug
  DistroRelease: Ubuntu 16.10
  Package: cups 2.2.0-2
  ProcVersionSignature: Ubuntu 4.8.0-34.36-generic 4.8.11
  Uname: Linux 4.8.0-34-generic x86_64
  NonfreeKernelModules: nvidi
[Touch-packages] [Bug 1922414] Re: ssh-agent fails to start (has_option: command not found)
** Also affects: lightdm (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1922414

Title:
  ssh-agent fails to start (has_option: command not found)

Status in Light Display Manager:
  New
Status in gdm3 package in Ubuntu:
  Fix Released
Status in lightdm package in Ubuntu:
  New
Status in xorg package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  I have been using ssh-agent for years and since I upgraded my system to Ubuntu 21.04/groovy, ssh-agent fails to start.

  Here is the error message:

    # journalctl | grep ssh-agent
    [...]
    Apr 02 20:16:32 vougeot /usr/libexec/gdm-x-session[3752]: /etc/X11/Xsession.d/90x11-common_ssh-agent: line 9: has_option: command not found

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: x11-common 1:7.7+22ubuntu1
  Uname: Linux 5.11.11-05-lowlatency x86_64
  ApportVersion: 2.20.11-0ubuntu61
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: unknown
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  CurrentDesktop: KDE
  Date: Sat Apr 3 09:02:46 2021
  Dependencies: lsb-base 11.1.0ubuntu2
  DistUpgraded: Fresh install
  DistroCodename: hirsute
  DistroVariant: ubuntu
  DkmsStatus:
   tuxedo-keyboard, 3.0.4, 5.11.0-13-generic, x86_64: installed
   tuxedo-keyboard, 3.0.4, 5.11.0-13-lowlatency, x86_64: installed
   tuxedo-keyboard, 3.0.4, 5.11.11-05-lowlatency, x86_64: installed
  ExtraDebuggingInterest: No
  GraphicsCard:
   Intel Corporation TigerLake GT2 [Iris Xe Graphics] [8086:9a49] (rev 01) (prog-if 00 [VGA controller])
     Subsystem: CLEVO/KAPOK Computer Iris Xe Graphics [1558:51a1]
  MachineType: TUXEDO TUXEDO InfinityBook S 15 Gen6
  PackageArchitecture: all
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.11.11-05-lowlatency root=/dev/mapper/MonVolume2-UbuntuRacine ro vsyscall=none security=apparmor quiet splash
[Touch-packages] [Bug 1404172] Re: lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
*** This bug is a duplicate of bug 1949970 ***
    https://bugs.launchpad.net/bugs/1949970

This appears to have been addressed in bug #1949970 by making use of a feature of the PAM config. In /etc/pam.d/lightdm, I see e.g.

  -auth optional pam_gnome_keyring.so
  -auth optional pam_kwallet.so
  -auth optional pam_kwallet5.so

From the pam.conf(5) man page:

  If the *type* value from the list above is prepended with a - character the PAM library will not log to the system log if it is not possible to load the module because it is missing in the system. This can be useful especially for modules which are not always installed on the system and are not required for correct authentication and authorization of the login session.

I'll mark this issue as a duplicate of the newer one, even though it should be the other way around.

** This bug has been marked a duplicate of bug 1949970
   attempt to dlopen nonexistent pam_kwallet.so spams log

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1404172

Title:
  lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory

Status in One Hundred Papercuts:
  Confirmed
Status in Light Display Manager:
  Confirmed
Status in systemd:
  New
Status in lightdm package in Ubuntu:
  Confirmed

Bug description:
  auth.log complaints:

    Dec 19 07:24:42 u32 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
    Dec 19 07:24:42 u32 lightdm: PAM adding faulty module: pam_kwallet.so
    Dec 19 07:24:42 u32 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
    Dec 19 07:24:42 u32 systemd-logind[656]: New session c1 of user lightdm.
    Dec 19 07:24:42 u32 systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
    Dec 19 07:24:46 u32 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
    Dec 19 07:24:46 u32 lightdm: PAM adding faulty module: pam_kwallet.so
    Dec 19 07:24:46 u32 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "oem"
    Dec 19 07:24:53 u32 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
    Dec 19 07:24:53 u32 lightdm: pam_unix(lightdm:session): session opened for user oem by (uid=0)

  As per lp:1309535 #18 comment such 'warnings' should be silenced (as they scared unaware users about the both needs of pam's gnome/kde)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: lightdm 1.13.0-0ubuntu2
  ProcVersionSignature: Ubuntu 3.18.0-7.8-generic 3.18.0
  Uname: Linux 3.18.0-7-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.15.1-0ubuntu1
  Architecture: i386
  CurrentDesktop: GNOME
  Date: Fri Dec 19 10:47:07 2014
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1918410] Re: isc-dhcp-client denied by apparmor
Note to everyone watching this bug:

The file that John modified above is in the "extra profiles" section of the upstream AppArmor source repository. It may be found on an Ubuntu system at

  /usr/share/apparmor/extra-profiles/sbin.dhclient

and in jammy, it has his fix.

However, the isc-dhcp-client package provides its own separate profile, which is installed at

  /etc/apparmor.d/sbin.dhclient

and is quite different. Most people are likely going to be using this latter one, as it is enabled by default. So they will not receive the benefit of John's fix.

I've confirmed that the original "DENIED" messages still occur on jammy.

** Tags added: jammy

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1918410

Title:
  isc-dhcp-client denied by apparmor

Status in isc-dhcp package in Ubuntu:
  Triaged

Bug description:
  Hi,

  I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:

    [1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  This might or might not be linked with the fact that I can't get an IPv4 on this interface.

  Note that it happened to others, see this comment:
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8

  Or even an article recommending disabling apparmor for dhclient(!):
  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/

  As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP.

  And running it in strace shows the EACCES failure:

    [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached ) = -1 EACCES (Permission non accordée)
[Touch-packages] [Bug 1934933] Re: cloud-init dhclient apparmor denied with noexec on /var/tmp
This message...

  type=AVC msg=audit(1625678140.496:1898): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/8537/task/8540/comm" pid=8537 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

...is actually for a different issue, discussed at LP: #1918410.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1934933

Title:
  cloud-init dhclient apparmor denied with noexec on /var/tmp

Status in isc-dhcp package in Ubuntu:
  Confirmed

Bug description:
  Hello - we are seeing an issue on multiple Azure hosts where there is a long delay during bootup. This appears to be related to an apparmor issue with dhclient executed via cloud-init when /var is mounted noexec. Because /var is noexec, the original dhclient is executed rather than the copy in /var/tmp/cloud-init, which causes the AppArmor profile to be applied. This prevents the instance from being able to record the DHCP lease information to /var/tmp/cloud-init/cloud-init-dhcp-*, which prevents the instance from being able to obtain goalstate information, and with cloud-init 21.2-3 or later, results in an extended delay during boot due to a recent change in azure.py (https://github.com/canonical/cloud-init/pull/842).

  This issue does not occur in default Ubuntu installations (including the Ubuntu 20.04 default Azure image), as the dhcp.py script in cloud-init behaves differently, copying /usr/sbin/dhclient to /var/tmp/cloud-init/cloud-init-dhcp-x/dhclient when /var allows executables, and the apparmor profiles then do not apply to the copied executable.

  The syslog will show the following entry when the instance boots up:

    cloud-init[820]: 2021-07-07 14:50:40,661 - dhcp.py[WARNING]: dhclient did not produce expected files: dhcp.leases, dhclient.pid

  The cloud-init.log file will show this entry when this issue is occurring. Since the instance has no IP address at this stage of the boot process, an unreachable network is to be expected:

    azure.py[DEBUG]: Failed HTTP request with Azure endpoint http://168.63.129.16/machine/?comp=goalstate during attempt 240 with exception: HTTPConnectionPool(host='168.63.129.16', port=80): Max retries exceeded with url: /machine/?comp=goalstate (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 101] Network is unreachable'))

  With the timeouts in azure.py described above, the instance will not boot for around 20 minutes until all 240 connection attempts are completed.

  This is logged in /var/log/audit/audit.log, showing that the dhclient process executed from cloud-init is unable to write the dhclient.pid and dhcp.leases files that are needed to continue the datasource retrieval process:

    type=AVC msg=audit(1625678140.496:1898): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/8537/task/8540/comm" pid=8537 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  Adding the following file resolves the issue:

  /etc/apparmor.d/local/sbin.dhclient

    /var/tmp/cloud-init/cloud-init-dhcp-*/dhclient.pid lrw,
    /var/tmp/cloud-init/cloud-init-dhcp-*/dhcp.leases lrw,

  This allows dhclient executed via cloud-init to write the dhclient.pid and dhcp.leases files to /var/tmp/cloud-init and the instance to boot normally.
[Touch-packages] [Bug 1961413] Re: [BLUEFIELD] dmesg is flooded with apparmor="DENIED" for dhclient messages
Note that the /proc/XX/task/YY/comm denials are addressed in LP: #1918410. That leaves two of this sort:

audit: type=1400 audit(1645193286.560:2012): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-oob_net0.pid" pid=103303 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

https://bugs.launchpad.net/bugs/1961413

Title: [BLUEFIELD] dmesg is flooded with apparmor="DENIED" for dhclient messages

Status in isc-dhcp package in Ubuntu: New

Bug description:

Ubuntu 20.04.3
Kernel: 5.4.0-1028-bluefield

ii isc-dhcp-client 4.4.1-2.1ubuntu5.20.04.2 arm64 DHCP client for automatically obtaining an IP address
ii isc-dhcp-common 4.4.1-2.1ubuntu5.20.04.2 arm64 common manpages relevant to all of the isc-dhcp packages
ii apparmor 2.13.3-7ubuntu5.1 arm64 user-space parser utility for AppArmor
ii libapparmor1:arm64 2.13.3-7ubuntu5.1 arm64 changehat AppArmor library
ii network-manager 1.22.10-1ubuntu2.3 arm64 network management framework (daemon and userspace tools)

Configuration:

# cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        oob_net0:
            dhcp4: true
        tmfifo_net0:
            addresses:
            - 192.168.100.2/30
            dhcp4: false
            nameservers:
                addresses:
                - 192.168.100.1
            routes:
            -   metric: 1025
                to: 0.0.0.0/0
                via: 192.168.100.1
    renderer: NetworkManager
    version: 2

Dmesg:

[59685.099760] audit: type=1400 audit(1645193286.508:2011): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/103303/task/103306/comm" pid=103303 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[59685.148687] audit: type=1400 audit(1645193286.560:2012): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-oob_net0.pid" pid=103303 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[59926.641500] audit: type=1400 audit(1645193528.052:2013): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104083/task/104084/comm" pid=104083 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[59926.641685] audit: type=1400 audit(1645193528.052:2014): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104083/task/104085/comm" pid=104083 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[59926.641776] audit: type=1400 audit(1645193528.052:2015): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104083/task/104086/comm" pid=104083 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[59931.623506] audit: type=1400 audit(1645193533.032:2016): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104158/task/104159/comm" pid=104158 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[59931.623665] audit: type=1400 audit(1645193533.032:2017): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104158/task/104160/comm" pid=104158 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[59931.623758] audit: type=1400 audit(1645193533.032:2018): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104158/task/104161/comm" pid=104158 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[60030.017642] audit: type=1400 audit(1645193631.428:2019): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104353/task/104354/comm" pid=104353 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[60030.017810] audit: type=1400 audit(1645193631.428:2020): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/104353/task/104355/comm" pid=104353 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[60030.017907] audit: type=140
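The dmesg excerpt in the report above repeats the same denial with only the PID and thread ID changing. As an added example (not part of the original report and not AppArmor's own tooling), the following Python groups such records by profile, operation, wildcarded target and denied mask, so a flood collapses to the few distinct accesses a profile is missing. The sample lines, function names and wildcard rules are assumptions made here, and the hex-decoding branch covers a case the reports do not show.

```python
import re
from collections import Counter

# Constructed sample input, modeled on the kernel audit format quoted in the
# reports above. PIDs, timestamps, the hex-encoded record and the "example"
# profile are made up for this example.
SAMPLE_LOG = """\
[  100.000001] audit: type=1400 audit(1700000000.100:10): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/4001/task/4002/comm" pid=4001 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[  100.000002] audit: type=1400 audit(1700000000.100:11): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/4001/task/4003/comm" pid=4001 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[  100.050000] audit: type=1400 audit(1700000000.150:12): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-oob_net0.pid" pid=4001 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[  160.000001] audit: type=1400 audit(1700000060.100:13): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/4100/task/4101/comm" pid=4100 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[  200.000000] audit: type=1400 audit(1700000100.000:14): apparmor="DENIED" operation="open" profile="firefox" name="/run/user/1000/ICEauthority" pid=1791 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  300.000000] audit: type=1400 audit(1700000200.000:15): apparmor="DENIED" operation="bind" profile="nscd" pid=1679 comm="nscd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-0123456789abcdef0123456789abcdef"
[  400.000000] audit: type=1400 audit(1700000300.000:16): apparmor="DENIED" operation="open" profile="example" name=2F746D702F6120622E747874 pid=5000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 27 04:40:17 host systemd[1]: nscd.service: Scheduled restart job, restart counter is at 9.
"""

# key="quoted value" or key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for match in _FIELD.finditer(line):
        key, quoted, bare = match.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in ("name", "comm") and _HEX.fullmatch(bare):
            # The audit layer writes strings that contain spaces, quotes or
            # control bytes as unquoted hex; decode them back to text.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def target_pattern(fields):
    """Wildcard the parts of the denied object that change on every run."""
    target = fields.get("name") or fields.get("addr") or ""
    # Purely numeric path components: PIDs, thread IDs, UIDs under /run/user.
    target = re.sub(r'(?<=/)\d+(?=/|$)', '*', target)
    # Long lowercase-hex runs such as the random suffix of @userdb-* sockets.
    target = re.sub(r'[0-9a-f]{16,}', '*', target)
    return target


def summarize(lines):
    """Count denials per (profile, operation, target pattern, denied mask)."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        key = (
            fields.get("profile", ""),
            fields.get("operation", ""),
            target_pattern(fields),
            fields.get("denied_mask", ""),
        )
        counts[key] += 1
    # Most frequent first, then alphabetical for a stable order.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (profile, operation, target, mask), count in summarize(SAMPLE_LOG.splitlines()):
        print(f"{count:4d}  {profile}  {operation}  {target}  {mask}")
```

Each distinct row is one access to review against the profile; the counts show which denials are noise from repetition and which are one-off.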
[Touch-packages] [Bug 1965923] Re: rc.apparmor.functions should not mount /sys/kernel/security inside a chroot environment
** Tags added: jammy
https://bugs.launchpad.net/bugs/1965923 Title: rc.apparmor.functions should not mount /sys/kernel/security inside a chroot environment Status in apparmor package in Ubuntu: New
[Touch-packages] [Bug 1965923] [NEW] rc.apparmor.functions should not mount /sys/kernel/security inside a chroot environment
Public bug reported: This concerns apparmor 3.0.4-2ubuntu2 in Ubuntu jammy. When I run a command like aa-teardown(8), it will mount securityfs on /sys/kernel/security if this is not already mounted. On bare metal, this is reasonable. But in a chroot environment, the command should probably exit without taking any action, not unlike what systemd does: "Running in chroot, ignoring command 'daemon-reload'". I see that the functions script already has logic addressing AppArmor in container environments, but it appears that the chroot scenario has not been addressed. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New
https://bugs.launchpad.net/bugs/1965923
[Touch-packages] [Bug 1853164] Re: systemd: /etc/dhcp/dhclient-enter-hooks.d/resolved error
FWIW, the fix in focal-proposed looks good on my end as well. I can confirm that the /etc/dhcp/dhclient-enter-hooks.d/resolved script now has the is-enabled check, and while I won't be able to test out resolvconf, I regard the updated conditional as equivalent to my previous known-good workaround (renaming the script to resolved.DISABLED, so it is not sourced by dhclient-script). Greatly appreciate the bug squash! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1853164 Title: systemd: /etc/dhcp/dhclient-enter-hooks.d/resolved error Status in systemd package in Ubuntu: Fix Released Status in systemd source package in Bionic: New Status in systemd source package in Focal: Fix Committed Bug description: [impact] with systemd-resolved disabled, dhclient doesn't correctly notify resolvconf about dns server(s) [test case] install resolvconf and ifupdown and disable systemd-resolved and systemd-networkd, use ifupdown to get a dhcp address where the lease includes a dns nameserver, verify resolvconf is using that dhcp-provided nameserver [regression potential] failure to correctly notify systemd-resolved about new dhclient-provided nameserver(s) [scope] this is needed for f and earlier in g and later the hook script is moved to the isc-dhcp package, and edited to correctly check is-enabled systemd-resolved instead of only checking for the existence of the binary [original description] The functionality exists to allow users to revert to the traditional ifupdown package for network configuration. Alongside this, systemd's often-buggy resolver can be disabled. However, there's a logic error in the systemd-supplied /etc/dhcp/dhclient-enter-hooks.d/resolved that prevents the system from populating /etc/resolv.conf properly when systemd-resolved is disabled.
The issue is here: if [ -x /lib/systemd/systemd-resolved ] ; then Instead of checking to see if the systemd-resolved service is enabled or active, which would be the correct behaviour, this checks for the existence of a binary, assuming that if it exists it's supposed to be used. I've not tested this in the absence of resolvconf, but if systemd-resolved isn't enabled, it's difficult to imagine this code wanting to run. I've tested this with resolvconf and ifupdown driving dhclient, and it corrects the behaviour that was broken with the introduction of systemd-resolved. I'm attaching a patch, and am also including it here for easy access: *** resolved.broken 2019-11-19 15:01:28.785588838 + --- resolved2019-11-19 15:08:06.519430073 + *** *** 14,20 # (D) = master script downs interface # (-) = master script does nothing with this ! if [ -x /lib/systemd/systemd-resolved ] ; then # For safety, first undefine the nasty default make_resolv_conf() make_resolv_conf() { : ; } case "$reason" in --- 14,21 # (D) = master script downs interface # (-) = master script does nothing with this ! systemctl is-active systemd-resolved > /dev/null 2>&1 ! if [ $? -eq 0 ]; then # For safety, first undefine the nasty default make_resolv_conf() make_resolv_conf() { : ; } case "$reason" in To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1853164/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
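Review bot: the new condition tests `systemctl is-active systemd-resolved`, while the [scope] text of this same report says the packaged hook checks is-enabled. The two disagree when the unit is enabled but not yet running at the moment dhclient-script sources the hook, and in that window this version skips the block and leaves the default make_resolv_conf() in place, so the patch should say which of the two states is intended. A style point on the same two changed lines: the exit status can be tested directly with `if systemctl is-active --quiet systemd-resolved; then`, which removes the separate `$?` comparison and the redirection.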
[Touch-packages] [Bug 1871726] Re: "systemd --user" and child processes fail to exit when user logs out
Yes, it is still an issue in focal. Was there an update since last year that should have addressed this?

** Changed in: systemd (Ubuntu) Status: Invalid => New

https://bugs.launchpad.net/bugs/1871726

Title: "systemd --user" and child processes fail to exit when user logs out

Status in systemd package in Ubuntu: New

Bug description:

This concerns systemd 245.2-1ubuntu2 in Ubuntu focal. I am using the Xfce desktop.

After the user logs out from a desktop session, numerous desktop-related processes are left over. Here is a listing, taken over twenty minutes after logout:

skunk 853 0.0 0.2 18912 10300 ? Ss 17:55 0:00 /lib/systemd/systemd --user
skunk 854 0.0 0.0 103304 3496 ? S 17:55 0:00 (sd-pam)
skunk 881 0.0 0.1 8076 5324 ? Ss 17:55 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
skunk 970 0.0 0.1 305364 6776 ? Ssl 17:55 0:00 /usr/libexec/at-spi-bus-launcher
skunk 975 0.0 0.1 7352 4452 ? S 17:55 0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
skunk 979 0.0 0.1 230196 5900 ? Sl 17:55 0:00 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
skunk 992 0.0 0.1 239704 7676 ? Ssl 17:55 0:00 /usr/libexec/gvfsd
skunk 997 0.0 0.1 378332 6444 ? Sl 17:55 0:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
skunk 1133 0.0 0.1 156116 5596 ? Sl 17:56 0:00 /usr/libexec/dconf-service
skunk 1139 0.0 0.1 236884 4828 ? Sl 17:56 0:00 /usr/libexec/geoclue-2.0/demos/agent
skunk 1186 0.0 0.8 59324 34792 ? S 17:56 0:00 /usr/bin/python3 /usr/share/system-config-printer/applet.py
skunk 1201 0.0 0.6 391676 25688 ? Ssl 17:56 0:00 /usr/libexec/evolution-source-registry
skunk 1224 0.0 0.8 616644 35492 ? Sl 17:56 0:00 /usr/libexec/goa-daemon
skunk 1235 0.0 0.7 708928 30512 ? Ssl 17:56 0:00 /usr/libexec/evolution-calendar-factory
skunk 1243 0.0 0.2 314744 8980 ? Sl 17:56 0:00 /usr/libexec/goa-identity-service
skunk 1271 0.0 0.7 681460 29344 ? Ssl 17:56 0:00 /usr/libexec/evolution-addressbook-factory
skunk 1302 0.0 0.1 43968 6432 ? Ss 17:56 0:00 /usr/lib/bluetooth/obexd
skunk 1322 0.0 0.2 313872 9076 ? Ssl 17:56 0:00 /usr/libexec/gvfs-udisks2-volume-monitor
skunk 1327 0.0 0.1 235684 6468 ? Ssl 17:56 0:00 /usr/libexec/gvfs-mtp-volume-monitor
skunk 1331 0.0 0.1 237956 6876 ? Ssl 17:56 0:00 /usr/libexec/gvfs-gphoto2-volume-monitor
skunk 1335 0.0 0.1 235864 5760 ? Ssl 17:56 0:00 /usr/libexec/gvfs-goa-volume-monitor
skunk 1339 0.0 0.2 316716 8800 ? Ssl 17:56 0:00 /usr/libexec/gvfs-afc-volume-monitor
skunk 1347 0.0 0.1 313684 7836 ? Sl 17:56 0:00 /usr/libexec/gvfsd-trash --spawner :1.13 /org/gtk/gvfs/exec_spaw/0
skunk 1353 0.0 0.1 162128 6028 ? Ssl 17:56 0:00 /usr/libexec/gvfsd-metadata

When a user logs out of the system, all processes associated with the login session should be terminated (barring the use of nohup(1) or the like).

If I sent a SIGINT to the "systemd --user" process above (PID 853), then all the processes promptly go away. This needs to occur on logout.
[Touch-packages] [Bug 1853164] Re: systemd: /etc/dhcp/dhclient-enter-hooks.d/resolved error
Thank you @ddstreet, I'm happy to see this as well. I'd like to get rid of the workaround I've been using for this issue:
# dpkg-divert --divert /etc/dhcp/dhclient-enter-hooks.d/resolved.DISABLED --rename /etc/dhcp/dhclient-enter-hooks.d/resolved
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1853164 Title: systemd: /etc/dhcp/dhclient-enter-hooks.d/resolved error Status in systemd package in Ubuntu: Fix Released Status in systemd source package in Focal: In Progress Bug description: [impact] with systemd-resolved disabled, dhclient doesn't correctly notify resolvconf about dns server(s) [test case] install resolvconf and ifupdown and disable systemd-resolved and systemd-networkd, use ifupdown to get a dhcp address where the lease includes a dns nameserver, verify resolvconf is using that dhcp-provided nameserver [regression potential] failure to correctly notify systemd-resolved about new dhclient-provided nameserver(s) [scope] this is needed for f and earlier in g and later the hook script is moved to the isc-dhcp package, and edited to correctly check is-enabled systemd-resolved instead of only checking for the existence of the binary [original description] The functionality exists to allow users to revert to the traditional ifupdown package for network configuration. Alongside this, systemd's often-buggy resolver can be disabled. However, there's a logic error in the systemd-supplied /etc/dhcp/dhclient-enter-hooks.d/resolved that prevents the system from populating /etc/resolv.conf properly when systemd-resolved is disabled. The issue is here: if [ -x /lib/systemd/systemd-resolved ] ; then Instead of checking to see if the systemd-resolved service is enabled or active, which would be the correct behaviour, this checks for the existence of a binary, assuming that if it exists it's supposed to be used.
I've not tested this in the absence of resolvconf, but if systemd-resolved isn't enabled, it's difficult to imagine this code wanting to run. I've tested this with resolvconf and ifupdown driving dhclient, and it corrects the behaviour that was broken with the introduction of systemd-resolved. I'm attaching a patch, and am also including it here for easy access: *** resolved.broken 2019-11-19 15:01:28.785588838 + --- resolved2019-11-19 15:08:06.519430073 + *** *** 14,20 # (D) = master script downs interface # (-) = master script does nothing with this ! if [ -x /lib/systemd/systemd-resolved ] ; then # For safety, first undefine the nasty default make_resolv_conf() make_resolv_conf() { : ; } case "$reason" in --- 14,21 # (D) = master script downs interface # (-) = master script does nothing with this ! systemctl is-active systemd-resolved > /dev/null 2>&1 ! if [ $? -eq 0 ]; then # For safety, first undefine the nasty default make_resolv_conf() make_resolv_conf() { : ; } case "$reason" in To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1853164/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1881357] [NEW] abstractions/X needs new ICEauthority path
Public bug reported: This concerns apparmor 2.13.3-7ubuntu5 in Ubuntu focal. Saw this during a Firefox test run: May 29 17:25:32 test-ubuntu64 kernel: [ 818.399967] audit: type=1400 audit(1590787532.023:69): apparmor="DENIED" operation="open" profile="firefox" name="/run/user/1000/ICEauthority" pid=1791 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 This comparison was interesting: $ ls -l ~/.ICEauthority /run/user/1000/ICEauthority -rw--- 1 skunk skunk 0 May 29 17:43 /home/skunk/.ICEauthority -rw--- 1 skunk skunk 350 May 29 17:43 /run/user/1000/ICEauthority Is the /run path a new canonical location for the ICEauthority file? The X abstraction would need to know about it. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Tags: focal
https://bugs.launchpad.net/bugs/1881357
[Touch-packages] [Bug 1880841] [NEW] usr.sbin.nscd needs unix socket access to @userdb-*
Public bug reported: This concerns apparmor-profiles 2.13.3-7ubuntu5 in Ubuntu focal. I use the usr.sbin.nscd profile in enforce mode, and am seeing the following messages in /var/log/syslog . I don't know if the SIGABRT is related: May 27 04:39:56 test-ubuntu64 kernel: [ 199.392521] audit: type=1400 audit(1590568796.975:76): apparmor="DENIED" operation="bind" profile="nscd" pid=1679 comm="nscd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-4a5d3fdcfb9afbd7fc75948800519358" May 27 04:40:17 test-ubuntu64 systemd[1]: nscd.service: Main process exited, code=killed, status=6/ABRT May 27 04:40:17 test-ubuntu64 systemd[1]: nscd.service: Failed with result 'signal'. May 27 04:40:17 test-ubuntu64 systemd[1]: nscd.service: Scheduled restart job, restart counter is at 9. The @userdb-* binding looks like a systemd thing. Should a rule for this go into /etc/apparmor.d/abstractions/nameservice ? ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Tags: focal
https://bugs.launchpad.net/bugs/1880841
[Touch-packages] [Bug 1878333] Re: AppArmor cache entries not removed when profile is deleted
That's why I hedged on having something like "apparmor unload". What you're saying explains why "restart" and "reload" are distinct actions (I'd never been clear on this), so having a new action that is "like 'stop' but actually does stop apparmor, even though that is not usually what you want" makes similar sense.
https://bugs.launchpad.net/bugs/1878333 Title: AppArmor cache entries not removed when profile is deleted Status in apparmor package in Ubuntu: Confirmed Bug description: This concerns apparmor 2.13.3-7ubuntu5 in Ubuntu focal. If I delete a profile from /etc/apparmor.d/, reboot the system, and then look in /var/cache/apparmor/.0/, I still see a file for the compiled form of the profile. The same occurs if the profile is "deleted" by other means, such as symlinking it from /etc/apparmor.d/disable/. This behavior caused me some consternation as I was developing an alternate profile for a program that already had one, and I continued to see old behavior even though I had removed the old profile.
[Touch-packages] [Bug 1878333] Re: AppArmor cache entries not removed when profile is deleted
A related issue: "/etc/init.d/apparmor stop" should invoke aa-teardown(8). Depending on the semantics of the apparmor "service," this could also be "/etc/init.d/apparmor unload" or the like. I was surprised to find that "apparmor stop" was not actually unloading the profiles, as I had assumed. From the perspective of a sysadmin, I rely on the init scripts to manage daemons/services without having to know the specific technical details of how to interact with each one. A major reason why those scripts exist is to translate a simple start/stop logic into whatever that reasonably means for a particular daemon or service.
https://bugs.launchpad.net/bugs/1878333 Title: AppArmor cache entries not removed when profile is deleted Status in apparmor package in Ubuntu: Confirmed
[Touch-packages] [Bug 1878333] Re: AppArmor cache entries not removed when profile is deleted
Thanks. I am in complete agreement. I don't need (or even want) AppArmor to automagically update the kernel state right after changing something under /etc/apparmor.d/, because having to do a SIGHUP/restart/etc. is already normal practice. But I do expect that a reboot/reload will take care of that for me, as it does for other services.
https://bugs.launchpad.net/bugs/1878333 Title: AppArmor cache entries not removed when profile is deleted Status in apparmor package in Ubuntu: Confirmed
[Touch-packages] [Bug 1877528] Re: Applet does not terminate at end of X desktop session
Aaaand the upstream has decided they can't/won't fix this issue.

One thing that bothers me about this whole situation is that, in order for background services like this one to be cleaned up after logout, they need to behave "correctly." From my point of view, this is backwards.

When the system is preparing to reboot, it first sends SIGTERM to all user processes, waits a few seconds, and then sends SIGKILL. Processes that behave correctly are allowed to close down cleanly, and those that don't, are terminated forcibly. If you didn't have that SIGKILL part, then one badly-behaving process could delay the reboot indefinitely. By doing things this way, good behavior is rewarded, but not required.

Something like that should be the case for user sessions, although there are exceptions (screen, tmux, nohup), and SIGKILL might be excessive.

The upstream bug mentioned a few other processes that remained visible under session-status, and I myself have seen similar behavior from at-spi2-core (haven't determined yet if a bug report is in order for that one). We're going to be fighting a losing battle if every single desktop background service in Ubuntu has to do things correctly in order to avoid keeping the session open after logout. There needs to be a failsafe of some kind.

https://bugs.launchpad.net/bugs/1877528

Title: Applet does not terminate at end of X desktop session

Status in System Config Printer: New
Status in lightdm package in Ubuntu: New
Status in sddm package in Ubuntu: New
Status in system-config-printer package in Ubuntu: Triaged
Status in systemd package in Ubuntu: Invalid
Status in system-config-printer package in Debian: Unknown

Bug description:

This concerns system-config-printer 1.5.12-0ubuntu1 in Ubuntu focal.

I log into the Xfce desktop, and then logout. The screen returns to the LightDM login screen.

A few minutes later, "loginctl list-sessions" shows the following:

SESSION UID USER SEAT TTY
90 root
c2 1000 skunk seat0
c3 116 lightdm seat0

3 sessions listed.

Output from "loginctl session-status c2":

c2 - skunk (1000)
Since: Fri 2020-05-08 03:09:05 EDT; 9min ago
Leader: 2530
Seat: seat0; vc7
Display: :0
Service: lightdm; type x11; class user
Desktop: xubuntu
State: closing
Unit: session-c2.scope
└─2856 /usr/bin/python3 /usr/share/system-config-printer/applet.py

This process sticks around forever until I kill it, or its parent "systemd --user" process. Only then does the session disappear from list-sessions.

When I run "session-status" while I'm logged in, I see a list of nearly 30 desktop-related processes. All of them except this one go away on logout. This one should too.
[Touch-packages] [Bug 1878333] Re: AppArmor cache entries not removed when profile is deleted
Hello John,

I did not take any specific action to unload a profile from the kernel. Instead, I rebooted the system, under the assumption that this would wipe the slate clean, with everything reloading cleanly from /etc/apparmor.d/.

The new profile I developed was under a new filename, because I did not want to modify the stock file. Specifically (assuming the profile is "usr.bin.foo"), I created usr.bin.foo.new, and symlinked usr.bin.foo from disable/.

It appears to me that aa-remove-unknown (or something like it) should be invoked on startup. The cache is supposed to be an implementation detail (so that the system doesn't spend much time compiling the profiles every time they are loaded), but in this case, it is behaving as a sort of opaque "shadow config" outside of /etc, which is very bad.

I can understand that if I edit a file under /etc, the change may not take effect as soon as I save it. Sometimes I have to send a SIGHUP, sometimes I have to restart the daemon, etc. But if I reboot the system, then I think it is reasonable to assume that the entire system config is reloaded (or behaves as if it were reloaded) from /etc. The cache should be properly updated by the system in that situation---it should not require additional action by the user.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1878333

Title:
  AppArmor cache entries not removed when profile is deleted

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  This concerns apparmor 2.13.3-7ubuntu5 in Ubuntu focal.

  If I delete a profile from /etc/apparmor.d/, reboot the system, and then look in /var/cache/apparmor/.0/, I still see a file for the compiled form of the profile.

  The same occurs if the profile is "deleted" by other means, such as symlinking it from /etc/apparmor.d/disable/.

  This behavior caused me some consternation as I was developing an alternate profile for a program that already had one, and I continued to see old behavior even though I had removed the old profile.
[Touch-packages] [Bug 1878333] [NEW] AppArmor cache entries not removed when profile is deleted
Public bug reported:

This concerns apparmor 2.13.3-7ubuntu5 in Ubuntu focal.

If I delete a profile from /etc/apparmor.d/, reboot the system, and then look in /var/cache/apparmor/.0/, I still see a file for the compiled form of the profile.

The same occurs if the profile is "deleted" by other means, such as symlinking it from /etc/apparmor.d/disable/.

This behavior caused me some consternation as I was developing an alternate profile for a program that already had one, and I continued to see old behavior even though I had removed the old profile.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1878333

Title:
  AppArmor cache entries not removed when profile is deleted

Status in apparmor package in Ubuntu:
  New
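Added example (not part of the original messages and not AppArmor's own tooling): a check for the condition described in bug 1878333 above, listing compiled cache entries whose source profile has been deleted or is linked from disable/. It assumes that a cache file carries the same basename as the profile file it was compiled from; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Report compiled AppArmor cache entries that no longer correspond to an
# active profile. Assumption: a cache entry has the same basename as the
# profile file in the profile directory (e.g. usr.bin.foo).

# stale_cache_entries PROFILE_DIR CACHE_DIR
# Prints "<name>: <reason>" for every cache entry whose source profile is
# missing, or present but linked from PROFILE_DIR/disable/.
stale_cache_entries() (
    profile_dir=$1
    cache_dir=$2
    LC_ALL=C    # deterministic glob order; dotfiles such as .features are skipped by *
    for entry in "$cache_dir"/*; do
        [ -f "$entry" ] || continue
        name=${entry##*/}
        if [ ! -e "$profile_dir/$name" ]; then
            echo "$name: no source profile"
        elif [ -e "$profile_dir/disable/$name" ] || [ -L "$profile_dir/disable/$name" ]; then
            echo "$name: source profile is disabled"
        fi
    done
)

# build_demo_tree ROOT
# Constructed sample mirroring the report: usr.bin.foo is disabled via a
# symlink and replaced by usr.bin.foo.new; usr.sbin.gone was deleted outright;
# usr.sbin.bar is an ordinary active profile. All four still have cache files.
build_demo_tree() {
    root=$1
    mkdir -p "$root/apparmor.d/disable" "$root/cache"
    : > "$root/apparmor.d/usr.bin.foo"
    : > "$root/apparmor.d/usr.bin.foo.new"
    : > "$root/apparmor.d/usr.sbin.bar"
    ln -s ../usr.bin.foo "$root/apparmor.d/disable/usr.bin.foo"
    for f in usr.bin.foo usr.bin.foo.new usr.sbin.bar usr.sbin.gone; do
        : > "$root/cache/$f"
    done
}

# Demo run on the constructed tree.
demo_root=$(mktemp -d)
build_demo_tree "$demo_root"
stale_cache_entries "$demo_root/apparmor.d" "$demo_root/cache"
rm -rf "$demo_root"
```

On a real system the two arguments would be /etc/apparmor.d and the cache subdirectory that actually exists under /var/cache/apparmor/.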
[Touch-packages] [Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Thanks for being on top of this, Sergio. I'm surprised that a LP search for "boot_id" in this project did not turn up this existing bug report.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1872564

Title:
  /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice

Status in apparmor package in Ubuntu:
  Fix Committed
Status in apparmor source package in Focal:
  Confirmed

Bug description:
  [Impact]

  On a default Focal install, systemd is used when looking up passwd and group information:

  # grep systemd /etc/nsswitch.conf
  passwd: files systemd
  group: files systemd

  Daemons confined by Apparmor that also query those "databases" will cause this Apparmor denial:

  audit: type=1400 audit(1586825456.411:247): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=7370 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100

  Many daemons confined by Apparmor also happen to downgrade their privileges so they always end up looking up user/group information.

  To fix

  [Test Case]

  In order to reproduce the bug, one can:

  1) launch a Focal container (named fb1 here)
    $ lxc launch images:ubuntu/focal fb1

  2) setup apparmor inside the container (already done on official Ubuntu images)
    $ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y

  3) install bind9
    $ lxc exec fb1 -- apt install bind9 -y

  4) check kernel logs for DENIED
    $ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'

  or, depending on how logging is configured:

    $ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'

  Step 4, should not return anything. Because systemd is involved in the user/group lookups, it currently returns the following:

  audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:267): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:268): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:269): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:270): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100

  [Regression Potential]

  In order to fix this issue, 3 separate patches had to be backported. They are simple and self-contained, especially two of them, whose purposes are to add the definition of the @{run} variable and then to add a trailing slash at the end of the "/run" pathname.

  The other patch, albeit very simple, adds three statements to the 'nameservice' profile in order to let processes access (read-only) files under "/run/systemd/userdb" and "/proc/sys/kernel/random/boot_id". After thinking about the possible cases, the only possible problem I could envision was for a program that, not being able to access some of these files before, will now be able to do that and therefore exercise a part of its codebase which was not being used, possibly uncovering latent bugs in this software. But this is not a regression of apparmor per se.

  [Original Description]

  (Description and Test Case were moved above)

  # Workaround

  1) remove systemd from nsswitch.conf
    $ lxc exec fb1 -- sed -i 's/ systemd$/ # systemd/' /etc/nsswitch.conf
  2) restart named
    $ lxc exec fb1 -- service named restart
  3) notice no more denials in kernel logs

  # Additional information

  root@fb1:~# apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu4
    Candidate: 2.13.3-7ubuntu4
    Version table:
   *** 2.13.3-7ubuntu4 500
          500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
          100 /var/lib/dpkg/status

  root@fb1:~# uname -a
  Linux fb1 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  root@fb1:~# lsb_release -rd
  Description: Ubuntu Foc
[Touch-packages] [Bug 1878175] [NEW] Abstraction needs access to @{PROC}/sys/kernel/random/boot_id
Public bug reported:

This concerns apparmor 2.13.3-7ubuntu5 in Ubuntu focal.

I have AppArmor actively enforcing policy on my system. In /var/log/syslog, I see a number of the following two sorts of messages:

May 12 04:44:21 image-ubuntu64 kernel: [ 26.667094] audit: type=1400 audit(1589273061.296:63): apparmor="DENIED" operation="open" profile="nscd" name="/proc/sys/kernel/random/boot_id" pid=655 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 12 04:44:26 image-ubuntu64 kernel: [ 32.107018] audit: type=1400 audit(1589273066.730:99): apparmor="DENIED" operation="open" profile="/usr/sbin/nslcd" name="/proc/sys/kernel/random/boot_id" pid=1004 comm="nslcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The following line is needed in an abstraction somewhere:

  @{PROC}/sys/kernel/random/boot_id r,

I've added it locally to /etc/apparmor.d/abstractions/nameservice, and that took care of the above errors for me.

AppArmor upstream has added it to abstractions/nss-systemd, but this file does not exist in Ubuntu's apparmor package.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1878175

Title:
  Abstraction needs access to @{PROC}/sys/kernel/random/boot_id

Status in apparmor package in Ubuntu:
  New
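Added example (not part of the original messages, and not a replacement for AppArmor's own log tools): a triage helper for the denials quoted in bugs 1872564 and 1878175 above. It groups apparmor="DENIED" audit lines by profile, path and denied mask, then prints one candidate rule per distinct path for review. The function names are constructed, the first sample line is a constructed non-denial record, and only quoted name="..." values are handled.

```shell
#!/bin/sh
# sample_log: one constructed STATUS record (must be ignored), the two denials
# quoted in bug 1878175, and two of the named denials from bug 1872564.
sample_log() {
    cat <<'EOF'
audit: type=1400 audit(1589273000.000:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nscd" pid=400 comm="apparmor_parser"
May 12 04:44:21 image-ubuntu64 kernel: [ 26.667094] audit: type=1400 audit(1589273061.296:63): apparmor="DENIED" operation="open" profile="nscd" name="/proc/sys/kernel/random/boot_id" pid=655 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 12 04:44:26 image-ubuntu64 kernel: [ 32.107018] audit: type=1400 audit(1589273066.730:99): apparmor="DENIED" operation="open" profile="/usr/sbin/nslcd" name="/proc/sys/kernel/random/boot_id" pid=1004 comm="nslcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
audit: type=1400 audit(1586826072.115:267): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
EOF
}

# summarize_denials: read log lines on stdin, print
#   count <TAB> profile <TAB> path <TAB> denied_mask
# sorted by profile. Lines that are not AppArmor denials are skipped.
summarize_denials() {
    awk '
    /apparmor="DENIED"/ {
        profile = field($0, "profile")
        name    = field($0, "name")
        mask    = field($0, "denied_mask")
        if (profile != "" && name != "")
            count[profile "\t" name "\t" mask]++
    }
    # field(): value of key="value"; the leading-space anchor keeps
    # namespace="..." from being mistaken for name="...".
    function field(line, key,   re, s) {
        re = "(^| )" key "=\"[^\"]*\""
        if (!match(line, re)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)
        sub(/"$/, "", s)
        return s
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k2
}

# suggest_rules: turn the summary into candidate profile rules, one per
# distinct path and mask, writing /proc/ paths with the @{PROC} variable.
# These are candidates to review, not rules to apply unread.
suggest_rules() {
    awk -F '\t' '
    {
        path = $3
        if (index(path, "/proc/") == 1) path = "@{PROC}/" substr(path, 7)
        rule = path " " $4 ","
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

sample_log | summarize_denials
sample_log | summarize_denials | suggest_rules
```

On the sample input the three confined daemons collapse to the single rule the report asks for, which is the signal that the fix belongs in a shared abstraction rather than in each profile.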
[Touch-packages] [Bug 1404172] Re: lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
This issue persists in lightdm 1.30.0-0ubuntu3.1 in Ubuntu focal.

I see the warnings not only for pam_kwallet.so, but also its successor pam_kwallet5.so, as well as pam_gnome_keyring.so (which I do not have installed). All three of these are referenced in /etc/pam.d/lightdm and /etc/pam.d/lightdm-greeter as "optional" modules.

I attempted to eliminate the warnings by replacing the "optional" keyword with "[success=ok module_unknown=ignore default=ignore]", but that had no visible effect.

The entries referring to these modules need to be removed from LightDM's PAM config files. If libpam-gnome-keyring is installed, it will already make itself known to PAM via a pam-auth-update profile, which is the correct approach. The libpam-kwallet5 package has no pam-auth-update profile, but that is an issue for that package, not this one.

** Tags added: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1404172

Title:
  lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory

Status in One Hundred Papercuts:
  Confirmed
Status in Light Display Manager:
  Confirmed
Status in systemd:
  New
Status in lightdm package in Ubuntu:
  Confirmed

Bug description:
  auth.log complaints:

  Dec 19 07:24:42 u32 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
  Dec 19 07:24:42 u32 lightdm: PAM adding faulty module: pam_kwallet.so
  Dec 19 07:24:42 u32 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
  Dec 19 07:24:42 u32 systemd-logind[656]: New session c1 of user lightdm.
  Dec 19 07:24:42 u32 systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
  Dec 19 07:24:46 u32 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
  Dec 19 07:24:46 u32 lightdm: PAM adding faulty module: pam_kwallet.so
  Dec 19 07:24:46 u32 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "oem"
  Dec 19 07:24:53 u32 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Dec 19 07:24:53 u32 lightdm: pam_unix(lightdm:session): session opened for user oem by (uid=0)

  As per lp:1309535 #18 comment such 'warnings' should be silenced (as they scared unaware users about the both needs of pam's gnome/kde)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: lightdm 1.13.0-0ubuntu2
  ProcVersionSignature: Ubuntu 3.18.0-7.8-generic 3.18.0
  Uname: Linux 3.18.0-7-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.15.1-0ubuntu1
  Architecture: i386
  CurrentDesktop: GNOME
  Date: Fri Dec 19 10:47:07 2014
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1877532] Re: at-spi-bus-launcher does not terminate at end of X session
This bug has LP: 1871726 as a quasi-parent.

Those two processes shown in session-status are deceptive; ps(1) shows a much larger number of processes still remaining from the login session. When the two processes go away, however, all the others follow. The impact of this issue, then, is not limited to a mere two lingering processes.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to at-spi2-core in Ubuntu.
https://bugs.launchpad.net/bugs/1877532

Title:
  at-spi-bus-launcher does not terminate at end of X session

Status in at-spi2-core package in Ubuntu:
  New

Bug description:
  This concerns at-spi2-core 2.36.0-2 in Ubuntu focal.

  I log into the Xfce desktop as "skunk" via xrdp, and then logout.

  A few minutes later, "loginctl list-sessions" shows the following:

    SESSION  UID USER    SEAT  TTY
          9    0 root
        c10 1000 skunk
         c9  116 lightdm seat0

    3 sessions listed.

  Output from "loginctl session-status c10":

    c10 - skunk (1000)
      Since: Fri 2020-05-08 04:03:51 EDT; 6min ago
      Leader: 6009
      Display: :11
      Service: xrdp-sesman; type x11; class user
      State: closing
      Unit: session-c10.scope
            ├─6184 /usr/libexec/at-spi-bus-launcher --launch-immediately
            └─6199 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3

  These two processes stick around forever until I kill them, or their parent "systemd --user" process. Only then does the session disappear from list-sessions.

  When I run "session-status" while I'm logged in, I see a list of about 20 desktop-related processes. All of them except these two go away on logout. These should too.

  (Note that this problem does not occur when I log in/out via LightDM on the console.)
[Touch-packages] [Bug 1871726] Re: "systemd --user" and child processes fail to exit when user logs out
Also related: LP: #1877532

It's possible that all the lingering processes are due to a couple of misbehaving applications. This isn't a great state of affairs (the cleanup process should not be so fragile that non-cooperative processes can stop it completely), but it might explain what's going on.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1871726

Title:
  "systemd --user" and child processes fail to exit when user logs out

Status in systemd package in Ubuntu:
  New

Bug description:
  This concerns systemd 245.2-1ubuntu2 in Ubuntu focal.

  I am using the Xfce desktop. After the user logs out from a desktop session, numerous desktop-related processes are left over. Here is a listing, taken over twenty minutes after logout:

  skunk 853 0.0 0.2 18912 10300 ? Ss 17:55 0:00 /lib/systemd/systemd --user
  skunk 854 0.0 0.0 103304 3496 ? S 17:55 0:00 (sd-pam)
  skunk 881 0.0 0.1 8076 5324 ? Ss 17:55 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  skunk 970 0.0 0.1 305364 6776 ? Ssl 17:55 0:00 /usr/libexec/at-spi-bus-launcher
  skunk 975 0.0 0.1 7352 4452 ? S 17:55 0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
  skunk 979 0.0 0.1 230196 5900 ? Sl 17:55 0:00 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  skunk 992 0.0 0.1 239704 7676 ? Ssl 17:55 0:00 /usr/libexec/gvfsd
  skunk 997 0.0 0.1 378332 6444 ? Sl 17:55 0:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
  skunk 1133 0.0 0.1 156116 5596 ? Sl 17:56 0:00 /usr/libexec/dconf-service
  skunk 1139 0.0 0.1 236884 4828 ? Sl 17:56 0:00 /usr/libexec/geoclue-2.0/demos/agent
  skunk 1186 0.0 0.8 59324 34792 ? S 17:56 0:00 /usr/bin/python3 /usr/share/system-config-printer/applet.py
  skunk 1201 0.0 0.6 391676 25688 ? Ssl 17:56 0:00 /usr/libexec/evolution-source-registry
  skunk 1224 0.0 0.8 616644 35492 ? Sl 17:56 0:00 /usr/libexec/goa-daemon
  skunk 1235 0.0 0.7 708928 30512 ? Ssl 17:56 0:00 /usr/libexec/evolution-calendar-factory
  skunk 1243 0.0 0.2 314744 8980 ? Sl 17:56 0:00 /usr/libexec/goa-identity-service
  skunk 1271 0.0 0.7 681460 29344 ? Ssl 17:56 0:00 /usr/libexec/evolution-addressbook-factory
  skunk 1302 0.0 0.1 43968 6432 ? Ss 17:56 0:00 /usr/lib/bluetooth/obexd
  skunk 1322 0.0 0.2 313872 9076 ? Ssl 17:56 0:00 /usr/libexec/gvfs-udisks2-volume-monitor
  skunk 1327 0.0 0.1 235684 6468 ? Ssl 17:56 0:00 /usr/libexec/gvfs-mtp-volume-monitor
  skunk 1331 0.0 0.1 237956 6876 ? Ssl 17:56 0:00 /usr/libexec/gvfs-gphoto2-volume-monitor
  skunk 1335 0.0 0.1 235864 5760 ? Ssl 17:56 0:00 /usr/libexec/gvfs-goa-volume-monitor
  skunk 1339 0.0 0.2 316716 8800 ? Ssl 17:56 0:00 /usr/libexec/gvfs-afc-volume-monitor
  skunk 1347 0.0 0.1 313684 7836 ? Sl 17:56 0:00 /usr/libexec/gvfsd-trash --spawner :1.13 /org/gtk/gvfs/exec_spaw/0
  skunk 1353 0.0 0.1 162128 6028 ? Ssl 17:56 0:00 /usr/libexec/gvfsd-metadata

  When a user logs out of the system, all processes associated with the login session should be terminated (barring the use of nohup(1) or the like).

  If I sent a SIGINT to the "systemd --user" process above (PID 853), then all the processes promptly go away. This needs to occur on logout.
[Touch-packages] [Bug 1877532] [NEW] at-spi-bus-launcher does not terminate at end of X session
Public bug reported:

This concerns at-spi2-core 2.36.0-2 in Ubuntu focal.

I log into the Xfce desktop as "skunk" via xrdp, and then logout.

A few minutes later, "loginctl list-sessions" shows the following:

  SESSION  UID USER    SEAT  TTY
        9    0 root
      c10 1000 skunk
       c9  116 lightdm seat0

  3 sessions listed.

Output from "loginctl session-status c10":

  c10 - skunk (1000)
    Since: Fri 2020-05-08 04:03:51 EDT; 6min ago
    Leader: 6009
    Display: :11
    Service: xrdp-sesman; type x11; class user
    State: closing
    Unit: session-c10.scope
          ├─6184 /usr/libexec/at-spi-bus-launcher --launch-immediately
          └─6199 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3

These two processes stick around forever until I kill them, or their parent "systemd --user" process. Only then does the session disappear from list-sessions.

When I run "session-status" while I'm logged in, I see a list of about 20 desktop-related processes. All of them except these two go away on logout. These should too.

(Note that this problem does not occur when I log in/out via LightDM on the console.)

** Affects: at-spi2-core (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to at-spi2-core in Ubuntu.
https://bugs.launchpad.net/bugs/1877532

Title:
  at-spi-bus-launcher does not terminate at end of X session

Status in at-spi2-core package in Ubuntu:
  New
[Touch-packages] [Bug 1871726] Re: "systemd --user" and child processes fail to exit when user logs out
Related: LP: #1877528

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1871726

Title:
  "systemd --user" and child processes fail to exit when user logs out

Status in systemd package in Ubuntu:
  New
[Touch-packages] [Bug 1782275] Re: Conflict between resolvconf and systemd-resolved dhclient scripts
This issue is still present in Ubuntu focal.

Here is what I see that needs to happen:

systemd: The /etc/dhcp/dhclient-enter-hooks.d/resolved script should be renamed to something like 00resolved or aaa_resolved, so that other packages that install scripts into that directory will have their scripts override whatever definitions are in the "resolved" script. (It is notable that the avahi-autoipd package installs a file named "zzz_avahi-autoipd" into /etc/dhcp/dhclient-exit-hooks.d/, apparently so that it always runs last.)

systemd: The "resolved" script itself is obviously a modified version of the one shipped with resolvconf; a comment at the top still even names the original project. There is a conditional at the top that checks for the presence of /lib/systemd/systemd-resolved (exactly where the original checks for /sbin/resolvconf), but this check is pointless---the systemd-resolved file not only belongs to the same package as the script, the package in question is systemd, which for all intents and purposes cannot be removed. Instead, the check should be on whether systemd-resolved is enabled, e.g.

    if systemctl is-enabled systemd-resolved | fgrep -q enabled ; then

systemd: In general, the "resolved" script could use some cleanup, particularly on removing bits related to resolvconf that do not apply to systemd-resolved.

resolvconf: It may be worthwhile for this package to disable systemd-resolved upon installation (and re-enable it upon renewal), as that presumably would be the intent of anyone installing it.

** Tags added: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1782275

Title:
  Conflict between resolvconf and systemd-resolved dhclient scripts

Status in resolvconf package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  I am setting up an Ubuntu 18.04 (bionic) system with ifupdown instead of netplan, as the latter does not meet my needs. I am using resolvconf to update /etc/resolv.conf from DHCP, as in earlier releases.

  Unfortunately, I am not seeing /etc/resolv.conf (actually a symlink to /run/resolvconf/resolv.conf) being updated; it is only the boilerplate from /etc/resolvconf/resolv.conf.d/head with no server information appended. (My "base" and "tail" files are empty.)

  I poked around the scripts in /etc, and believe I have found the problem. When resolvconf is installed, the following two files are present:

    /etc/dhcp/dhclient-enter-hooks.d/resolvconf
    /etc/dhcp/dhclient-enter-hooks.d/resolved

  Both of these scripts define the make_resolv_conf() shell function. What I am seeing is that dhclient runs these two scripts in the (alphabetical) order shown, and as the resolved script runs second, it overwrites the resolvconf version of the shell function with its own. As a result, dhclient does not invoke the appropriate update command for resolvconf, even though the hook script was installed correctly.

  Normally, I would remove the package that is providing the "resolved" script, but this package is systemd, which cannot be removed. I am not sure which of the two packages (resolvconf or systemd) needs to make an accommodation for the other, but it is clear that the current approach does not work.
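Added example (not part of the original message and not the packaged hook scripts): a reproduction of the ordering problem described in bug 1782275 above, using stand-in hooks in a temporary directory. It assumes hooks are sourced into one shell in lexical filename order, with a plain glob standing in for dhclient's own hook runner; write_hook, effective_handler and definers are constructed names. The definers function can also be pointed at a real hooks directory to list every file that defines make_resolv_conf().

```shell
#!/bin/sh
# write_hook DIR NAME LABEL
# Create a stand-in hook that defines make_resolv_conf() and prints LABEL,
# so the surviving definition can be identified.
write_hook() {
    printf 'make_resolv_conf() { echo "%s"; }\n' "$3" > "$1/$2"
}

# effective_handler DIR
# Source every hook in DIR in lexical order inside a subshell, then call
# make_resolv_conf(): whichever file was sourced last owns the function.
effective_handler() (
    LC_ALL=C
    make_resolv_conf() { echo "default"; }
    for hook in "$1"/*; do
        [ -f "$hook" ] || continue
        . "$hook"
    done
    make_resolv_conf
)

# definers DIR
# List, in sourcing order, the hooks that define make_resolv_conf().
# More than one line of output means a later hook silently replaces an
# earlier one; the last name printed is the one that takes effect.
definers() (
    LC_ALL=C
    cd "$1" || exit 1
    for hook in *; do
        [ -f "$hook" ] || continue
        if grep -Eq '^[[:space:]]*make_resolv_conf[[:space:]]*\(\)' "$hook"; then
            echo "$hook"
        fi
    done
)

# Demo on constructed hooks named as in the report.
hooks=$(mktemp -d)
write_hook "$hooks" resolvconf "resolvconf"
write_hook "$hooks" resolved "systemd-resolved"
echo "as shipped:   $(effective_handler "$hooks")"

# The rename proposed in the comment: the systemd hook now loads first,
# so the resolvconf definition is the one left standing.
mv "$hooks/resolved" "$hooks/00resolved"
echo "after rename: $(effective_handler "$hooks")"
rm -rf "$hooks"
```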
[Touch-packages] [Bug 1871726] Re: "systemd --user" and child processes fail to exit when user logs out
Could you try this using lightdm? It's possible that this may be a display-manager issue. I did notice that in a different (customized) configuration of Xubuntu, the user processes still remained after logout, but then killing the "systemd --user" process resulted in the login session ending.

Anyway, here is the output you requested, in the original test environment:

    # LC_ALL=C loginctl user-status skunk | cat
    skunk (1000)
      Since: Fri 2020-04-10 18:40:19 EDT; 3min 11s ago
      State: closing
      Sessions: *c2
      Linger: no
      Unit: user-1000.slice
            |-session-c2.scope
            | |-1288 /usr/libexec/geoclue-2.0/demos/agent
            | `-1345 /usr/bin/python3 /usr/share/system-config-printer/applet.py
            `-user@1000.service
              |-at-spi-dbus-bus.service
              | |-1131 /usr/libexec/at-spi-bus-launcher
              | `-1136 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
              |-dbus.service
              | |-1042 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
              | |-1140 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
              | |-1291 /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
              | |-1302 /usr/libexec/dconf-service
              | |-1391 /usr/libexec/goa-daemon
              | `-1404 /usr/libexec/goa-identity-service
              |-evolution-addressbook-factory.service
              | `-1438 /usr/libexec/evolution-addressbook-factory
              |-evolution-calendar-factory.service
              | `-1396 /usr/libexec/evolution-calendar-factory
              |-evolution-source-registry.service
              | `-1374 /usr/libexec/evolution-source-registry
              |-gvfs-afc-volume-monitor.service
              | `-1501 /usr/libexec/gvfs-afc-volume-monitor
              |-gvfs-daemon.service
              | |-1153 /usr/libexec/gvfsd
              | |-1158 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
              | `-1509 /usr/libexec/gvfsd-trash --spawner :1.13 /org/gtk/gvfs/exec_spaw/0
              |-gvfs-goa-volume-monitor.service
              | `-1497 /usr/libexec/gvfs-goa-volume-monitor
              |-gvfs-gphoto2-volume-monitor.service
              | `-1493 /usr/libexec/gvfs-gphoto2-volume-monitor
              |-gvfs-metadata.service
              | `-1515 /usr/libexec/gvfsd-metadata
              |-gvfs-mtp-volume-monitor.service
              | `-1489 /usr/libexec/gvfs-mtp-volume-monitor
              |-gvfs-udisks2-volume-monitor.service
              | `-1484 /usr/libexec/gvfs-udisks2-volume-monitor
              |-init.scope
              | |-1017 /lib/systemd/systemd --user
              | `-1018 (sd-pam)
              `-obex.service
                `-1464 /usr/lib/bluetooth/obexd

    Apr 10 18:41:21 test-ubuntu64 systemd[1017]: Stopped Indicator Application Service.
    Apr 10 18:41:21 test-ubuntu64 systemd[1017]: indicator-keyboard.service: Succeeded.
    Apr 10 18:41:21 test-ubuntu64 systemd[1017]: Stopped Indicator Keyboard Backend.
    Apr 10 18:41:21 test-ubuntu64 systemd[1017]: Stopping Indicator Session Service...
    Apr 10 18:41:21 test-ubuntu64 systemd[1017]: indicator-session.service: Succeeded.
    Apr 10 18:41:21 test-ubuntu64 systemd[1017]: Stopped Indicator Session Service.
    Apr 10 18:41:22 test-ubuntu64 indicator-sound[1250]: g_object_ref: assertion 'old_val > 0' failed
    Apr 10 18:41:22 test-ubuntu64 systemd[1017]: pulseaudio.service: Succeeded.
    Apr 10 18:41:22 test-ubuntu64 systemd[1017]: indicator-sound.service: Succeeded.
    Apr 10 18:41:22 test-ubuntu64 systemd[1017]: Stopped Indicator Sound Service.

If I kill the "systemd --user" process, the output slims down to this:

    # LC_ALL=C loginctl user-status skunk | cat
    skunk (1000)
      Since: Fri 2020-04-10 18:40:19 EDT; 5min ago
      State: closing
      Sessions: *c2
      Linger: no
      Unit: user-1000.slice
            `-session-c2.scope
              `-1288 /usr/libexec/geoclue-2.0/demos/agent

    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: pk-debconf-helper.socket: Succeeded.
    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: Closed debconf communication socket.
    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: pulseaudio.socket: Succeeded.
    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: Closed Sound System.
    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: snapd.session-agent.socket: Succeeded.
    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: Closed REST API socket for snapd user session agent.
    Apr 10 18:45:14 test-ubuntu64 systemd[1017]: Reached target Shutdown.
    Apr 10 18:45:14 test-ubuntu64 systemd[10
[Touch-packages] [Bug 1871726] Re: "systemd --user" and child processes fail to exit when user logs out
This occurs whether the user logs in (through lightdm) on the console, or remotely via xrdp.

Running that command, as root, after the user (skunk) has logged in via lightdm:

    # loginctl list-sessions
    SESSION UID USER SEAT TTY
    20 root
    c2 1000 skunk seat0

    2 sessions listed.

After logout:

    # loginctl list-sessions
    SESSION UID USER SEAT TTY
    20 root
    c2 1000 skunk seat0
    c3 107 lightdm seat0

    3 sessions listed.

Even after SIGINT to "systemd --user", even after all the user processes go away, the c2 session remains present.

The output from loginctl for an xrdp login is similar. After logout:

    # loginctl list-sessions
    SESSION UID USER SEAT TTY
    20 root
    c1 107 lightdm seat0
    c2 1000 skunk

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1871726

Title:
  "systemd --user" and child processes fail to exit when user logs out

Status in systemd package in Ubuntu:
  New

Bug description:
  This concerns systemd 245.2-1ubuntu2 in Ubuntu focal. I am using the Xfce desktop.

  After the user logs out from a desktop session, numerous desktop-related processes are left over. Here is a listing, taken over twenty minutes after logout:

    skunk 853 0.0 0.2 18912 10300 ? Ss 17:55 0:00 /lib/systemd/systemd --user
    skunk 854 0.0 0.0 103304 3496 ? S 17:55 0:00 (sd-pam)
    skunk 881 0.0 0.1 8076 5324 ? Ss 17:55 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    skunk 970 0.0 0.1 305364 6776 ? Ssl 17:55 0:00 /usr/libexec/at-spi-bus-launcher
    skunk 975 0.0 0.1 7352 4452 ? S 17:55 0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
    skunk 979 0.0 0.1 230196 5900 ? Sl 17:55 0:00 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
    skunk 992 0.0 0.1 239704 7676 ? Ssl 17:55 0:00 /usr/libexec/gvfsd
    skunk 997 0.0 0.1 378332 6444 ? Sl 17:55 0:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
    skunk 1133 0.0 0.1 156116 5596 ? Sl 17:56 0:00 /usr/libexec/dconf-service
    skunk 1139 0.0 0.1 236884 4828 ? Sl 17:56 0:00 /usr/libexec/geoclue-2.0/demos/agent
    skunk 1186 0.0 0.8 59324 34792 ? S 17:56 0:00 /usr/bin/python3 /usr/share/system-config-printer/applet.py
    skunk 1201 0.0 0.6 391676 25688 ? Ssl 17:56 0:00 /usr/libexec/evolution-source-registry
    skunk 1224 0.0 0.8 616644 35492 ? Sl 17:56 0:00 /usr/libexec/goa-daemon
    skunk 1235 0.0 0.7 708928 30512 ? Ssl 17:56 0:00 /usr/libexec/evolution-calendar-factory
    skunk 1243 0.0 0.2 314744 8980 ? Sl 17:56 0:00 /usr/libexec/goa-identity-service
    skunk 1271 0.0 0.7 681460 29344 ? Ssl 17:56 0:00 /usr/libexec/evolution-addressbook-factory
    skunk 1302 0.0 0.1 43968 6432 ? Ss 17:56 0:00 /usr/lib/bluetooth/obexd
    skunk 1322 0.0 0.2 313872 9076 ? Ssl 17:56 0:00 /usr/libexec/gvfs-udisks2-volume-monitor
    skunk 1327 0.0 0.1 235684 6468 ? Ssl 17:56 0:00 /usr/libexec/gvfs-mtp-volume-monitor
    skunk 1331 0.0 0.1 237956 6876 ? Ssl 17:56 0:00 /usr/libexec/gvfs-gphoto2-volume-monitor
    skunk 1335 0.0 0.1 235864 5760 ? Ssl 17:56 0:00 /usr/libexec/gvfs-goa-volume-monitor
    skunk 1339 0.0 0.2 316716 8800 ? Ssl 17:56 0:00 /usr/libexec/gvfs-afc-volume-monitor
    skunk 1347 0.0 0.1 313684 7836 ? Sl 17:56 0:00 /usr/libexec/gvfsd-trash --spawner :1.13 /org/gtk/gvfs/exec_spaw/0
    skunk 1353 0.0 0.1 162128 6028 ? Ssl 17:56 0:00 /usr/libexec/gvfsd-metadata

  When a user logs out of the system, all processes associated with the login session should be terminated (barring the use of nohup(1) or the like). If I send a SIGINT to the "systemd --user" process above (PID 853), then all the processes promptly go away. This needs to occur on logout.
[Touch-packages] [Bug 1871593] Re: User receives prompt on login: "Authentication is required to create a color managed device"
Note: My use case involves logging into the desktop remotely, via XRDP. This issue appears to affect other remote-login implementations as well.

Related:
https://github.com/TurboVNC/turbovnc/issues/47
https://bugzilla.redhat.com/show_bug.cgi?id=1149893
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/issues/273

** Bug watch added: github.com/TurboVNC/turbovnc/issues #47
   https://github.com/TurboVNC/turbovnc/issues/47

** Bug watch added: Red Hat Bugzilla #1149893
   https://bugzilla.redhat.com/show_bug.cgi?id=1149893

** Bug watch added: gitlab.gnome.org/GNOME/gnome-settings-daemon/issues #273
   https://gitlab.gnome.org/GNOME/gnome-settings-daemon/issues/273

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to colord in Ubuntu.
https://bugs.launchpad.net/bugs/1871593

Title:
  User receives prompt on login: "Authentication is required to create a color managed device"

Status in colord package in Ubuntu:
  New
[Touch-packages] [Bug 1871726] [NEW] "systemd --user" and child processes fail to exit when user logs out
Public bug reported:

This concerns systemd 245.2-1ubuntu2 in Ubuntu focal. I am using the Xfce desktop.

After the user logs out from a desktop session, numerous desktop-related processes are left over. Here is a listing, taken over twenty minutes after logout:

    skunk 853 0.0 0.2 18912 10300 ? Ss 17:55 0:00 /lib/systemd/systemd --user
    skunk 854 0.0 0.0 103304 3496 ? S 17:55 0:00 (sd-pam)
    skunk 881 0.0 0.1 8076 5324 ? Ss 17:55 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    skunk 970 0.0 0.1 305364 6776 ? Ssl 17:55 0:00 /usr/libexec/at-spi-bus-launcher
    skunk 975 0.0 0.1 7352 4452 ? S 17:55 0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
    skunk 979 0.0 0.1 230196 5900 ? Sl 17:55 0:00 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
    skunk 992 0.0 0.1 239704 7676 ? Ssl 17:55 0:00 /usr/libexec/gvfsd
    skunk 997 0.0 0.1 378332 6444 ? Sl 17:55 0:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
    skunk 1133 0.0 0.1 156116 5596 ? Sl 17:56 0:00 /usr/libexec/dconf-service
    skunk 1139 0.0 0.1 236884 4828 ? Sl 17:56 0:00 /usr/libexec/geoclue-2.0/demos/agent
    skunk 1186 0.0 0.8 59324 34792 ? S 17:56 0:00 /usr/bin/python3 /usr/share/system-config-printer/applet.py
    skunk 1201 0.0 0.6 391676 25688 ? Ssl 17:56 0:00 /usr/libexec/evolution-source-registry
    skunk 1224 0.0 0.8 616644 35492 ? Sl 17:56 0:00 /usr/libexec/goa-daemon
    skunk 1235 0.0 0.7 708928 30512 ? Ssl 17:56 0:00 /usr/libexec/evolution-calendar-factory
    skunk 1243 0.0 0.2 314744 8980 ? Sl 17:56 0:00 /usr/libexec/goa-identity-service
    skunk 1271 0.0 0.7 681460 29344 ? Ssl 17:56 0:00 /usr/libexec/evolution-addressbook-factory
    skunk 1302 0.0 0.1 43968 6432 ? Ss 17:56 0:00 /usr/lib/bluetooth/obexd
    skunk 1322 0.0 0.2 313872 9076 ? Ssl 17:56 0:00 /usr/libexec/gvfs-udisks2-volume-monitor
    skunk 1327 0.0 0.1 235684 6468 ? Ssl 17:56 0:00 /usr/libexec/gvfs-mtp-volume-monitor
    skunk 1331 0.0 0.1 237956 6876 ? Ssl 17:56 0:00 /usr/libexec/gvfs-gphoto2-volume-monitor
    skunk 1335 0.0 0.1 235864 5760 ? Ssl 17:56 0:00 /usr/libexec/gvfs-goa-volume-monitor
    skunk 1339 0.0 0.2 316716 8800 ? Ssl 17:56 0:00 /usr/libexec/gvfs-afc-volume-monitor
    skunk 1347 0.0 0.1 313684 7836 ? Sl 17:56 0:00 /usr/libexec/gvfsd-trash --spawner :1.13 /org/gtk/gvfs/exec_spaw/0
    skunk 1353 0.0 0.1 162128 6028 ? Ssl 17:56 0:00 /usr/libexec/gvfsd-metadata

When a user logs out of the system, all processes associated with the login session should be terminated (barring the use of nohup(1) or the like). If I send a SIGINT to the "systemd --user" process above (PID 853), then all the processes promptly go away. This needs to occur on logout.

** Affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1871726

Title:
  "systemd --user" and child processes fail to exit when user logs out

Status in systemd package in Ubuntu:
  New
[Touch-packages] [Bug 1871593] [NEW] User receives prompt on login: "Authentication is required to create a color managed device"
Public bug reported:

This concerns colord 1.4.4-2 in Ubuntu focal. (xiccd 0.3.0-1 may also be relevant.)

I log into the Xfce desktop environment, and immediately see an "Authenticate" window pop up:

    Authentication is required to create a color managed device
    Password for root:
    Action: org.freedesktop.color-manager.create-device
    Vendor: System Color Manager

I see this in syslog:

    Apr 8 05:38:30 test-ubuntu64 dbus-daemon[573]: [system] Activating via systemd: service name='org.freedesktop.ColorManager' unit='colord.service' requested by ':1.35' (uid=1000 pid=1475 comm="xiccd " label="unconfined")

This prompt is confusing to ordinary users, and I do not understand why it should even be necessary.

** Affects: colord (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to colord in Ubuntu.
https://bugs.launchpad.net/bugs/1871593

Title:
  User receives prompt on login: "Authentication is required to create a color managed device"

Status in colord package in Ubuntu:
  New
[Touch-packages] [Bug 1853861] Re: [SRU] Unattended-upgrades silently does not apply updates when MinimalSteps is disabled and there are autoremovable kernels
Thanks Balint. I've installed the bionic-proposed package, and have not observed any silently-failed upgrades as before (but of course verifying it in my use case is tantamount to proving a negative).

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1853861

Title:
  [SRU] Unattended-upgrades silently does not apply updates when MinimalSteps is disabled and there are autoremovable kernels

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  Fix Committed
Status in unattended-upgrades source package in Bionic:
  Fix Committed
Status in unattended-upgrades source package in Disco:
  Fix Released
Status in unattended-upgrades source package in Eoan:
  Fix Released

Bug description:
  [Impact]

   * When autoremovable kernel packages are present on the system, there are updates to apply and Unattended-Upgrade::MinimalSteps is set to "false", the autoremovable kernel packages are not removed and the updates are not applied.
   * The root cause is u-u not cleaning the dirty cache between operations and also relying on having a cache with packages marked to be installed when applying updates in one shot.
   * The fix is clearing the cache between operations and marking packages before installing them in one shot.

  [Test Case]

   * Install kernel-related packages, mark them as automatically installed to make them auto-removable ones.
   * Downgrade a few packages to a version lower than what is present in the security pocket.
   * Set Unattended-Upgrade::MinimalSteps to "false":
     # echo 'Unattended-Upgrade::MinimalSteps "false";' > /etc/apt/apt.conf.d/51unattended-upgrades-oneshot
   * Run u-u:
     # unattended-upgrade --verbose --debug
   * Observe fixed versions removing the kernel packages properly and also upgrading packages.

  [Regression Potential]

   * The changes introduce marking packages to install/upgrade and clearing the cache more often. The added operations slow down u-u, but clearing the cache adds a few 100 milliseconds on typical hardware and marking upgradable packages is also in the same range.
   * Functional regressions are unlikely due to those changes since the fixes are present in 19.04 and later releases and the extensive autopkgtest also covers when upgrades are performed in minimal steps.

  [Other Info]

   * While this bug has a security impact by holding back installation of security updates I don't recommend releasing the fix via the security pocket because this bug occurs only when the local configuration file of u-u is changed and u-u does not hold back upgrades with UCF-managed config file conflicts.

  See: https://github.com/mvo5/unattended-upgrades/issues/168
[Touch-packages] [Bug 1599646] Re: E-mail report contains repeated "Reading database ... NN%" lines
Could this be SRU'ed into Bionic? 18.04LTS currently has version 1.1, so the "Reading database ..." lines will otherwise afflict it for quite some time to come.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1599646

Title:
  E-mail report contains repeated "Reading database ... NN%" lines

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in apt package in Debian:
  New

Bug description:
  This concerns unattended-upgrades 0.90 in Xenial.

  Here is an excerpt from an e-mail report sent out by u-u after the upgrade process is completed:

    Package installation log:
    Log started: 2016-07-06 17:24:21
    Preconfiguring packages ...
    (Reading database ...
    (Reading database ... 5%
    (Reading database ... 10%
    (Reading database ... 15%
    (Reading database ... 20%
    (Reading database ... 25%
    (Reading database ... 30%
    (Reading database ... 35%
    (Reading database ... 40%
    (Reading database ... 45%
    (Reading database ... 50%
    (Reading database ... 55%
    (Reading database ... 60%
    (Reading database ... 65%
    (Reading database ... 70%
    (Reading database ... 75%
    (Reading database ... 80%
    (Reading database ... 85%
    (Reading database ... 90%
    (Reading database ... 95%
    (Reading database ... 100%
    (Reading database ... 314949 files and directories currently installed.)
    Preparing to unpack .../tzdata_2016f-0ubuntu0.16.04_all.deb ...
    Unpacking tzdata (2016f-0ubuntu0.16.04) over (2016d-0ubuntu0.16.04) ...
    Preparing to unpack .../libgimp2.0_2.8.16-1ubuntu1.1_i386.deb ...

  All but the last "Reading database ..." line should be elided from the message. As a matter of fact, those lines do not appear in messages mailed out from current Trusty systems (u-u version 0.82.1ubuntu2.4), so this appears to be a regression.
[Touch-packages] [Bug 1784499] Re: AppArmor treats regular NFS file access as network op
Thanks for looking into this Markus. I'm surprised that the kernel pieces needed to make this work as expected have yet to be fully integrated.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1784499

Title:
  AppArmor treats regular NFS file access as network op

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  I am using AppArmor 2.12-4ubuntu5 on Ubuntu 18.04/bionic. I have the usr.bin.man profile enforced, and home directories in NFS.

  The log excerpt copied below is the result of a single invocation of "man ls" by an unprivileged user. (The program did display the man page correctly to the user.)

  It does not seem appropriate for AppArmor to report the man(1) program as having attempted to contact the NFS server directly, when it only tried to access an NFS-served file in the normal way. "man" is not a network-aware program and the log below misleadingly implies otherwise.

    Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.052274] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.052297] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.052314] kauditd_printk_skb: 34 callbacks suppressed
    Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 audit(1532986715.854:215): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.052327] audit: type=1400 audit(1532986715.854:216): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.052363] audit: type=1400 audit(1532986715.854:217): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.052364] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(1532986715.854:218): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.052386] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.052450] audit: type=1400 audit(1532986715.854:219): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.059570] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.059640] audit: type=1400 audit(1532986715.862:220): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.061907] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.062014] audit: type=1400 audit(1532986715.862:222): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
    Jul 30 17:38:35 darkstar kernel: [69963.066404] nfs: RPC call returned error 13
    Jul 30 17:38:35 darkstar kernel: [69963.066434] audit: type=1400 audit(1532986715.866:223): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2788 com
[Touch-packages] [Bug 1777070] Re: firefox plugin libwidevinecdm.so crashes due to apparmor denial
Arrgh... this is not a great way of working (malware could write to that location and then load in code), but as it is what we've got, I've added the rule to a forthcoming Firefox profile update.

Incidentally, Olivier, if you've got a line on who's responsible for the Firefox profile there, it would be very helpful. The profile is no longer maintained by the AppArmor folks, and I'm not sure of a better place to send an update aside from here.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1777070

Title:
  firefox plugin libwidevinecdm.so crashes due to apparmor denial

Status in apparmor package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

  Running firefox, then going to netflix.com and attempting to play a movie. The widevinecdm plugin crashes, the following is found in syslog:

    Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
    Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
    Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 7fcdfdaa76af sp 7ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
    Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
    Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
    Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
    Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
    Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault at 0 ip 7fe3b57f46af sp 7ffe6dc0b488 error 6 in libxul.so[7fe3b34c7000+6111000]
    Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
    Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
    Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault at 0 ip 7fcf32ae06af sp 7ffeb8a136c8 error 6 in libxul.so[7fcf307b3000+6111000]
    Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
    Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: [hamster] bad exit code 1
    Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
    Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
    Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
    Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault at 0 ip 7fe5667c66af sp 7fffe8cc0da8 error 6 in libxul.so[7fe564499000+6111000]
    Jun 15
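The two AppArmor reports above (bug 1784499 and bug 1777070) both turn on reading type=1400 DENIED records. The following is an added example, not part of any of the messages or of AppArmor itself: it parses such records and separates NFS client traffic charged to a confined process from executable mappings out of a user-writable directory. The category names, the USER_WRITABLE prefix list and the fsuid/ouid ownership check are assumptions of the example; the sample lines are copied from the excerpts quoted in those reports.

```python
import re
from collections import Counter

# Sample input: six lines copied from the syslog excerpts quoted in the two
# AppArmor bug reports on this page (bug 1784499 and bug 1777070).
SAMPLE_LOG = r'''
Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 7fcdfdaa76af sp 7ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
'''

# key=value or key="quoted value", as emitted in kernel audit records.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

NFS_PORT = "2049"  # the fport seen in the bug 1784499 denials
# Assumption of this example: prefixes an unprivileged user can normally write to.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def classify(fields):
    """Assign one of this example's (hypothetical) triage categories to a denial."""
    op = fields.get("operation", "")
    # Socket denial towards the NFS port: the kernel NFS client's RPC traffic
    # is being attributed to the confined process that touched the file.
    if fields.get("fport") == NFS_PORT and fields.get("family") in ("inet", "inet6"):
        return "nfs-rpc-charged-to-process"
    # "m" is the executable-mapping permission in AppArmor file rules.
    if op == "file_mmap" and "m" in fields.get("requested_mask", ""):
        if fields.get("name", "").startswith(USER_WRITABLE):
            return "exec-mmap-from-user-writable-path"
        return "exec-mmap"
    if op == "ptrace":
        return "ptrace"
    return "other"


def caller_owns_file(fields):
    """True when fsuid equals ouid, i.e. the process's own user owns the file."""
    return "ouid" in fields and fields.get("fsuid") == fields["ouid"]


def triage(log_text):
    """Count denials per (profile, comm, category)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is not None:
            counts[(fields.get("profile"), fields.get("comm"), classify(fields))] += 1
    return counts


def risky_mappings(log_text):
    """List (comm, path, caller_owns_file) for executable maps of user-writable files."""
    out = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields and classify(fields) == "exec-mmap-from-user-writable-path":
            out.append((fields.get("comm"), fields["name"], caller_owns_file(fields)))
    return out


if __name__ == "__main__":
    for (profile, comm, category), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {category:36s} profile={profile} comm={comm}")
    for comm, path, owned in risky_mappings(SAMPLE_LOG):
        print(f"review before allowing 'm': {path} (comm={comm}, owned by caller={owned})")
```

A mapping reported by risky_mappings() is the case the reply above is wary of: a rule granting "m" on that path lets the confined program execute whatever the user account can write there.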
[Touch-packages] [Bug 557818] Re: cups-client does not create /etc/cups directory, let alone client.conf
Bug persists in Ubuntu 18.04/bionic:

    # ls /etc/cups
    ls: cannot access '/etc/cups': No such file or directory

    # apt-get install cups-client
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      cups-common libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libcupsfilters1 libcupsimage2 libjbig0 libjpeg-turbo8 libjpeg8 libtiff5
    Suggested packages:
      cups xpp cups-bsd smbclient
    The following NEW packages will be installed:
      cups-client cups-common libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libcupsfilters1 libcupsimage2 libjbig0 libjpeg-turbo8 libjpeg8 libtiff5
    0 upgraded, 12 newly installed, 0 to remove and 0 not upgraded.
    Need to get 1,043 kB of archives.
    After this operation, 6,575 kB of additional disk space will be used.
    Do you want to continue? [Y/n]
    [...]
    Setting up libcupsfilters1:amd64 (1.20.2-0ubuntu3) ...
    Setting up libcupsimage2:amd64 (2.2.7-1ubuntu2.1) ...
    Setting up cups-client (2.2.7-1ubuntu2.1) ...
    Adding group `lpadmin' (GID 111) ...
    Done.
    Processing triggers for libc-bin (2.27-3ubuntu1) ...

    # ls /etc/cups
    ls: cannot access '/etc/cups': No such file or directory

** Changed in: cups (Ubuntu)
   Status: Incomplete => New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/557818

Title:
  cups-client does not create /etc/cups directory, let alone client.conf

Status in cups package in Ubuntu:
  New

Bug description:
  Binary package hint: cups-client

  This concerns cups-client 1.4.2-10 in Lucid beta1.

  When you install the cups-client package, there is no sign whatsoever of the all-important /etc/cups/client.conf file; even the /etc/cups directory is not present.

  The package should install a client.conf file, with helpful comments therein, as is customary for other client-type programs (e.g. dumb MTAs). This is particularly relevant for sites that use a central CUPS server (i.e. the "cups" package is not locally installed).
[Touch-packages] [Bug 1777070] Re: firefox plugin libwidevinecdm.so crashes due to apparmor denial
I think we're going to need more information on how this plugin got in there in the first place. Being able to map a library in a user-writable directory doesn't sound terribly safe...

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1777070

Title:
  firefox plugin libwidevinecdm.so crashes due to apparmor denial

Status in apparmor package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  New

Bug description:
  Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

  Running firefox, then going to netflix.com and attempting to play a movie. The widevinecdm plugin crashes, the following is found in syslog:

  Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 7fcdfdaa76af sp 7ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
  Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
  Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault at 0 ip 7fe3b57f46af sp 7ffe6dc0b488 error 6 in libxul.so[7fe3b34c7000+6111000]
  Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault at 0 ip 7fcf32ae06af sp 7ffeb8a136c8 error 6 in libxul.so[7fcf307b3000+6111000]
  Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: [hamster] bad exit code 1
  Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault at 0 ip 7fe5667c66af sp 7fffe8cc0da8 error 6 in libxul.so[7fe564499000+6111000]
  Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400 audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwid
[Touch-packages] [Bug 1575438] Re: usr.sbin.nscd needs r/w access to nslcd socket
An update to the "ldapclient" abstraction has been merged upstream:

https://gitlab.com/apparmor/apparmor/merge_requests/153/diffs?commit_id=ac1d0545f458b11728f2bcb4a7de0567538fa94a

** Changed in: apparmor
       Status: New => Fix Committed

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575438

Title:
  usr.sbin.nscd needs r/w access to nslcd socket

Status in AppArmor:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  I am using nscd with nslcd (LDAP lookup daemon) for NSS services via LDAP. It is typical to configure nslcd to connect to the actual LDAP server, and then set up /etc/ldap.conf (which is what NSS/nscd uses for "ldap" type lookups in /etc/nsswitch.conf) with a server URI of ldapi:///var/run/nslcd/socket . This way, only nslcd needs to talk with the LDAP server, rather than every application that wants to do getpwent() et al.

  Unfortunately, the usr.sbin.nscd profile in apparmor-profiles 2.10.95-0ubuntu2 (Xenial) makes no mention of the nslcd socket, which results in NSS LDAP lookups not working when the profile is enforced in this configuration.

  This is the new line that is needed:

    /{,var/}run/nslcd/socket rw,

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575438/+subscriptions
[Touch-packages] [Bug 1784499] [NEW] AppArmor treats regular NFS file access as network op
Public bug reported:

I am using AppArmor 2.12-4ubuntu5 on Ubuntu 18.04/bionic.

I have the usr.bin.man profile enforced, and home directories in NFS.

The log excerpt copied below is the result of a single invocation of "man ls" by an unprivileged user. (The program did display the man page correctly to the user.)

It does not seem appropriate for AppArmor to report the man(1) program as having attempted to contact the NFS server directly, when it only tried to access an NFS-served file in the normal way. "man" is not a network-aware program and the log below misleadingly implies otherwise.

Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052274] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052297] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052314] kauditd_printk_skb: 34 callbacks suppressed
Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 audit(1532986715.854:215): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052327] audit: type=1400 audit(1532986715.854:216): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052363] audit: type=1400 audit(1532986715.854:217): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052364] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(1532986715.854:218): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052386] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052450] audit: type=1400 audit(1532986715.854:219): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.059570] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.059640] audit: type=1400 audit(1532986715.862:220): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.061907] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.062014] audit: type=1400 audit(1532986715.862:222): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.066404] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.066434] audit: type=1400 audit(1532986715.866:223): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2788 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.066437] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.066462] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067504] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067535] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067548
[Touch-packages] [Bug 1784499] Re: AppArmor treats regular NFS file access as network op
I have an additional test case that is perhaps more immediate. Attempting to view a roff file in NFS directly:

  $ man ./zlib.3
  man: ./zlib.3: Permission denied
  No manual entry for ./zlib.3

This fails despite the permissive "/** mrixwlk" rule in the AppArmor profile. Similar output in the log as above; the denials are network-related, not file-access-related.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1784499

Title:
  AppArmor treats regular NFS file access as network op

Status in apparmor package in Ubuntu:
  New
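An added triage example for the denials quoted in this bug and in bug 1777070 above (not part of either report): it tallies AppArmor DENIED records by profile, command and operation, and separates network denials toward port 2049, the fport in the excerpt, from file denials that carry a name= path. The sample lines are constructed in the shape of the excerpts; summarize_denials and nfs_rpc_denials are hypothetical names.

```shell
#!/bin/sh
# Constructed sample input: shaped like the syslog excerpts in the reports,
# with made-up host name, timestamps, pids and documentation-range addresses.
sample_log() {
cat <<'EOF'
Jul 30 17:38:35 host kernel: [1.000001] nfs: RPC call returned error 13
Jul 30 17:38:35 host kernel: [1.000002] audit: type=1400 audit(1532986715.854:1): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=100 comm="man" laddr=192.0.2.10 lport=719 faddr=192.0.2.20 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 host kernel: [1.000003] audit: type=1400 audit(1532986715.854:2): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=100 comm="man" laddr=192.0.2.10 lport=802 faddr=192.0.2.20 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 host kernel: [1.000004] audit: type=1400 audit(1532986715.862:3): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=101 comm="less" laddr=192.0.2.10 lport=719 faddr=192.0.2.20 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jun 15 19:13:22 host kernel: [2.000001] audit: type=1400 audit(1529046802.585:4): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/user/.mozilla/firefox/example.default/gmp-widevinecdm/libwidevinecdm.so" pid=200 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 host kernel: [2.000002] audit: type=1400 audit(1529046802.585:5): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=201 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
EOF
}

# Read syslog text on stdin; print "<count> <profile> <comm> <operation> <class>".
# Classes:
#   net:nfs-rpc  record has family= and fport=2049 (socket op toward the NFS port)
#   net:other    record has family= with any other peer port
#   file         record has a name= path (file mediation)
#   other        anything else (ptrace, signal, ...)
# Assumes no spaces inside quoted values, which holds for the excerpts shown.
summarize_denials() {
    awk '
    function val(tok) { sub(/^[^=]*=/, "", tok); gsub(/"/, "", tok); return tok }
    /apparmor="DENIED"/ {
        profile = op = comm = name = fport = family = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^profile=/)   profile = val($i)
            else if ($i ~ /^operation=/) op      = val($i)
            else if ($i ~ /^comm=/)      comm    = val($i)
            else if ($i ~ /^name=/)      name    = val($i)
            else if ($i ~ /^fport=/)     fport   = val($i)
            else if ($i ~ /^family=/)    family  = val($i)
        }
        if (family != "" && fport == "2049") class = "net:nfs-rpc"
        else if (family != "")               class = "net:other"
        else if (name != "")                 class = "file"
        else                                 class = "other"
        count[profile " " comm " " op " " class]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Total number of denials classified as traffic toward the NFS port.
nfs_rpc_denials() {
    summarize_denials | awk '$NF == "net:nfs-rpc" { n += $1 } END { print n + 0 }'
}

sample_log | summarize_denials
```

A profile whose only denials fall in the net:nfs-rpc class while its file rules are permissive matches the situation described in this report.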
[Touch-packages] [Bug 1782641] Re: Request: Rename "ubuntu-keyring" package to "ubuntu-archive-keyring" for consistency with Debian
Dimitri, thank you for laying out the rationale behind the package name.

Since there is good reason for things to be the way they are here, I've opened a bug on the Debian side for them to address the naming inconsistency:

https://bugs.debian.org/904152

** Bug watch added: Debian Bug tracker #904152
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904152

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1782641

Title:
  Request: Rename "ubuntu-keyring" package to "ubuntu-archive-keyring" for consistency with Debian

Status in ubuntu-keyring package in Ubuntu:
  Opinion

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1782641/+subscriptions
[Touch-packages] [Bug 1782275] Re: Conflict between resolvconf and systemd-resolved dhclient scripts
This issue can be addressed with a manual action, but first you have to dig into the scripts to diagnose the problem, and really if resolvconf is installed then it should just work.

Part of this setup involves disabling systemd-resolved, in favor of a "direct" /etc/resolv.conf, to match the network configuration of other systems at my site. We've also found resolvconf to be a good solution to allow flexibility in how the dynamic resolv.conf file is assembled.

There are at least two issues that I can see here:

1. When there is more than one script in /etc/dhcp/dhclient-enter-hooks.d/ that defines the make_resolv_conf() shell function, the last definition is the one that "wins." If the "resolvconf" script is renamed to e.g. "zz-resolvconf", then it works correctly. This may be a case for renaming systemd's "resolved" script to something like "00resolved" (borrowing an idea from /etc/X11/Xsession.d/), since it is always present in an out-of-the-box install.

2. The "resolved" script takes effect if the /lib/systemd/systemd-resolved executable is present, when it should probably also check that systemd-resolved is enabled. Currently, the script runs even if systemd-resolved is not active, effectively turning into a no-op (albeit a no-op that clobbers resolvconf's functionality).

That would also fix another use case, where systemd-resolved is disabled and resolvconf is absent. In that scenario, the default make_resolv_conf() function from /sbin/dhclient-script should be used.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1782275

Title:
  Conflict between resolvconf and systemd-resolved dhclient scripts

Status in resolvconf package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1782275/+subscriptions
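The ordering problem described in this message, reproduced as an added example (not code from resolvconf, systemd or the poster): stand-in hook files are sourced in sorted name order, which is assumed here to model how dhclient-script loads dhclient-enter-hooks.d, and the surviving make_resolv_conf() is reported. hook_winner, write_hook, scenario and RESOLVED_ACTIVE are hypothetical names; RESOLVED_ACTIVE stands in for the "is systemd-resolved enabled" check proposed in point 2.

```shell
#!/bin/sh
# Constructed demo: the hook files written here are stand-ins, not the
# scripts shipped in /etc/dhcp/dhclient-enter-hooks.d/.

# Stand-in for "systemd-resolved is enabled" (assumption; a real hook would
# have to query the service state). Defaults to "no".
RESOLVED_ACTIVE=${RESOLVED_ACTIVE:-no}

# Source every hook in directory $1 in sorted name order, then call whichever
# make_resolv_conf() definition is live. Runs in a subshell so the caller's
# functions are left alone.
hook_winner() {
    (
        LC_ALL=C; export LC_ALL      # byte-order glob sorting, deterministic
        make_resolv_conf() { echo "dhclient-script default"; }
        for hook in "$1"/*; do
            [ -f "$hook" ] && . "$hook"
        done
        make_resolv_conf
    )
}

# write_hook <path> <label> [guard]
# Writes a hook that redefines make_resolv_conf() to print <label>.
# With a guard, the redefinition only happens when the guard command succeeds.
write_hook() {
    if [ -n "${3:-}" ]; then
        printf 'if %s; then\n  make_resolv_conf() { echo "%s"; }\nfi\n' "$3" "$2" > "$1"
    else
        printf 'make_resolv_conf() { echo "%s"; }\n' "$2" > "$1"
    fi
}

# Build one layout of the hooks directory and print the winning definition.
scenario() {
    dir=$(mktemp -d) || return 1
    guard='[ "$RESOLVED_ACTIVE" = yes ]'
    case "$1" in
        stock)              # both hooks under their reported names
            write_hook "$dir/resolvconf" resolvconf
            write_hook "$dir/resolved"   resolved ;;
        rename-resolvconf)  # workaround from point 1
            write_hook "$dir/zz-resolvconf" resolvconf
            write_hook "$dir/resolved"      resolved ;;
        rename-resolved)    # renaming suggested in point 1
            write_hook "$dir/resolvconf" resolvconf
            write_hook "$dir/00resolved" resolved ;;
        guarded)            # point 2: resolved hook checks service state first
            write_hook "$dir/resolvconf" resolvconf
            write_hook "$dir/resolved"   resolved "$guard" ;;
        guarded-alone)      # resolvconf absent, systemd-resolved disabled
            write_hook "$dir/resolved"   resolved "$guard" ;;
    esac
    hook_winner "$dir"
    rm -rf "$dir"
}

for s in stock rename-resolvconf rename-resolved guarded guarded-alone; do
    printf '%-18s -> %s\n' "$s" "$(scenario "$s")"
done
```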
[Touch-packages] [Bug 1782641] [NEW] Request: Rename "ubuntu-keyring" package to "ubuntu-archive-keyring" for consistency with Debian
Public bug reported:

The package that Ubuntu calls "ubuntu-keyring" is present in Debian as "ubuntu-archive-keyring".

Debian has separate "debian-keyring" and "debian-archive-keyring" packages, described as follows:

    d-k: GnuPG keys of Debian Developers and Maintainers
    d-a-k: GnuPG archive keys of the Debian archive

IMO this is a reasonable distinction, as the keys of developers/maintainers are rarely needed by end users, and the d-k package is significantly larger (on the order of 30 MB).

Thus, the current "ubuntu-keyring" package would be better named "ubuntu-archive-keyring", not only so that the equivalent package has the same name in both distros, but also to maintain the same distinction between developer keys and archive keys. (Ubuntu could potentially decide to ship a package containing Ubuntu developer keys in the future, and it would be awkward if this needed to be named e.g. "ubuntu-devel-keyring" or the like.)

** Affects: ubuntu-keyring (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1782641

Title:
  Request: Rename "ubuntu-keyring" package to "ubuntu-archive-keyring" for consistency with Debian

Status in ubuntu-keyring package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1782641/+subscriptions
[Touch-packages] [Bug 1782275] [NEW] Conflict between resolvconf and systemd-resolved dhclient scripts
Public bug reported:

I am setting up an Ubuntu 18.04 (bionic) system with ifupdown instead of netplan, as the latter does not meet my needs. I am using resolvconf to update /etc/resolv.conf from DHCP, as in earlier releases.

Unfortunately, I am not seeing /etc/resolv.conf (actually a symlink to /run/resolvconf/resolv.conf) being updated; it is only the boilerplate from /etc/resolvconf/resolv.conf.d/head with no server information appended. (My "base" and "tail" files are empty.)

I poked around the scripts in /etc, and believe I have found the problem. When resolvconf is installed, the following two files are present:

    /etc/dhcp/dhclient-enter-hooks.d/resolvconf
    /etc/dhcp/dhclient-enter-hooks.d/resolved

Both of these scripts define the make_resolv_conf() shell function.

What I am seeing is that dhclient runs these two scripts in the (alphabetical) order shown, and as the resolved script runs second, it overwrites the resolvconf version of the shell function with its own. As a result, dhclient does not invoke the appropriate update command for resolvconf, even though the hook script was installed correctly.

Normally, I would remove the package that is providing the "resolved" script, but this package is systemd, which cannot be removed. I am not sure which of the two packages (resolvconf or systemd) needs to make an accommodation for the other, but it is clear that the current approach does not work.

** Affects: resolvconf (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to resolvconf in Ubuntu.
https://bugs.launchpad.net/bugs/1782275

Title:
  Conflict between resolvconf and systemd-resolved dhclient scripts

Status in resolvconf package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1782275/+subscriptions
[Touch-packages] [Bug 1782274] [NEW] resolvconf package needs dependency on ifupdown
Public bug reported:

When I install resolvconf on a minimal install of Ubuntu 18.04 (bionic), I see this:

  # apt-get install resolvconf
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following NEW packages will be installed:
    resolvconf
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 0 B/48.2 kB of archives.
  After this operation, 187 kB of additional disk space will be used.
  Preconfiguring packages ...
  /tmp/resolvconf.config.XleExb: 13: /tmp/resolvconf.config.XleExb: ifquery: not found
  /tmp/resolvconf.config.XleExb: 13: /tmp/resolvconf.config.XleExb: ifquery: not found
  Selecting previously unselected package resolvconf.
  (Reading database ... 90542 files and directories currently installed.)
  Preparing to unpack .../resolvconf_1.79ubuntu10_all.deb ...
  Unpacking resolvconf (1.79ubuntu10) ...
  Processing triggers for ureadahead (0.100.0-20) ...
  Processing triggers for systemd (237-3ubuntu10) ...
  Processing triggers for man-db (2.8.3-2) ...
  Setting up resolvconf (1.79ubuntu10) ...
  /var/lib/dpkg/info/resolvconf.config: 13: /var/lib/dpkg/info/resolvconf.config: ifquery: not found
  /var/lib/dpkg/info/resolvconf.config: 13: /var/lib/dpkg/info/resolvconf.config: ifquery: not found
  Created symlink /etc/systemd/system/sysinit.target.wants/resolvconf.service → /lib/systemd/system/resolvconf.service.
  Created symlink /etc/systemd/system/systemd-resolved.service.wants/resolvconf-pull-resolved.path → /lib/systemd/system/resolvconf-pull-resolved.path.
  resolvconf-pull-resolved.service is a disabled or a static unit, not starting it.
  resolvconf-pull-resolved.service is a disabled or a static unit, not starting it.
  Processing triggers for systemd (237-3ubuntu10) ...
  Processing triggers for ureadahead (0.100.0-20) ...
  Processing triggers for resolvconf (1.79ubuntu10) ...

The "ifquery" program is provided by the ifupdown package. Therefore, resolvconf needs to include ifupdown in its Depends: clause. (Currently, ifupdown is mentioned in Enhances:)

** Affects: resolvconf (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to resolvconf in Ubuntu.
https://bugs.launchpad.net/bugs/1782274

Title:
  resolvconf package needs dependency on ifupdown

Status in resolvconf package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1782274/+subscriptions
[Touch-packages] [Bug 1766317] Re: package rsyslog 8.32.0-1ubuntu3 failed to install/upgrade: installed rsyslog package post-installation script subprocess returned error exit status 1
This bug appears to have been fixed in 8.32.0-1ubuntu4. Looks like this
was an issue with the Apparmor profile.

rsyslog (8.32.0-1ubuntu4) bionic; urgency=medium

  [ Jamie Strandboge ]
  * debian/usr.sbin.rsyslogd: updates for bionic (LP: #1766600)
    - allow rsyslog modules in multiarch directories
    - allow writing temporary pidfile

  [ Dimitri John Ledkov ]
  * Tolerate installing rsyslog, on systems without systemd installed.
    LP: #1766574

 -- Dimitri John Ledkov  Tue, 24 Apr 2018 15:47:41 +0100

If anyone is still seeing this issue, please re-open.

** Changed in: rsyslog (Ubuntu)
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1766317

Title:
  package rsyslog 8.32.0-1ubuntu3 failed to install/upgrade: installed
  rsyslog package post-installation script subprocess returned error
  exit status 1

Status in rsyslog package in Ubuntu:
  Fix Released

Bug description:
  Setting up rsyslog (8.32.0-1ubuntu3) ...
  Installing new version of config file /etc/init.d/rsyslog ...
  Installing new version of config file /etc/logrotate.d/rsyslog ...
  Installing new version of config file /etc/rsyslog.conf ...
  The user `syslog' is already a member of `adm'.
  Job for rsyslog.service failed because the control process exited with error code.
  See "systemctl status rsyslog.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript rsyslog, action "restart" failed.
  ● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Mon 2018-04-23 19:40:06 CEST; 8ms ago
       Docs: man:rsyslogd(8)
             http://www.rsyslog.com/doc/
    Process: 31888 ExecStart=/usr/sbin/rsyslogd -n (code=exited, status=1/FAILURE)
   Main PID: 31888 (code=exited, status=1/FAILURE)
  dpkg: error processing package rsyslog (--configure):
   installed rsyslog package post-installation script subprocess returned error exit status 1

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: rsyslog 8.32.0-1ubuntu3
  Uname: Linux 4.16.3-041603-generic x86_64
  ApportVersion: 2.20.9-0ubuntu6
  Architecture: amd64
  Date: Mon Apr 23 19:40:06 2018
  ErrorMessage: installed rsyslog package post-installation script subprocess returned error exit status 1
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2
   apt  1.6.1
  SourcePackage: rsyslog
  Title: package rsyslog 8.32.0-1ubuntu3 failed to install/upgrade: installed rsyslog package post-installation script subprocess returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1766317] Re: package rsyslog 8.32.0-1ubuntu3 failed to install/upgrade: installed rsyslog package post-installation script subprocess returned error exit status 1
Hi Brian,

This is actually the same issue. I am seeing the same error message
quoted by the original reporter, but that message is filtered through
systemd---it is not direct output from rsyslogd. What I provided was
the direct output, that actually shows what's going on.

I think this needs to be bumped up to at least High, as it breaks
logging.

https://bugs.launchpad.net/bugs/1766317

Status in rsyslog package in Ubuntu:
  Confirmed
[Touch-packages] [Bug 1766317] Re: package rsyslog 8.32.0-1ubuntu3 failed to install/upgrade: installed rsyslog package post-installation script subprocess returned error exit status 1
I am seeing this same error in Bionic. Some further telemetry:

# /usr/sbin/rsyslogd -n
rsyslog internal message (3,-2066): could not load module '/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so', dlopen: /usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so: failed to map segment from shared object [v8.32.0 try http://www.rsyslog.com/e/2066 ]
Error during class init for object 'conf' - failing...
rsyslogd initializiation failed - global classes could not be initialized.
Did you do a "make install"?
Suggested action: run rsyslogd with -d -n options to see what exactly fails.
rsyslogd: run failed with error -2066 (see rsyslog.h or try http://www.rsyslog.com/e/2066 to learn what that number means)

https://bugs.launchpad.net/bugs/1766317

Status in rsyslog package in Ubuntu:
  Confirmed
[Touch-packages] [Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)
Thanks Dimitri, greatly appreciated. I haven't found many problems in my
testing of Bionic, but this is the juiciest one so far.

https://bugs.launchpad.net/bugs/1731522

Title:
  systemd-resolved does not listen on TCP port, cannot serve large
  records (Cannot ping pod51041.outlook.com but can dig.)

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Triaged
Status in systemd source package in Artful:
  Triaged
Status in systemd source package in Bionic:
  Triaged

Bug description:
  Trying to resolve pod51041.outlook.com's domain name seems to fail for
  applications:

  $ ping pod51041.outlook.com
  ping: pod51041.outlook.com: Temporary failure in name resolution

  (Also can't access via thunderbird).

  However, it seems to work directly via systemd-resolve:

  $ systemd-resolve pod51041.outlook.com
  pod51041.outlook.com: 40.97.160.2 40.97.126.50 132.245.38.194
    40.97.147.194 132.245.41.34 40.97.176.2 40.97.150.242 40.97.85.114
    40.97.120.50 40.97.85.2 40.97.176.34 40.97.138.242 40.97.166.18
    40.97.120.162 40.97.119.82 40.97.176.18 40.97.85.98 40.97.134.34
    40.97.84.18

  -- Information acquired via protocol DNS in 2.5ms.
  -- Data is authenticated: no

  It also works with dig and nslookup.

  Not quite sure why this is the case, I've spotted this issue upstream
  that looks similar: https://github.com/systemd/systemd/issues/6520.
  However, I'm not familiar enough with DNS to tell if it is the same
  issue.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: systemd 234-2ubuntu12
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu3
  Architecture: amd64
  CurrentDesktop: MATE
  Date: Fri Nov 10 13:10:02 2017
  InstallationDate: Installed on 2017-11-10 (0 days ago)
  InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018)
  MachineType: LENOVO 2324BB9
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.13.0-16-generic.efi.signed root=UUID=8ab6bf88-72bd-4308-941e-3b36d4d7811b ro rootflags=subvol=@ quiet splash vt.handoff=7
  SourcePackage: systemd
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 03/03/2016
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ETA6WW (2.66 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2324BB9
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Defined
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ETA6WW(2.66):bd03/03/2016:svnLENOVO:pn2324BB9:pvrThinkPadX230:rvnLENOVO:rn2324BB9:rvrNotDefined:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.family: ThinkPad X230
  dmi.product.name: 2324BB9
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO
[Touch-packages] [Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)
Steve, Bionic still has the default (commented-out) #DNSStubListener=udp
in /etc/systemd/resolved.conf .

I've noticed that this breaks Kerberos KDC lookup at a large site,
because the reply is quite large:

# host -t SRV _kerberos._udp.xxx.example.com
;; Connection to 127.0.0.53#53(127.0.0.53) for _kerberos._udp.xxx.example.com failed: connection refused.

# kinit u...@xxx.example.com
kinit: Cannot find KDC for realm "XXX.EXAMPLE.COM" while getting initial credentials

After setting DNSStubListener=yes:

# host -t srv _kerberos._udp.xxx.example.com
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx01.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx02.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx03.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx04.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx05.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx06.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx07.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx08.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx09.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx10.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx11.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx12.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx13.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx14.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx15.xxx.example.com.

# kinit u...@xxx.example.com
Password for u...@xxx.example.com:

https://bugs.launchpad.net/bugs/1731522

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Triaged
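Added example, not part of the original messages and not systemd code: the failure reported above (a UDP answer from the stub marked as truncated, followed by a refused TCP retry on 127.0.0.53) can be checked with a small probe. The function names and the constructed sample reply are assumptions made for this illustration.

```python
"""Check whether a DNS stub can serve answers too large for UDP.

Added illustration; helper names are hypothetical, not systemd APIs.
"""
import socket
import struct

QTYPE_SRV = 33      # SRV record type (RFC 2782)
FLAG_QR = 0x8000    # message is a response
FLAG_TC = 0x0200    # answer was truncated; client should retry over TCP
FLAG_RD = 0x0100    # recursion desired
FLAG_RA = 0x0080    # recursion available


def build_query(name, qtype=QTYPE_SRV, txid=0x1234):
    """Encode a one-question DNS query for class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(message):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "answers": answers,
    }


def classify(udp_reply, tcp_connects):
    """Decide whether a client can obtain the full answer from this server."""
    header = parse_header(udp_reply)
    if not header["response"]:
        return "not-a-response"
    if not header["truncated"]:
        return "ok-over-udp"
    # A truncated reply forces a TCP retry; a UDP-only listener refuses it.
    return "ok-after-tcp-retry" if tcp_connects else "fails-large-record"


def constructed_truncated_reply(name="_kerberos._udp.xxx.example.com"):
    """Constructed sample: the query echoed back with QR, TC, RD, RA set."""
    query = build_query(name)
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return query[:2] + struct.pack("!H", flags) + query[4:]


def tcp_port_open(host, port=53, timeout=2.0):
    """True if a TCP connection to the DNS port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, name, qtype=QTYPE_SRV, port=53, timeout=2.0):
    """Send one UDP query to a live server and classify the outcome."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:
            return "no-udp-reply"
    return classify(reply, tcp_port_open(host, port, timeout))


if __name__ == "__main__":
    sample = constructed_truncated_reply()
    print("constructed reply, TCP refused: ", classify(sample, False))
    print("constructed reply, TCP accepted:", classify(sample, True))
```

On an affected host, `probe("127.0.0.53", "<a name with a large record set>")` returning `fails-large-record` matches the "connection refused" seen in the `host` output above.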
[Touch-packages] [Bug 643623] Re: Should ubuntu-keyring include the debug archive key?
Thank you Dimitry, that is a helpful link. I've removed the key-file
attachment from comment #5, but am unable to otherwise edit/remove the
text.

** Attachment removed: "dbgsym-release-key.asc"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/643623/+attachment/4903350/+files/dbgsym-release-key.asc

https://bugs.launchpad.net/bugs/643623

Title:
  Should ubuntu-keyring include the debug archive key?

Status in ubuntu-keyring package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: ubuntu-keyring

  Currently there doesn't seem to be a good way for developers who
  haven't been to many keysignings to establish trust in the Ubuntu
  Debug Symbol Archive Automatic Signing Key (428D7C01).

  Signing this key with Ubuntu Archive Automatic Signing Key (or
  equivalent) and/or including the Ubuntu Debug Symbol Archive Automatic
  Signing Key in ubuntu-keyring could help to solve this problem.
[Touch-packages] [Bug 643623] Re: Should ubuntu-keyring include the debug archive key?
I agree on this key needing to be available in the/an official Ubuntu
keyring package.

For now, because the original key file is not even accessible via HTTPS,
I am attaching a copy of it here. The file is dated 2016-07-04 16:10,
and has the following SHA{256,512} hashes:

4a54623d5ec01d098441a42413d5d176c3292113aed9d274ac18ddaec50b76ce  dbgsym-release-key.asc

728caec72fa2062f6d931a2c231433ee7dd0181d10d59ac6ec2afe90abc4cf17e3c9a7a4e82430ffdbd850eb68557bd33c1882e7de1dd93bc9b8dbbc61119f82  dbgsym-release-key.asc

Original location: http://ddebs.ubuntu.com/dbgsym-release-key.asc

If anyone sees a difference with the original, please speak up.

** Attachment added: "dbgsym-release-key.asc"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/643623/+attachment/4903350/+files/dbgsym-release-key.asc

https://bugs.launchpad.net/bugs/643623

Status in ubuntu-keyring package in Ubuntu:
  Confirmed
[Touch-packages] [Bug 1522675] Re: Warning messages about unsandboxed downloads
Hi Luigi,

This StackExchange posting should answer your question:

https://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean

https://bugs.launchpad.net/bugs/1522675

Title:
  Warning messages about unsandboxed downloads

Status in apt package in Ubuntu:
  Fix Released
Status in update-notifier package in Ubuntu:
  Confirmed
Status in apt package in Debian:
  Fix Released
Status in synaptic package in Debian:
  New

Bug description:
  Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but
  now get that error when installing/upgrading some packages:

  Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
  Processing triggers for libc-bin (2.21-0ubuntu5) ...
  W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

  From nautilus, i'm seeing a /root/ folder locked (x on its icon) and
  the folder is empty (no /.synaptic/ sub-folder or file), so the above
  error.

  oem@u64:~$ ls -l .synaptic
  total 4
  -rw-rw-r-- 1 oem oem 0 Aug 25 11:19 options
  -rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf

  oem@u64:~$ ls -l /var/lib/apt/lists/
  -rw-r- 1 root root0 Sep 20 06:36 lock
  drwx-- 2 _apt root16384 Sep 24 15:25 partial
  ..

  oem@u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
  .
  drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: synaptic 0.82+build1
  ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
  Uname: Linux 4.3.0-1-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.19.2-0ubuntu8
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Fri Dec 4 05:23:25 2015
  SourcePackage: synaptic
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1522675] Re: Can't drop privileges for downloading : _apt user not allowed
Benjamin, what you're seeing appears to be bug #1607535. (That bug
report doesn't quote the "/the fonts/" URL directly, but it links to a
comment that does.)

I have a bug report (bug #1575408) against ttf-mscorefonts-installer due
to the "Can't drop privileges" warning, but am assuming that that was a
specific instance of the more general bug described here, and so have
marked my bug as a duplicate of this one.

https://bugs.launchpad.net/bugs/1522675

Status in apt package in Ubuntu:
  Confirmed
Status in dpkg package in Ubuntu:
  Confirmed
Status in apt package in Debian:
  New
Status in synaptic package in Debian:
  New
[Touch-packages] [Bug 1584575] Re: /lib/systemd/system/lightdm.service file has no [Install] clause
Maybe make display-manager.service into an actual service file (rather
than a symlink), and have that start whatever
/etc/X11/default-display-manager points to?

What I want is to be able to disable and then re-enable the display
manager starting on boot using similar administrative commands, like a
"systemctl disable/enable" pair. Even better if the argument to the
commands is the same in both cases.

(Possibly even better yet if default-display-manager could be set to
some "null" option, so you can disable/re-enable the display manager
without ever touching systemd...)

https://bugs.launchpad.net/bugs/1584575

Title:
  /lib/systemd/system/lightdm.service file has no [Install] clause

Status in lightdm package in Ubuntu:
  New

Bug description:
  This concerns lightdm 1.18.1-0ubuntu1 in Xenial.

  The /lib/systemd/system/lightdm.service file lacks an [Install]
  clause. Meaning, that if you do

      # systemctl disable display-manager

  to prevent LightDM from starting, running

      # systemctl enable lightdm

  does not restore the /etc/systemd/system/display-manager.service
  symlink, and thus does not re-enable LightDM to run at the next boot
  as intended.
[Touch-packages] [Bug 1599646] [NEW] E-mail report contains repeated "Reading database ... NN%" lines
Public bug reported:

This concerns unattended-upgrades 0.90 in Xenial.

Here is an excerpt from an e-mail report sent out by u-u after the
upgrade process is completed:

    Package installation log:
    Log started: 2016-07-06 17:24:21
    Preconfiguring packages ...
    (Reading database ...
    (Reading database ... 5%
    (Reading database ... 10%
    (Reading database ... 15%
    (Reading database ... 20%
    (Reading database ... 25%
    (Reading database ... 30%
    (Reading database ... 35%
    (Reading database ... 40%
    (Reading database ... 45%
    (Reading database ... 50%
    (Reading database ... 55%
    (Reading database ... 60%
    (Reading database ... 65%
    (Reading database ... 70%
    (Reading database ... 75%
    (Reading database ... 80%
    (Reading database ... 85%
    (Reading database ... 90%
    (Reading database ... 95%
    (Reading database ... 100%
    (Reading database ... 314949 files and directories currently installed.)
    Preparing to unpack .../tzdata_2016f-0ubuntu0.16.04_all.deb ...
    Unpacking tzdata (2016f-0ubuntu0.16.04) over (2016d-0ubuntu0.16.04) ...
    Preparing to unpack .../libgimp2.0_2.8.16-1ubuntu1.1_i386.deb ...

All but the last "Reading database ..." line should be elided from the
message. As a matter of fact, those lines do not appear in messages
mailed out from current Trusty systems (u-u version 0.82.1ubuntu2.4), so
this appears to be a regression.

** Affects: unattended-upgrades (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1599646

Status in unattended-upgrades package in Ubuntu:
  New
[Touch-packages] [Bug 1584575] Re: /lib/systemd/system/lightdm.service file has no [Install] clause
This whole systemd thing is new to me, and I can't say I'm terribly
enamored of it, so I'm not the best person to ask. But by way of
example, I'll point out what a couple other .service files do:

/lib/systemd/system/rsyslog.service:

    [Install]
    WantedBy=multi-user.target
    Alias=syslog.service

/lib/systemd/system/ssh.service:

    [Install]
    WantedBy=multi-user.target
    Alias=sshd.service

I'm pretty sure the LightDM file should have
"Alias=display-manager.service", but can't say if "WantedBy" should be
"multi-user.target" or "graphical.target" or something else.

** Changed in: lightdm (Ubuntu)
       Status: Incomplete => New

https://bugs.launchpad.net/bugs/1584575

Status in lightdm package in Ubuntu:
  New
[Touch-packages] [Bug 1584575] [NEW] /lib/systemd/system/lightdm.service file has no [Install] clause
Public bug reported:

This concerns lightdm 1.18.1-0ubuntu1 in Xenial.

The /lib/systemd/system/lightdm.service file lacks an [Install] clause. Meaning, that if you do

    # systemctl disable display-manager

to prevent LightDM from starting, running

    # systemctl enable lightdm

does not restore the /etc/systemd/system/display-manager.service symlink, and thus does not re-enable LightDM to run at the next boot as intended.

** Affects: lightdm (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1584575

Title:
  /lib/systemd/system/lightdm.service file has no [Install] clause

Status in lightdm package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1584575/+subscriptions
[Touch-packages] [Bug 1258245] Re: syslog user can't write to serial or terminal devices
Generalized the title to include terminal devices (e.g. Linux virtual terminals) as well.

I'd like to see a better way to set this up. Yes, you can add the syslog user to the dialout and/or tty groups, but that grants access to *all* serial/terminal devices respectively. This can have security consequences if the syslog user is compromised, given that serial devices can include modems, and terminal devices would encompass tty-mode user login sessions.

The current situation is particularly awkward because /etc/rsyslog.d/50-default.conf contains a commented-out rule that directs logging to tty8. No mention is made of any permission issues. I wanted to do basically that, and was puzzled for a few minutes as to why nothing was appearing on the configured virtual terminal.

** Summary changed:

- syslog user can't write to /dev/ttyS0
+ syslog user can't write to serial or terminal devices

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1258245

Title:
  syslog user can't write to serial or terminal devices

Status in rsyslog package in Ubuntu:
  Confirmed

Bug description:
  We configure a VM via libvirt to have a serial device (/dev/ttyS0) that writes to a file on the host. During the desktop install we have some early preseed logic that adds an /etc/rsyslog.d config file that directs syslog messages to /dev/ttyS0. Under recent images, nothing is showing up in the file on the host end.

  For a quick sanity check I ran the following command in the VM:

      echo ANDY > /dev/ttyS0

  This works when done as root, but won't work when run as the syslog user. Digging a little more I see rsyslogd runs as syslog (which is in the syslog and adm groups) and ttyS0 is writeable to root and dialout.

  This is based on today's image which includes rsyslog 7.4.4-1ubuntu2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1258245/+subscriptions
[Touch-packages] [Bug 381517] Re: Settings in /etc/kbd/config are not read
Thanks to systemd, I've had to update my setterm invocation in /etc/rc.local to the following:

    setterm --term linux --blank 0 --powerdown 0 >/dev/console

("--powersave off" fails with an "Inappropriate ioctl" error because rc.local no longer runs directly on the Linux virtual console.)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to console-setup in Ubuntu.
https://bugs.launchpad.net/bugs/381517

Title:
  Settings in /etc/kbd/config are not read

Status in console-setup package in Ubuntu:
  Confirmed
Status in kbd package in Ubuntu:
  Triaged
Status in console-setup source package in Precise:
  Confirmed
Status in kbd source package in Precise:
  Triaged

Bug description:
  Binary package hint: kbd

  This concerns kbd 1.14.1-4ubuntu4 in Ubuntu Jaunty.

  I am setting up a text-mode-only server that will normally run headless. I want to disable console blanking, so that in the event of a kernel panic, I can attach a monitor and read the stack trace. So I make the following edits to /etc/kbd/config:

  * Set BLANK_TIME=0
  * Set BLANK_DPMS=on
  * Set POWERDOWN_TIME=0

  And still, the console blanks after about twenty minutes or so (not that I timed it).

  It shouldn't even be necessary to make all three of these changes---I believe setting BLANK_TIME=0 alone should do the trick---but it underscores the point that console blanking cannot be disabled here.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/console-setup/+bug/381517/+subscriptions
[Touch-packages] [Bug 1575455] Re: New AppArmor profile: usr.sbin.nslcd
Thank you Seth :-) Next rev in each release should have this, right?

No copyright line is needed; this was trivial to derive from the nscd profile.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575455

Title:
  New AppArmor profile: usr.sbin.nslcd

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  nslcd is a good program to be covered by an AppArmor profile, as it communicates with an LDAP server and services queries from arbitrary local applications.

  This new profile used the existing usr.sbin.nscd profile as a starting point.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575455/+subscriptions
[Touch-packages] [Bug 1575455] Re: New AppArmor profile: usr.sbin.nslcd
Seth, it seems you're absolutely right. Denying dgram while the system is up is no big deal, because DNS lookups go through nscd (or other similar infrastructure) instead of being sent out directly. But when the system is starting up, and nscd et al. aren't running yet, the queries do need to go out directly. And nslcd ends up in a wedged state where it does not reply to queries, and prints an endless series of confusing "Can't contact LDAP server: Permission denied" errors to syslog.

So yes, please strike those two dgram lines from the profile.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575455

Title:
  New AppArmor profile: usr.sbin.nslcd

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  nslcd is a good program to be covered by an AppArmor profile, as it communicates with an LDAP server and services queries from arbitrary local applications.

  This new profile used the existing usr.sbin.nscd profile as a starting point.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575455/+subscriptions
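An added example, not taken from the thread or from the attached profile: a shell filter that counts denied socket operations per address family and socket type for one AppArmor profile, which is how the startup-time dgram denials described above would show up in the kernel log. The log lines, host name, PIDs and timestamps in `sample_log` are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: count AppArmor network denials per socket family/type for one
# profile. All log lines in sample_log are constructed for illustration.

# net_denials PROFILE   (kernel/audit log on stdin)
# Prints "<count> <family>/<sock_type>" for every DENIED event of PROFILE that
# carries a sock_type field, i.e. a network mediation event. File denials and
# ALLOWED (complain-mode) events are ignored.
net_denials() {
    awk -v want="$1" '
        # Return the value of key="value" on the current line, or "".
        function field(key,    re, s) {
            re = " " key "=\"[^\"]*\""
            if (!match($0, re)) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)
            sub(/"$/, "", s)
            return s
        }
        /apparmor="DENIED"/ {
            if (field("profile") != want) next
            st = field("sock_type")
            if (st == "") next
            n[field("family") "/" st]++
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample: boot-time log of a host where nslcd is confined and
# cannot create UDP sockets, next to unrelated events that must not be counted.
sample_log() {
    cat <<'EOF'
Apr 27 09:58:02 ldapclient kernel: [   14.201] audit: type=1400 audit(1461751082.101:31): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet" sock_type="dgram" protocol=17
Apr 27 09:58:02 ldapclient nslcd[812]: Can't contact LDAP server: Permission denied
Apr 27 09:58:03 ldapclient kernel: [   15.207] audit: type=1400 audit(1461751083.107:32): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet" sock_type="dgram" protocol=17
Apr 27 09:58:03 ldapclient kernel: [   15.209] audit: type=1400 audit(1461751083.109:33): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet6" sock_type="dgram" protocol=17
Apr 27 09:58:04 ldapclient kernel: [   16.300] audit: type=1400 audit(1461751084.300:34): apparmor="DENIED" operation="open" profile="/usr/sbin/nslcd" name="/etc/ssl/certs/" pid=812 comm="nslcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 27 09:58:05 ldapclient kernel: [   17.010] audit: type=1400 audit(1461751085.010:35): apparmor="DENIED" operation="create" profile="/usr/sbin/nscd" pid=640 comm="nscd" family="inet" sock_type="dgram" protocol=17
Apr 27 09:58:06 ldapclient kernel: [   18.440] audit: type=1400 audit(1461751086.440:36): apparmor="ALLOWED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet" sock_type="stream" protocol=6
EOF
}

# Stand-alone run: summarise the constructed log for the nslcd profile.
sample_log | net_denials /usr/sbin/nslcd
```

On a real host the input would be the kernel or audit log covering early boot, since that is the window in which the denials matter.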
[Touch-packages] [Bug 1512002] Re: Annoying dialog "Authentication is required to change your own user data"
Spurious dialog observed in remote X session on Xenial install with accountsservice 0.6.40-2ubuntu10.

Enabled xenial-proposed, installed accountsservice 0.6.40-2ubuntu11, and the dialog no longer appears.

I wasn't seeing this problem as badly as some other folks here, but for my use case, the proposed fix is VERIFIED.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to accountsservice in Ubuntu.
https://bugs.launchpad.net/bugs/1512002

Title:
  Annoying dialog "Authentication is required to change your own user data"

Status in accountsservice:
  Confirmed
Status in accountsservice package in Ubuntu:
  Fix Released
Status in indicator-messages package in Ubuntu:
  Invalid
Status in policykit-1-gnome package in Ubuntu:
  Invalid
Status in accountsservice source package in Xenial:
  Fix Committed

Bug description:
  * Impact
  Sometimes useless "Authentication is required to change your own user data" prompts are displayed

  * Test case
  $ ssh -X localhost
  $ /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 &
  $ dbus-send --system --print-reply=literal --dest=org.freedesktop.Accounts /org/freedesktop/Accounts/User1001 org.freedesktop.Accounts.User.SetXHasMessages boolean:true

  that shouldn't trigger a prompt

  * Regression potential
  it allows the change to be done without prompting in more cases, shouldn't have an impact on cases which were already working

  --

  Every few days a dialog pops up saying "Authentication is required to change your own user data" with an entry field for a password. If I type my user's password the dialog will reappear with an empty entry field. If I click on the cross to close the window many times it will be gone, but reappear a few days later.

  I don't know what this window is for and it makes no difference whether I close it or leave it. I don't use the gnome keyring.

  This started with Ubuntu 15.04 or maybe with an earlier release, and is still there in Ubuntu 15.10, also on machines I did a fresh install.

To manage notifications about this bug go to:
https://bugs.launchpad.net/accountsservice/+bug/1512002/+subscriptions
[Touch-packages] [Bug 1575438] Re: usr.sbin.nscd needs r/w access to nslcd socket
Minor addendum: It's conceivable that the new line should go into rather than just the nscd profile. I do see that the nscd socket is already mentioned there. I don't know if/why anything else would need access to the nslcd socket, but that may be a valid use case for other folks.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575438

Title:
  usr.sbin.nscd needs r/w access to nslcd socket

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am using nscd with nslcd (LDAP lookup daemon) for NSS services via LDAP.

  It is typical to configure nslcd to connect to the actual LDAP server, and then set up /etc/ldap.conf (which is what NSS/nscd uses for "ldap" type lookups in /etc/nsswitch.conf) with a server URI of ldapi:///var/run/nslcd/socket . This way, only nslcd needs to talk with the LDAP server, rather than every application that wants to do getpwent() et al.

  Unfortunately, the usr.sbin.nscd profile in apparmor-profiles 2.10.95-0ubuntu2 (Xenial) makes no mention of the nslcd socket, which results in NSS LDAP lookups not working when the profile is enforced in this configuration.

  This is the new line that is needed:

      /{,var/}run/nslcd/socket rw,

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575438/+subscriptions
[Touch-packages] [Bug 1575455] Re: New AppArmor profile: usr.sbin.nslcd
For my part, I'm not seeing DNS issues, and I've got a hostname in my LDAP server URI. I'm not sure what goes on under the hood for normal DNS resolution these days (maybe DNS over TCP is favored now?), but if there's any doubt in your mind, feel free to drop those lines.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575455

Title:
  New AppArmor profile: usr.sbin.nslcd

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  nslcd is a good program to be covered by an AppArmor profile, as it communicates with an LDAP server and services queries from arbitrary local applications.

  This new profile used the existing usr.sbin.nscd profile as a starting point.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575455/+subscriptions
[Touch-packages] [Bug 1471645] Re: [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()
Chromium continues to fail on Xenial with the title error message when the currently-shipped AppArmor profile is enforced.

I've updated my profile adjustments to address some new issues that have cropped up in recent builds of Chromium. Everyone who wants to get things working again, please add the following lines to /etc/apparmor.d/local/usr.bin.chromium-browser :

    # From https://bugs.launchpad.net/bugs/1471645
    #include
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,
    owner @{PROC}/[0-9]*/setgroups w,
    owner @{PROC}/[0-9]*/gid_map w,
    owner @{PROC}/[0-9]*/uid_map w,
    @{PROC}/[0-9]*/stat r,
    @{PROC}/sys/net/ipv4/tcp_fastopen r,
    /bin/which ixr,

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1471645

Title:
  [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()

Status in apparmor package in Ubuntu:
  Confirmed
Status in chromium-browser package in Ubuntu:
  Invalid

Bug description:
  This bug report concerns chromium-browser version 43.0.2357.81-0ubuntu0.14.04.1.1089 in Ubuntu Trusty.

  Previously, this system had 41.0.2272.76-0ubuntu0.14.04.1.1076 installed, and it worked correctly. Now, after an update, the browser crashes immediately upon startup with a SIGABRT. Removing ~/.config/chromium/ and ~/.cache/chromium/ does not alleviate the problem.

  If run in a terminal, the program produces the following output:

  [8622:8622:0704/015859:FATAL:zygote_host_impl_linux.cc(182)] Check failed: process.IsValid().
  Failed to launch zygote process Aborted (core dumped)
[Touch-packages] [Bug 1575455] [NEW] New AppArmor profile: usr.sbin.nslcd
Public bug reported:

nslcd is a good program to be covered by an AppArmor profile, as it communicates with an LDAP server and services queries from arbitrary local applications.

This new profile used the existing usr.sbin.nscd profile as a starting point.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "New AppArmor profile for /usr/sbin/nslcd"
   https://bugs.launchpad.net/bugs/1575455/+attachment/4648667/+files/usr.sbin.nslcd

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575455

Title:
  New AppArmor profile: usr.sbin.nslcd

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575455/+subscriptions
[Touch-packages] [Bug 1575438] [NEW] usr.sbin.nscd needs r/w access to nslcd socket
Public bug reported:

I am using nscd with nslcd (LDAP lookup daemon) for NSS services via LDAP.

It is typical to configure nslcd to connect to the actual LDAP server, and then set up /etc/ldap.conf (which is what NSS/nscd uses for "ldap" type lookups in /etc/nsswitch.conf) with a server URI of ldapi:///var/run/nslcd/socket . This way, only nslcd needs to talk with the LDAP server, rather than every application that wants to do getpwent() et al.

Unfortunately, the usr.sbin.nscd profile in apparmor-profiles 2.10.95-0ubuntu2 (Xenial) makes no mention of the nslcd socket, which results in NSS LDAP lookups not working when the profile is enforced in this configuration.

This is the new line that is needed:

    /{,var/}run/nslcd/socket rw,

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575438

Title:
  usr.sbin.nscd needs r/w access to nslcd socket

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575438/+subscriptions
[Touch-packages] [Bug 1575392] [NEW] Use force-complain symlinks instead of hard-coded "complain" flags
Public bug reported:

I am using apparmor-profiles in Xenial.

The AppArmor profiles, by default, are set to "complain" mode by way of "flag=(complain)" directives written into the profiles themselves. If I want these profiles to be enforced, then I have to edit each one and manually delete the directives (or use the aa-enforce utility to perform the same edits for me).

This then results in modified config files, which will give me grief if and when the profiles are updated. I can accept the inconvenience of merging if I've made significant changes. But given that all I'm doing is switching from "complain" to "enforce", and that there is already a good mechanism for specifying this outside of the profiles themselves (removing symlinks from the "disable" or "force-complain" subdirs), this significantly impairs the usability of a security feature that sorely needs wider adoption.

[tl;dr] Please remove all "complain" flags from the profiles, and replace them with corresponding symlinks in the "force-complain" subdirectory.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575392

Title:
  Use force-complain symlinks instead of hard-coded "complain" flags

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575392/+subscriptions
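The check below is an added example, not part of the bug report or of the apparmor packages: a shell function that classifies each profile in a directory by where its complain mode comes from, so the profiles that can only be enforced by editing a packaged file stand out. The directory tree, profile bodies and function names are constructed for the example, and the `flags=(complain)` header spelling is assumed for the hard-coded flag (the pattern also accepts `flag=`).

```shell
#!/bin/sh
# Added example: classify AppArmor profiles by where "complain" mode is set.
# Everything created under the temporary directory is constructed sample data,
# not the contents of the real packaged profiles.

# audit_complain_mode DIR
# Prints "<profile-file> <state>" for every regular file directly in DIR:
#   hardcoded  complain flag is written into the profile itself
#   symlink    DIR/force-complain/<profile-file> exists
#   both       flag and symlink are both present
#   enforce    neither is present
audit_complain_mode() {
    acm_dir=$1
    for acm_file in "$acm_dir"/*; do
        [ -f "$acm_file" ] || continue    # skips force-complain/, disable/, local/
        acm_name=${acm_file##*/}
        acm_hard=no
        acm_link=no
        # Commented-out text is ignored: nothing before "flags" may contain '#'.
        if grep -Eq '^[^#]*flags?[[:space:]]*=[[:space:]]*\([^)]*complain' "$acm_file"; then
            acm_hard=yes
        fi
        if [ -L "$acm_dir/force-complain/$acm_name" ]; then
            acm_link=yes
        fi
        case "$acm_hard/$acm_link" in
            yes/yes) acm_state=both ;;
            yes/no)  acm_state=hardcoded ;;
            no/yes)  acm_state=symlink ;;
            *)       acm_state=enforce ;;
        esac
        printf '%s %s\n' "$acm_name" "$acm_state"
    done
    return 0
}

# needs_conffile_edit DIR
# Lists the profiles that cannot be switched to enforce mode without editing
# the profile file itself, which is the situation the report describes.
needs_conffile_edit() {
    audit_complain_mode "$1" | awk '$2 == "hardcoded" || $2 == "both" { print $1 }'
}

# build_sample_tree: creates a constructed profile directory, prints its path.
build_sample_tree() {
    bst_dir=$(mktemp -d) || return 1
    mkdir "$bst_dir/force-complain" "$bst_dir/disable" "$bst_dir/local"
    # Complain mode hard-coded in the profile header.
    printf '%s\n' '/usr/sbin/nscd flags=(complain) {' '  /etc/nscd.conf r,' '}' \
        > "$bst_dir/usr.sbin.nscd"
    # Complain mode set only through a force-complain symlink.
    printf '%s\n' '/usr/sbin/nslcd {' '  /etc/nslcd.conf r,' '}' \
        > "$bst_dir/usr.sbin.nslcd"
    ln -s ../usr.sbin.nslcd "$bst_dir/force-complain/usr.sbin.nslcd"
    # Enforced profile; the flag survives only inside a comment.
    printf '%s\n' '# flags=(complain) removed locally' '/usr/bin/sample-enforced {' '}' \
        > "$bst_dir/usr.bin.sample-enforced"
    # Flag and symlink at the same time.
    printf '%s\n' '/usr/bin/sample-both flags=(complain) {' '}' \
        > "$bst_dir/usr.bin.sample-both"
    ln -s ../usr.bin.sample-both "$bst_dir/force-complain/usr.bin.sample-both"
    printf '%s\n' "$bst_dir"
}

# Stand-alone run: report on the constructed tree, then clean up.
sample_dir=$(build_sample_tree)
audit_complain_mode "$sample_dir"
rm -rf "$sample_dir"
```

Pointing `audit_complain_mode` at /etc/apparmor.d gives the same report for an installed system; only the `hardcoded` and `both` entries require touching the profile file to enforce.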
[Touch-packages] [Bug 1471645] Re: [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()
** Changed in: apparmor (Ubuntu)
       Status: Incomplete => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1471645

Title:
  [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()

Status in apparmor package in Ubuntu:
  Confirmed
Status in chromium-browser package in Ubuntu:
  Invalid

Bug description:
  This bug report concerns chromium-browser version 43.0.2357.81-0ubuntu0.14.04.1.1089 in Ubuntu Trusty.

  Previously, this system had 41.0.2272.76-0ubuntu0.14.04.1.1076 installed, and it worked correctly. Now, after an update, the browser crashes immediately upon startup with a SIGABRT. Removing ~/.config/chromium/ and ~/.cache/chromium/ does not alleviate the problem.

  If run in a terminal, the program produces the following output:

  [8622:8622:0704/015859:FATAL:zygote_host_impl_linux.cc(182)] Check failed: process.IsValid().
  Failed to launch zygote process Aborted (core dumped)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1471645/+subscriptions
[Touch-packages] [Bug 1471645] Re: [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()
Chad, what is the intended purpose of that command? Because it's mistranscribed:

    $ dpkg -S $(grep -l /etc/apparmor.d/*)
    grep: /etc/apparmor.d/apache2.d: Is a directory
    grep: /etc/apparmor.d/cache: Is a directory
    grep: /etc/apparmor.d/disable: Is a directory
    grep: /etc/apparmor.d/force-complain: Is a directory
    grep: /etc/apparmor.d/local: Is a directory
    grep: /etc/apparmor.d/program-chunks: Is a directory
    grep: /etc/apparmor.d/tunables: Is a directory
    dpkg-query: error: --search needs at least one file name pattern argument

    Use --help for help about querying packages.

Do you want to know which package owns the Chromium profile?

    $ dpkg -S /etc/apparmor.d/usr.bin.chromium-browser
    apparmor-profiles: /etc/apparmor.d/usr.bin.chromium-browser

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1471645

Title:
  [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()

Status in apparmor package in Ubuntu:
  Incomplete
Status in chromium-browser package in Ubuntu:
  Invalid

Bug description:
  This bug report concerns chromium-browser version 43.0.2357.81-0ubuntu0.14.04.1.1089 in Ubuntu Trusty.

  Previously, this system had 41.0.2272.76-0ubuntu0.14.04.1.1076 installed, and it worked correctly. Now, after an update, the browser crashes immediately upon startup with a SIGABRT. Removing ~/.config/chromium/ and ~/.cache/chromium/ does not alleviate the problem.

  If run in a terminal, the program produces the following output:

  [8622:8622:0704/015859:FATAL:zygote_host_impl_linux.cc(182)] Check failed: process.IsValid().
  Failed to launch zygote process Aborted (core dumped)
[Touch-packages] [Bug 606491] Re: start: Job is already running: anacron
Hi Stuart,

Note that Anacron is not a daemon; it needs to be executed at boot time and intermittently thereafter (via that cron.d script). It doesn't work to have Anacron run only at boot time and Cron thereafter, because Anacron maintains state in /var/spool/anacron/ that needs to be updated each time it runs. If you look at /etc/crontab, you'll see that Cron does relatively little when Anacron is installed.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/606491

Title:
  start: Job is already running: anacron

Status in anacron package in Ubuntu:
  Triaged
Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: anacron

  Every day cron sends me this email:

  Date: Sat, 17 Jul 2010 07:30:01 +1200
  From: Cron Daemon
  To: root@hostname
  Subject: Cron start -q anacron || :

  start: Job is already running: anacron

  I've tried to find out why it was running twice, but I could only find one copy of anacron in the cron directories...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/anacron/+bug/606491/+subscriptions
[Touch-packages] [Bug 1471645] Re: [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()
The crash is due to AppArmor. Adding the following to the profile for /usr/lib/chromium-browser/chromium-browser gets things working again:

  capability sys_admin,
  capability sys_chroot,
  owner @{PROC}/[0-9]*/setgroups w,
  owner @{PROC}/[0-9]*/gid_map w,
  owner @{PROC}/[0-9]*/uid_map w,
  @{PROC}/[0-9]*/stat r,

** Attachment removed: "BootDmesg.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424858/+files/BootDmesg.txt

** Attachment removed: "UdevDb.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424877/+files/UdevDb.txt

** Attachment removed: "UdevLog.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424878/+files/UdevLog.txt

** Attachment removed: "CurrentDmesg.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424861/+files/CurrentDmesg.txt

** Attachment removed: "ProcModules.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424870/+files/ProcModules.txt

** Attachment removed: "ProcMaps.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424869/+files/ProcMaps.txt

** Attachment removed: "DiskUsage.txt"
   https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1471645/+attachment/4424864/+files/DiskUsage.txt

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: chromium-browser (Ubuntu)
       Status: New => Invalid

** Information type changed from Private to Public

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1471645

Title:
  [trusty] [regression] chromium-browser crashed with SIGABRT in base::debug::BreakDebugger()

Status in apparmor package in Ubuntu:
  New
Status in chromium-browser package in Ubuntu:
  Invalid
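
Added example, not part of the original message and not AppArmor's own tooling: a small Python parser that turns kernel AppArmor "DENIED" audit lines into candidate profile rules for review, showing how rules like the six listed in the message above can be traced back to individual denials. The log lines are constructed samples, the function names are hypothetical, and the "owner" decision (fsuid equals ouid) is an assumed heuristic.

```python
import re

PROFILE = "/usr/lib/chromium-browser/chromium-browser"

# Constructed sample audit lines in the kernel's AppArmor log format; they are
# not taken from the bug report. PIDs, timestamps and UIDs are made up.
SAMPLE_LOG = """\
audit: type=1400 audit(1436140000.101:40): apparmor="DENIED" operation="capable" profile="{p}" pid=8622 comm="chromium-browse" capability=21  capname="sys_admin"
audit: type=1400 audit(1436140000.102:41): apparmor="DENIED" operation="capable" profile="{p}" pid=8622 comm="chromium-browse" capability=18  capname="sys_chroot"
audit: type=1400 audit(1436140000.103:42): apparmor="DENIED" operation="open" profile="{p}" name="/proc/8630/setgroups" pid=8630 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1436140000.104:43): apparmor="DENIED" operation="open" profile="{p}" name="/proc/8630/gid_map" pid=8630 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1436140000.105:44): apparmor="DENIED" operation="open" profile="{p}" name="/proc/8630/uid_map" pid=8630 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1436140000.106:45): apparmor="DENIED" operation="open" profile="{p}" name="/proc/8631/uid_map" pid=8631 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1436140000.107:46): apparmor="DENIED" operation="open" profile="{p}" name="/proc/1/stat" pid=8622 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1436140000.108:47): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=701 comm="cupsd" capability=12  capname="net_admin"
""".format(p=PROFILE)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def rule_for(event):
    """Translate one DENIED event into a candidate profile rule, or None."""
    if event.get("operation") == "capable" and "capname" in event:
        return "capability %s," % event["capname"]
    if "name" in event and "denied_mask" in event:
        # Generalise the per-process directory the same way the listed rules do.
        path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", event["name"])
        # Assumed heuristic: accessor owns the file, so an 'owner' rule suffices.
        owned = "fsuid" in event and event["fsuid"] == event.get("ouid")
        return "%s%s %s," % ("owner " if owned else "", path, event["denied_mask"])
    return None

def suggest_rules(log_text, profile=PROFILE):
    """Collect de-duplicated candidate rules for one profile, in log order."""
    rules = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("apparmor") != "DENIED" or event.get("profile") != profile:
            continue
        rule = rule_for(event)
        if rule and rule not in rules:
            rules.append(rule)
    return rules
```

Each suggested rule is a starting point for review rather than something to paste in blindly, since every line widens what the confined process may do.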