[Bug 1903509] [NEW] libvirt-daemon-system creates system user without marking it as system user for login

Mon, 09 Nov 2020 01:51:46 -0800 

Public bug reported:

Package libvirt-daemon-system postinst scripts runs following code:

# Allocated UID and GID for libvirt-qemu
LIBVIRT_QEMU_UID=64055
LIBVIRT_QEMU_GID=64055

...
groupadd --system --non-unique --gid "$gid" libvirt
...

adduser --quiet \
            --system \
            --ingroup kvm \
            --quiet \
            --disabled-login \
            --disabled-password \
            --home /var/lib/libvirt \
            --no-create-home \
            --gecos "Libvirt Qemu" \
            $PARAMETER_UID \
            libvirt-qemu


However, after this has been done, e.g. lightdm will show "Libvirt Qemu" as a 
possible user to login.

Arguably, the postinst script does the correct thing (it says "--system"
and "--disabeld-login") but still package accountsservices picks up this
as possible user account to use for login. Perhaps there's some kind of
miscommunication between package maintainers about how system accounts
are marked as system accounts? At least some packages assume that UID
less than 1000 is the only marker for system accounts.

According to 'man adduser' the flag '--system' probably does nothing if
UID is hardcoded.

One possible way to fix this would be to include file

    /var/lib/AccountsService/users/libvirt-qemu

with contents

[User]
SystemAccount=true

to package libvirt-daemon-system.

This whole issue is caused by https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=844339 which globally reserves UID above 1000 for
system level feature.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libvirt-daemon-system 4.0.0-1ubuntu8.17
ProcVersionSignature: Ubuntu 5.4.0-52.57~18.04.1-lowlatency 5.4.65
Uname: Linux 5.4.0-52-lowlatency x86_64
ApportVersion: 2.20.9-0ubuntu7.18
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Nov  9 11:25:56 2020
EcryptfsInUse: Yes
InstallationDate: Installed on 2019-01-05 (673 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.nwfilter.allow-arp.xml: [inaccessible: [Errno 
13] Permission denied: '/etc/libvirt/nwfilter/allow-arp.xml']
modified.conffile..etc.libvirt.nwfilter.allow-dhcp-server.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-dhcp-server.xml']
modified.conffile..etc.libvirt.nwfilter.allow-dhcp.xml: [inaccessible: [Errno 
13] Permission denied: '/etc/libvirt/nwfilter/allow-dhcp.xml']
modified.conffile..etc.libvirt.nwfilter.allow-incoming-ipv4.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml']
modified.conffile..etc.libvirt.nwfilter.allow-ipv4.xml: [inaccessible: [Errno 
13] Permission denied: '/etc/libvirt/nwfilter/allow-ipv4.xml']
modified.conffile..etc.libvirt.nwfilter.clean-traffic.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/clean-traffic.xml']
modified.conffile..etc.libvirt.nwfilter.no-arp-ip-spoofing.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-arp-mac-spoofing.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-arp-spoofing.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-arp-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-ip-multicast.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-ip-multicast.xml']
modified.conffile..etc.libvirt.nwfilter.no-ip-spoofing.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-ip-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-mac-broadcast.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-mac-broadcast.xml']
modified.conffile..etc.libvirt.nwfilter.no-mac-spoofing.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-mac-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-other-l2-traffic.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml']
modified.conffile..etc.libvirt.nwfilter.no-other-rarp-traffic.xml: 
[inaccessible: [Errno 13] Permission denied: 
'/etc/libvirt/nwfilter/no-other-rarp-traffic.xml']
modified.conffile..etc.libvirt.nwfilter.qemu-announce-self-rarp.xml: 
[inaccessible: [Errno 13] Permission denied: 
'/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml']
modified.conffile..etc.libvirt.nwfilter.qemu-announce-self.xml: [inaccessible: 
[Errno 13] Permission denied: '/etc/libvirt/nwfilter/qemu-announce-self.xml']
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission 
denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible: [Errno 
13] Permission denied: '/etc/libvirt/qemu/networks/default.xml']

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903509

Title:
  libvirt-daemon-system creates system user without marking it as system
  user for login

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1903509/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to