[SOLVED] Devuan Excalibur polkitd installation bug

tux_99 · Yesterday 01:03:08

There seems to be a bug in the polkitd package. On my Devuan Excalibur install it created the polkitd user with UID 999 and GID 999, despite me having configured /etc/login.defs to assign the range 101 to 499 to system users and 500 to 60000 to normal users.

In other words it looks like the polkitd package creates the polkitd user ignoring the settings in /etc/login.defs.

All other system packages that during installation create users and/or groups that I installed so far have respected my settings in /etc/login.defs and in /etc/adduser.conf as expected.

Here are the settings I have in /etc/login.defs:

UID_MIN			  500
UID_MAX			60000
SYS_UID_MIN		  101
SYS_UID_MAX		  499
GID_MIN			  500
GID_MAX			60000
SYS_GID_MIN		  101
SYS_GID_MAX		  499

And in /etc/adduser.conf I have:

$ more /etc/adduser.conf |grep ID|grep -v ^#
LAST_SYSTEM_UID=499
LAST_SYSTEM_GID=499
FIRST_UID=500
FIRST_GID=500

And this is what my /etc/passwd and /etc/group contains after installation of the polkitd package:

$ grep polkit /etc/passwd /etc/group
/etc/passwd:polkitd:x:999:999:User for polkitd:/:/usr/sbin/nologin
/etc/group:polkitd:x:999:

It appears to me that this is a forked Devuan package, not a Debian package (the version string says so:126-2devuan1+excalibur1 ).
Where should I report this to?

Last edited by tux_99 (Yesterday 01:29:54)

tux_99 · Yesterday 02:03:40

Actually the bug (or rather missbehaviour) seems to be coming from /usr/bin/systemd-sysusers (which the polkitd package seems to prefer over adduser to create the polkitd user/group) from the package systemd-standalone-sysusers which completely ignores any settings in /etc/login.defs and in /etc/adduser.conf.

Why does Devuan prefer systemd-sysusers to create system users during installation rather than adduser?

Why do we even have this disrespectful (of the user configuration) systemd derived package in Devuan?

Last edited by tux_99 (Yesterday 02:42:25)

tux_99 · Yesterday 02:36:48

On the systemd webpage says:

Some older systems placed the boundary at 499/500, or even 99/100, and some distributions allow the boundary between system and regular users to be changed via local configuration. In systemd, the boundary is configurable during compilation time and is also queried from /etc/login.defs at runtime, if the -Dcompat-mutable-uid-boundaries=true compile-time setting is used.

https://systemd.io/UIDS-GIDS/

I checked the debian/rules file of the source package for systemd-standalone-sysusers and didn't find this compile time flag (-Dcompat-mutable-uid-boundaries=true) so it appears an omission of the Debian systemd source package (that generates the binary package systemd-standalone-sysusers).

On the other hand it would be better if the polkitd package didn't use this systemd tool but rather adduser, especially since it seems to be already set up to use adduser but it gives preference to systemd-sysusers if it finds it, see debian/polkitd.postinst (policykit-1-126 source):

        if command -v systemd-sysusers >/dev/null; then
            systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} polkit.conf
        else
            adduser --group --system --quiet --gecos 'polkit' \
                --no-create-home --home /nonexistent polkitd
            addgroup --system --quiet polkitd
        fi

IMHO the above should be changed to always use adduser and since this is a Devuan package it would be easier to fix rather than getting Debian to add the compile time flag to the systemd package.

There is even a 3 year old open bug report about this missing compile flag for systemd in debians bugtracker but nobody seems to have done anything about it:
https://bugs.debian.org/cgi-bin/bugrepo … ug=1029785

Therefore I really think it would be better for Devuan to remove this systemd dependency from the Devuan polkit package (which is forked already) and use exclusively 'adduser' in the postinst script of polkitd.

Last edited by tux_99 (Yesterday 02:57:18)

RedGreen925 · Yesterday 04:37:18

"Why does Devuan prefer systemd-sysusers to create system users during installation rather than adduser?"

It is nowhere to be found on my Excalibur install or even there to be installed.

root@9600k:~# apt policy systemd-sysusers
systemd-sysusers:
  Installed: (none)
  Candidate: (none)
  Version table:
root@9600k:~# cat /etc/os-release
PRETTY_NAME="Devuan GNU/Linux 6 (excalibur)"
NAME="Devuan GNU/Linux"
VERSION_ID="6"
VERSION="6 (excalibur)"
VERSION_CODENAME="excalibur"
ID=devuan
ID_LIKE=debian
HOME_URL="https://www.devuan.org/"
SUPPORT_URL="https://devuan.org/os/community"
BUG_REPORT_URL="https://bugs.devuan.org/"

I would check your policy output and perhaps your sources to figure out where you got it from.

root@9600k:~# cat /etc/apt/sources.list.d/devuan.sources 
## Devuan 6 excalibur
## The new style method of using repositories to install software.
## This /etc/apt/sources.list.d/devuan.sources is new style and location file
## The /etc/apt/old.style.sources.list contains the same as this.
## https://linuxconfig.org/ubuntus-repository-configuration-ubuntu-sources-have-moved-to-etc-apt-sources-list-d-ubuntu-sources

## Normal excalibur sources
Types: deb
URIs: http://gnlug.org/pub/devuan/merged 
Suites: excalibur excalibur-backports excalibur-proposed-updates  excalibur-updates
Components: main non-free contrib non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/devuan-archive-keyring.gpg
Architectures: amd64

## excalibur security sources
Types: deb
URIs: http://gnlug.org/pub/devuan/merged
Suites: excalibur-security
Components: main non-free contrib non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/devuan-archive-keyring.gpg
Architectures: amd64

stultumanto · Yesterday 06:25:44

According to apt-file, /usr/bin/systemd-sysusers can be installed by either opensysusers or systemd-standalone-users. The latter package is a dependency of cron-daemon-common and openssh-server, among others.

RedGreen925 · Yesterday 14:26:17

The systemd-standalone-users is likewise nowhere to be found on my system the other has candicate but is not installed.

zeus@9600k:~$ apt policy opensysusers systemd-standalone-users
opensysusers:
  Installed: (none)
  Candidate: 0.7.3-5
  Version table:
     0.7.3-5 990
        990 http://gnlug.org/pub/devuan/merged excalibur/main amd64 Packages
N: Unable to locate package systemd-standalone-users

Both of the packages mentioned as having them as a dependency are installed without them.

zeus@9600k:~$ apt policy cron-daemon-common openssh-server
cron-daemon-common:
  Installed: 3.0pl1-197
  Candidate: 3.0pl1-197
  Version table:
 *** 3.0pl1-197 990
        990 http://gnlug.org/pub/devuan/merged excalibur/main amd64 Packages
        100 /var/lib/dpkg/status
openssh-server:
  Installed: 1:10.0p1-7
  Candidate: 1:10.0p1-7
  Version table:
     1:10.2p1-2~bpo13+1 100
        100 http://gnlug.org/pub/devuan/merged excalibur-backports/main amd64 Packages
 *** 1:10.0p1-7 990
        990 http://gnlug.org/pub/devuan/merged excalibur/main amd64 Packages
        100 /var/lib/dpkg/status

fsmithred · Yesterday 14:44:07

N: Unable to locate package systemd-standalone-users

It gets confusing with all the overlapping names. The correct name for that package is systemd-standalone-sysusers

# apt remove systemd-standalone-sysusers
The following packages were automatically installed and are no longer required:
  libwtmpdb0  openssh-sftp-server
Use 'apt autoremove' to remove them.

REMOVING:
  cron  cron-daemon-common  openssh-server  systemd-standalone-sysusers

Installing opensysusers instead will remove systemd-standalone-sysusers without removing cron or ssh.
And either one of those will give you /usr/bin/systemd-sysusers.

tux_99 · Yesterday 14:52:52

tux_99 wrote:

There is even a 3 year old open bug report about this missing compile flag for systemd in debians bugtracker but nobody seems to have done anything about it: https://bugs.debian.org/cgi-bin/bugrepo … ug=1029785

Guess where the Debian systemd maintainer that seems unwilling to fix this bug works:

Software engineer at Microsoft by day, open source developer involved in various projects by night (systemd maintainer, DPDK LTS maintainer, ZeroMQ project co-lead, Debian Developer)

https://archive.fosdem.org/2023/schedul … _boccassi/

I'm starting to realize more and more that Debian is no longer an independent community distro at all, not only is it full of Canonical (understandable) and IBM/Redhat Devs (less understandable), there are even Microsoft Employees involved with core packages of Debian...

fsmithred wrote:

Installing opensysusers instead will remove systemd-standalone-sysusers without removing cron or ssh.

Thanks for the suggestion, I will try that and see whether "opensysusers" takes into account the custom UID/GID ranges configured in /etc/login.defs.

Last edited by tux_99 (Yesterday 14:53:10)

tux_99 · Yesterday 21:10:33

So I installed opensysusers as suggested by fsmithred instead of systemd-standalone-users and tested it by creating a testuser.conf file and then running opensysusers:

# cat /usr/lib/sysusers.d/test.conf
u testtest99 - "testtest99 user"
# systemd-sysusers test.conf
# grep testtest /etc/passwd /etc/group
/etc/passwd:testtest99:x:498:498:testtest99 user:/:/sbin/nologin
/etc/group:testtest99:x:498:

And we have a winner, opensysusers respects the settings in /etc/login.defs since it's simply a shell script that calls useradd and groupadd to actually create the users (and useradd and groupadd obviously follow the settings in /etc/login.defs ).

So I guess the problem is solved, but I would suggest that Devuan should default to opensysusers even during the initial installation rather than systemd-standalone-users.

opensysusers is an easy to understand shell script that relies on the standard useradd and groupadd binaries, i.e. it's a typical tool following the Unix philosophy unlike systemd-standalone-users, therefore opensysusers seems much better suited as default for Devuan.

systemd-standalone-users should really be blacklisted in Devuan as it ignores the settings in /etc/login.defs and therefore potentially creates users and groups with unwanted UIDs and GIDs.

Last edited by tux_99 (Yesterday 21:36:05)

RedGreen925 · Yesterday 22:53:04

I'm starting to realize more and more that Debian is no longer an independent community distro at all, not only is it full of Canonical (understandable) and IBM/Redhat Devs (less understandable), there are even Microsoft Employees involved with core packages of Debian...

This has been true for years now the project has been subverted by the corporate parasite controlled developers within it. Eventually it will be turned into a systemd only distribution by them. Good to see you get it sorted, I too had that piece of garbage package installed now no longer, thanks for digging into it.

stargate-sg1-cheyenne-mtn · Today 10:21:50

and somewhere on the planet someone rattles a keyboard

someone@somewhere:~$ apt info opensysusers
Package: opensysusers
Version: 0.7.3-2
Priority: optional
Section: net
Maintainer: Andrea Pappacoda <andrea@pappacoda.it>
Installed-Size: 43.0 kB
Provides: systemd-sysusers
Homepage: https://github.com/cromerc/opensysusers.git
Download-Size: 14.3 kB
APT-Sources: http://deb.devuan.org/merged daedalus/main amd64 Packages
Description: processes sysusers.d directory to create system users
 Opensysusers uses the files from sysusers.d directory to create system users
 and groups and to add users to groups, at package installation or boot time.
 This tool may be used to allocate system users and groups only, it is not
 useful for creating non-system (i.e. regular, "human") users and groups, as it
 accesses /etc/passwd and /etc/group directly, bypassing any more complex user
 databases, for example any database involving NIS or LDAP.
 .
 Opensysusers is an alternative implementation of systemd-sysusers that may
 work on systems with or without systemd installed.

interested in others' thoughts regarding

Opensysusers uses the files from sysusers.d directory to create system users
and groups and to add users to groups, at package installation or boot time.
This tool may be used to allocate system users and groups only, it is not
useful for creating non-system (i.e. regular, "human") users and groups, as it
accesses /etc/passwd and /etc/group directly, bypassing any more complex user
databases, for example any database involving NIS or LDAP.

and now back to one of the links on Michael W Lucas mainpage
(wouldn't it be fun if there was a man page for michaelwlucas ... ha!)

someone@somewhere:~$ man michaelwlucas
No manual entry for michaelwlucas

sigh...

tux_99 · Today 14:21:10

@stargate-sg1-cheyenne-mtn Can you please make a more straight-forward question? Despite reading your post twice I have no idea what your concern is.

Last edited by tux_99 (Today 14:21:31)

The officially official Devuan Forum!

#1 Yesterday 01:03:08

[SOLVED] Devuan Excalibur polkitd installation bug

#2 Yesterday 02:03:40

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#3 Yesterday 02:36:48

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#4 Yesterday 04:37:18

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#5 Yesterday 06:25:44

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#6 Yesterday 14:26:17

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#7 Yesterday 14:44:07

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#8 Yesterday 14:52:52

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#9 Yesterday 21:10:33

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#10 Yesterday 22:53:04

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#11 Today 10:21:50

Re: [SOLVED] Devuan Excalibur polkitd installation bug

#12 Today 14:21:10

Re: [SOLVED] Devuan Excalibur polkitd installation bug

Board footer