Arch Linux

FS#80182 - [xfsprogs] User=nobody in xfs_scrub@.service is discouraged by systemd

Attached to Project: Arch Linux
Opened by helle vaanzinn (glitsj16) - Monday, 06 November 2023, 21:45 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 22 November 2023, 00:46 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Tobias Powalowski (tpowa)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Usage of User/Group `nobody` in systemd units is discouraged since systemd v246 [1]. The xfs_scrub@.service from xfsprogs 6.5.0-1 still references "User=nobody" and should be changed to use the more secure `DynamicUser` concept [2].

Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
I've contacted upstream about this issue by mail [3] and will add more detailed info as soon as I get a reply.

Steps to reproduce:
Start the xfs_scrub@.service
Observe systemd complaining ... Special user nobody configured, this is not safe!

- - - - - -

[1] https://github.com/systemd/systemd/blob/v246/NEWS#L106
[2] https://0pointer.net/blog/dynamic-users-with-systemd.html
[3] linux-xfs@vger.kernel.org
Closed by Toolybird (Toolybird) - Wednesday, 22 November 2023, 00:46 GMT
Reason for closing: Deferred
Additional comments about closing: Please continue to liaise with upstream to try and get it fixed.

Comment by loqs (loqs) - Monday, 06 November 2023, 21:52 GMT
Thank you for contacting upstream. Upstream has not merged a proposed fix for the issue due to lack of reviews [1].

[1]: https://lore.kernel.org/linux-xfs/20231106214608.GH1205143@frogsfrogsfrogs/
Comment by Toolybird (Toolybird) - Monday, 06 November 2023, 21:53 GMT
That service file is provided by upstream. You'll need to report this upstream. Please let us know how you get on.

Edit: ninja'd by @loqs, again! :)
Comment by helle vaanzinn (glitsj16) - Monday, 06 November 2023, 22:03 GMT
Hopefully upstream will review the proposed fix referenced by @loqs again. It contains several other hardenings that should benefit Arch Linux users. Not sure if/when such a review will be undertaken. Until upstream acts on this I suppose Arch devs/package maintainers can't do much, sadly enough...
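
As an added example (not part of the original report or comments, and not xfsprogs or systemd code), the following Python script flags unit files whose effective `[Service]` settings use `User=nobody` or `Group=nobody`, the condition the report describes. The function names and both sample units are constructed for illustration; appending a drop-in to the unit text is an assumption used to approximate how later assignments override earlier ones.

```python
import pathlib
import sys

SPECIAL = {"nobody"}  # the account named in the report's systemd warning

# Constructed sample unit: only the User=nobody line comes from the report.
SAMPLE_BEFORE = """\
[Unit]
Description=constructed example unit

[Service]
Type=oneshot
User=nobody
ExecStart=/usr/bin/true
"""
# Constructed drop-in appended to the unit: resets User= and enables DynamicUser=.
SAMPLE_AFTER = SAMPLE_BEFORE + "\n[Service]\nUser=\nDynamicUser=yes\n"


def service_identity(unit_text):
    """Return the effective User=, Group= and DynamicUser= of [Service]."""
    settings = {"User": "", "Group": "", "DynamicUser": ""}
    section, pending = None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # line continuation
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section == "Service" and key.strip() in settings:
            settings[key.strip()] = value.strip()  # last assignment wins
    return settings


def findings(unit_text):
    """List the problems the report describes for one unit's text."""
    s = service_identity(unit_text)
    out = [f"{k}={s[k]}" for k in ("User", "Group") if s[k] in SPECIAL]
    if out and s["DynamicUser"].lower() not in ("yes", "true", "1", "on"):
        out.append("DynamicUser not enabled")
    return out


if __name__ == "__main__":
    for path in map(pathlib.Path, sys.argv[1:]):  # unit files to audit
        for finding in findings(path.read_text()):
            print(f"{path}: {finding}")
```

Pass one or more unit file paths as arguments; a unit with no output has neither setting pointing at `nobody`.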
