
group memberships not shown for drop in user records #24381

Open
Gibheer opened this issue Aug 21, 2022 · 13 comments · May be fixed by #32871
Labels
bug 🐛 Programming errors, that need preferential fixing nss userdb

Comments

@Gibheer

Gibheer commented Aug 21, 2022

To add some login users to my images, I tried the userdb drop-in users.
They show up in userdb, but the group memberships don't come up as expected.

My system is Archlinux with systemd 251.4-1-arch

```sh
USERDB_DIR="/etc/userdb"
mkdir -p "$USERDB_DIR"

cat <<EOF > "${USERDB_DIR}/test.user"
{
  "userName": "test",
  "uid": 6000,
  "locked": false,
  "memberOf": [
    "test1"
  ]
}
EOF
cat <<EOF > "${USERDB_DIR}/test1.group"
{
  "groupName": "test1",
  "gid": 6001
}
EOF
cat <<EOF > "${USERDB_DIR}/test2.group"
{
  "groupName": "test2",
  "gid": 6002,
  "members": ["test"]
}
EOF
ln -s "${USERDB_DIR}/test1.group" "${USERDB_DIR}/6000.group"
ln -s "${USERDB_DIR}/test2.group" "${USERDB_DIR}/6001.group"
ln -s "${USERDB_DIR}/test.user" "${USERDB_DIR}/6000.user"

/usr/bin/userdbctl groups-of-user test
/usr/bin/userdbctl users-in-group test1
/usr/bin/userdbctl users-in-group test2
```

This should return

```text
USER    GROUP
test    test1
test    test2

2 memberships listed.
USER    GROUP
test    test1

1 memberships listed.
USER    GROUP
test    test2

1 memberships listed.
```

but instead I get that no memberships exist

```text
No memberships.
No memberships.
No memberships.
```

The services of userdb are up and running

```text
$ userdbctl services
SERVICE                      LISTENING
io.systemd.DropIn            yes
io.systemd.DynamicUser       yes
io.systemd.Machine           yes
io.systemd.Multiplexer       yes
io.systemd.NameServiceSwitch yes

5 services listed.
```

The records are available according to userdbctl

```text
   User name: test
 Disposition: regular
    Login OK: yes
 Password OK: no (none set)
         UID: 6000
         GID: 6000
   Directory: /home/test
     Storage: classic
       Shell: /bin/bash
      Locked: no
   Passwords: none
     Service: io.systemd.NameServiceSwitch
```

But somehow the relationship isn't loaded as it would have been when using homectl. I have investigated the code but couldn't find the place where the group memberships are left out or dropped.

@poettering poettering added nss userdb bug 🐛 Programming errors, that need preferential fixing labels Sep 15, 2022
@lutchann

It doesn't look like additional group membership is properly loaded from drop-ins, neither with the member field of the group drop-in, nor with the memberOf field of the user drop-in. strace shows that .user files aren't even consulted when running getent group.

However, as a workaround, membership drop-ins do the trick: create a file named <user>:<group>.membership alongside your existing drop-ins. (The contents of the file don't seem to matter, but the file can't be zero-length as the parser will treat it as a mask file.) In your example above, you could use something like:

```sh
echo > "${USERDB_DIR}/test:test1.membership"
echo > "${USERDB_DIR}/test:test2.membership"
```

At least, this is working for me on Ubuntu 22.04 with systemd 249, which does not have userdbd.

@poettering
Member

What does your /etc/nsswitch.conf actually look like?

i.e. it must say:

```text
group: compat [SUCCESS=merge] systemd
```

or something like that. i.e. the [SUCCESS=merge] thing is key.

@Gibheer
Author

Gibheer commented Sep 30, 2022

Sorry for the late response. My nsswitch.conf contains

```text
group: files [SUCCESS=merge] systemd
```

Thank you lutchann, I will try that.

@pothos
Contributor

pothos commented Mar 29, 2023

Thanks for the workaround, indeed it helps :) But now I wonder, what are valid contents for a .membership file - is the content ignored? After a quick glimpse at the source code I think the filename consists of a user and a group name, but I'm not sure if the contents are even read somewhere.

@pothos
Contributor

pothos commented Sep 12, 2023

@AdrianVovk fyi

@chewi

chewi commented May 13, 2024

I've looked into this and found that it's basically not implemented! Presumably an oversight. 😄 I started trying to fix this one way, and got the group to appear in userdbctl user, but I realised this wasn't going to work in other cases. My second attempt would be a more complete fix, but it's currently not working. I think I'm close, but it's not the easiest thing to debug!

@Gibheer
Author

Gibheer commented May 13, 2024

@chewi thank you so much for looking into this issue :)

@chewi

chewi commented May 14, 2024

I got it to work!! It just needs some deduping. Hopefully that's not difficult.

@chewi

chewi commented May 14, 2024

Oh, by the way, your test case is slightly wonky. 6000.group and 6001.group point to GIDs 6001 and 6002. The user also defaults to GID 6000, but you didn't create a group for that.
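
The three pitfalls raised in this thread (a .membership file that must exist and be non-empty, numeric <uid>.user / <gid>.group symlinks that must point at a record carrying that same UID/GID, and a group: line in nsswitch.conf that must carry [SUCCESS=merge] before systemd) are easy to get wrong by hand. The following is an added example, not code from systemd or from anyone in this thread: it writes a drop-in directory in the layout described above, deriving the numeric symlinks from the records themselves, and then validates such a directory, flagging exactly the mismatches from the original report. Assumptions, not confirmed by the page: the JSON written into the .membership files (the thread says the content is currently ignored, so only non-emptiness matters), and that a user's primary GID defaults to its UID when the record has no "gid" (the report's userdbctl output shows GID 6000 for uid 6000 without a gid field, which is the only evidence here).

```python
import json
import os
import re
import tempfile
from pathlib import Path


def _replace_symlink(link: Path, target: str) -> None:
    if link.is_symlink() or link.exists():
        link.unlink()
    link.symlink_to(target)


def write_dropins(userdb_dir, users, groups, memberships):
    """Write <name>.user / <name>.group JSON records, numeric symlinks derived
    from the records' own uid/gid, and non-empty <user>:<group>.membership files.
    users: name -> dict with at least "uid"; groups: name -> dict with at least
    "gid"; memberships: iterable of (user, group) pairs."""
    d = Path(userdb_dir)
    d.mkdir(parents=True, exist_ok=True)
    for name, rec in users.items():
        rec = {"userName": name, **rec}
        (d / f"{name}.user").write_text(json.dumps(rec, indent=2) + "\n")
        # Alias name comes from the record itself, so it cannot drift.
        _replace_symlink(d / f"{rec['uid']}.user", f"{name}.user")
    for name, rec in groups.items():
        rec = {"groupName": name, **rec}
        (d / f"{name}.group").write_text(json.dumps(rec, indent=2) + "\n")
        _replace_symlink(d / f"{rec['gid']}.group", f"{name}.group")
    for user, group in memberships:
        # Must be non-empty: a zero-length drop-in is treated as a mask.
        body = {"userName": user, "groupName": group}  # assumed shape, ignored today
        (d / f"{user}:{group}.membership").write_text(json.dumps(body) + "\n")


def validate_dropins(userdb_dir):
    """Return a sorted list of problems: numeric symlinks whose name does not
    match the target's uid/gid, empty .membership files, memberships naming
    unknown records, and users whose primary GID has no .group record."""
    d = Path(userdb_dir)
    problems, users, groups = [], {}, {}
    for p in d.iterdir():
        if p.is_symlink():
            continue
        if p.suffix == ".user":
            users[p.stem] = json.loads(p.read_text())
        elif p.suffix == ".group":
            groups[p.stem] = json.loads(p.read_text())
    gids = {g.get("gid") for g in groups.values()}
    for name, rec in users.items():
        gid = rec.get("gid", rec.get("uid"))  # assumption: default GID == UID
        if gid not in gids:
            problems.append(f"{name}.user: primary gid {gid} has no .group record")
    for p in d.iterdir():
        if p.is_symlink() and p.stem.isdigit() and p.suffix in (".user", ".group"):
            key = "uid" if p.suffix == ".user" else "gid"
            try:
                rec = json.loads(p.read_text())
            except (OSError, ValueError):
                problems.append(f"{p.name}: dangling or unparsable symlink")
                continue
            if rec.get(key) != int(p.stem):
                problems.append(f"{p.name} -> {os.readlink(p)} has {key} {rec.get(key)}")
        elif p.suffix == ".membership":
            user, sep, group = p.stem.partition(":")
            if p.stat().st_size == 0:
                problems.append(f"{p.name}: empty file is treated as a mask")
            if not sep or user not in users or group not in groups:
                problems.append(f"{p.name}: names an unknown user or group")
    return sorted(problems)


def nsswitch_merges_systemd_groups(nsswitch_text):
    """True if the group: line lists the systemd module after a [SUCCESS=merge]
    action, which the thread identifies as required for merged memberships."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("group:"):
            continue
        tokens = line.split(":", 1)[1].split()
        if "systemd" not in tokens:
            return False
        before = tokens[: tokens.index("systemd")]
        return any(re.fullmatch(r"\[.*SUCCESS=merge.*\]", t) for t in before)
    return False


def demo():
    """Build the report's records (plus a 'test' group for the default GID) in a
    temp dir, validate, then recreate the report's mismatched symlinks and an
    empty membership file and validate again."""
    tmp = tempfile.mkdtemp(prefix="userdb-")
    write_dropins(
        tmp,
        users={"test": {"uid": 6000, "locked": False, "memberOf": ["test1"]}},
        groups={"test": {"gid": 6000}, "test1": {"gid": 6001},
                "test2": {"gid": 6002, "members": ["test"]}},
        memberships=[("test", "test1"), ("test", "test2")],
    )
    clean = validate_dropins(tmp)
    d = Path(tmp)
    _replace_symlink(d / "6000.group", "test1.group")  # gid 6001, as in the report
    _replace_symlink(d / "6001.group", "test2.group")  # gid 6002, as in the report
    (d / "test:test1.membership").write_text("")        # zero-length: becomes a mask
    return clean, validate_dropins(tmp)


if __name__ == "__main__":
    before, after = demo()
    print("consistent layout:", before or "no problems")
    for problem in after:
        print("report layout:", problem)
```

Run it against a real /etc/userdb with `validate_dropins("/etc/userdb")` and feed `/etc/nsswitch.conf` to `nsswitch_merges_systemd_groups` before chasing userdbctl output; both checks are offline and need no root.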

@chewi

chewi commented May 14, 2024

All looking good now. Time to write some tests.

chewi added a commit to chewi/systemd that referenced this issue May 15, 2024
This was broken because it was never actually implemented. Only
.membership dropins were checked.

This enhances the membership iterator to step through each user/group in
these dropins before moving on to the next dropin.

Fixes systemd#24381.
@chewi

chewi commented May 15, 2024

It turns out I'm still getting some duplication, although that's probably a minor issue. More importantly, my tests are failing because I'm bizarrely getting different results from userdbctl when requesting the output in JSON format. I don't think I should create a pull request yet, but here is the branch if you're interested.

chewi added a commit to chewi/systemd that referenced this issue May 16, 2024
This was broken because it was never actually implemented. Only
.membership dropins were checked.

This enhances the membership iterator to step through each user/group in
these dropins before moving on to the next dropin.

It does not deduplicate the users or groups as it iterates. Some users
of the iterator do deduplication, but userdbctl's friendly output and
the NSS module do not. Perhaps this is not an issue in practice.

Fixes systemd#24381.
chewi added a commit to chewi/systemd that referenced this issue May 16, 2024
The friendly renderer was using a membership iterator while the JSON
renderer was not.

Fixes systemd#24381.
chewi added a commit to chewi/systemd that referenced this issue May 16, 2024
The friendly renderer was using a membership iterator while the classic
renderer was not.

Fixes systemd#24381.
@chewi

chewi commented May 16, 2024

It's ready. It still duplicates in places, but hopefully that's not a real issue. See the PR in #32871.

bluca pushed a commit to chewi/systemd that referenced this issue May 17, 2024
bluca pushed a commit to chewi/systemd that referenced this issue May 17, 2024
bluca pushed a commit to chewi/systemd that referenced this issue May 17, 2024
chewi added a commit to chewi/systemd that referenced this issue May 22, 2024
chewi added a commit to chewi/systemd that referenced this issue May 22, 2024
chewi added a commit to chewi/systemd that referenced this issue May 22, 2024
@poettering
Member

poettering commented May 22, 2024

> Thanks for the workaround, indeed it helps :) But now I wonder, what are valid contents for a .membership file - is the content ignored? After a quick glimpse at the source code I think the filename consists of a user and a group name, but I'm not sure if the contents are even read somewhere.

So yeah, the contents are ignored indeed.

This was the reason I never documented this part, I wasn't entirely sure what to write into the docs... and then I eventually totally forgot about this.

I think we should require that these files contain json objects matching the return parameter of what the io.systemd.UserDatabase.GetMemberships() call also returns.

(but of course, we don't really want to parse those files ever, hence it's hard to enforce correctness here)
