sysusers: handle NSS errors gracefully

bluca · bluca · commit af2eb43ff42d · 2024-07-06T17:27:47.000+01:00
If the io.systemd.DynamicUser or io.systemd.Machine files exist, but nothing is listening on them, the nss-systemd module returns ECONNREFUSED and systemd-sysusers fails to creat the user/group. This is problematic when ran by packaging scripts, as the package assumes that after this has run, the user/group exist and can be used. adduser does not fail in the same situation. Change sysusers to print a loud warning but otherwise continue when NSS returns an error. (cherry picked from commit fc9938d) (cherry picked from commit abba1e6) (cherry picked from commit 0f51875) (cherry picked from commit dffa62c)
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
@@ -989,7 +989,7 @@ static int uid_is_ok(uid_t uid, const char *name, bool check_with_gid) {
                 if (p)
                         return 0;
                 if (!IN_SET(errno, 0, ENOENT))
-                        return -errno;
+                        log_warning_errno(errno, "Unexpected failure while looking up UID '" UID_FMT "' via NSS, assuming it doesn't exist: %m", uid);
 
                 if (check_with_gid) {
                         errno = 0;
@@ -998,7 +998,7 @@ static int uid_is_ok(uid_t uid, const char *name, bool check_with_gid) {
                                 if (!streq(g->gr_name, name))
                                         return 0;
                         } else if (!IN_SET(errno, 0, ENOENT))
-                                return -errno;
+                                log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", uid);
                 }
         }
 
@@ -1103,7 +1103,7 @@ static int add_user(Item *i) {
                         return 0;
                 }
                 if (!errno_is_not_exists(errno))
-                        return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name);
+                        log_warning_errno(errno, "Unexpected failure while looking up user '%s' via NSS, assuming it doesn't exist: %m", i->name);
         }
 
         /* Try to use the suggested numeric UID */
@@ -1219,15 +1219,15 @@ static int gid_is_ok(gid_t gid, const char *groupname, bool check_with_uid) {
                 if (g)
                         return 0;
                 if (!IN_SET(errno, 0, ENOENT))
-                        return -errno;
+                        log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);
 
                 if (check_with_uid) {
                         errno = 0;
                         p = getpwuid((uid_t) gid);
                         if (p)
                                 return 0;
                         if (!IN_SET(errno, 0, ENOENT))
-                                return -errno;
+                                log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);
                 }
         }
 
@@ -1257,7 +1257,7 @@ static int get_gid_by_name(const char *name, gid_t *gid) {
                         return 0;
                 }
                 if (!errno_is_not_exists(errno))
-                        return log_error_errno(errno, "Failed to check if group %s already exists: %m", name);
+                        log_warning_errno(errno, "Unexpected failure while looking up group '%s' via NSS, assuming it doesn't exist: %m", name);
         }
 
         return -ENOENT;
diff --git a/test/units/TEST-74-AUX-UTILS.sysusers.sh b/test/units/TEST-74-AUX-UTILS.sysusers.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+at_exit() {
+    set +e
+    userdel -r foobarbaz
+    umount /run/systemd/userdb/
+}
+
+# Check that we indeed run under root to make the rest of the test work
+[[ "$(id -u)" -eq 0 ]]
+
+trap at_exit EXIT
+
+# Ensure that a non-responsive NSS socket doesn't make sysusers fail
+mount -t tmpfs tmpfs /run/systemd/userdb/
+touch /run/systemd/userdb/io.systemd.DynamicUser
+echo 'u foobarbaz' | SYSTEMD_LOG_LEVEL=debug systemd-sysusers -
+grep -q foobarbaz /etc/passwd

Original file line number	Diff line number	Diff line change
`@@ -989,7 +989,7 @@ static int uid_is_ok(uid_t uid, const char *name, bool check_with_gid) {`
`989`	`989`	`if (p)`
`990`	`990`	`return 0;`
`991`	`991`	`if (!IN_SET(errno, 0, ENOENT))`
`992`		`- return -errno;`
	`992`	`+ log_warning_errno(errno, "Unexpected failure while looking up UID '" UID_FMT "' via NSS, assuming it doesn't exist: %m", uid);`
`993`	`993`
`994`	`994`	`if (check_with_gid) {`
`995`	`995`	`errno = 0;`
`@@ -998,7 +998,7 @@ static int uid_is_ok(uid_t uid, const char *name, bool check_with_gid) {`
`998`	`998`	`if (!streq(g->gr_name, name))`
`999`	`999`	`return 0;`
`1000`	`1000`	`} else if (!IN_SET(errno, 0, ENOENT))`
`1001`		`- return -errno;`
	`1001`	`+ log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", uid);`
`1002`	`1002`	`}`
`1003`	`1003`	`}`
`1004`	`1004`
`@@ -1103,7 +1103,7 @@ static int add_user(Item *i) {`
`1103`	`1103`	`return 0;`
`1104`	`1104`	`}`
`1105`	`1105`	`if (!errno_is_not_exists(errno))`
`1106`		`- return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name);`
	`1106`	`+ log_warning_errno(errno, "Unexpected failure while looking up user '%s' via NSS, assuming it doesn't exist: %m", i->name);`
`1107`	`1107`	`}`
`1108`	`1108`
`1109`	`1109`	`/* Try to use the suggested numeric UID */`
`@@ -1219,15 +1219,15 @@ static int gid_is_ok(gid_t gid, const char *groupname, bool check_with_uid) {`
`1219`	`1219`	`if (g)`
`1220`	`1220`	`return 0;`
`1221`	`1221`	`if (!IN_SET(errno, 0, ENOENT))`
`1222`		`- return -errno;`
	`1222`	`+ log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);`
`1223`	`1223`
`1224`	`1224`	`if (check_with_uid) {`
`1225`	`1225`	`errno = 0;`
`1226`	`1226`	`p = getpwuid((uid_t) gid);`
`1227`	`1227`	`if (p)`
`1228`	`1228`	`return 0;`
`1229`	`1229`	`if (!IN_SET(errno, 0, ENOENT))`
`1230`		`- return -errno;`
	`1230`	`+ log_warning_errno(errno, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);`
`1231`	`1231`	`}`
`1232`	`1232`	`}`
`1233`	`1233`
`@@ -1257,7 +1257,7 @@ static int get_gid_by_name(const char name, gid_t gid) {`
`1257`	`1257`	`return 0;`
`1258`	`1258`	`}`
`1259`	`1259`	`if (!errno_is_not_exists(errno))`
`1260`		`- return log_error_errno(errno, "Failed to check if group %s already exists: %m", name);`
	`1260`	`+ log_warning_errno(errno, "Unexpected failure while looking up group '%s' via NSS, assuming it doesn't exist: %m", name);`
`1261`	`1261`	`}`
`1262`	`1262`
`1263`	`1263`	`return -ENOENT;`