Removing libnss-* does not remove corresponding options

Bug #1625584 reported by Martin Pitt on 2016-09-20
This bug affects 1 person
Affects Status Importance Assigned to Milestone
systemd (Ubuntu)
Medium
Martin Pitt
Xenial
Medium
Unassigned

Bug Description

libnss-{resolve,mymachines,myhostname} automatically add/remove themselves from /etc/nsswitch.conf on installation/removal.

But when NSS action specifiers are (manually) added, these do not get removed along with them.

SRU FIX: https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial&id=2d08d7e481

TEST CASE:
  * Install libnss-mymachines. This will change the "hosts" line in /etc/nsswitch.conf from e. g. "files dns" to "files dns mymachines".
  * Edit the file to add an action specifier: "files dns mymachines [!UNAVAIL=return]"
  * Remove/purge libnss-mymachines.
  * In current xenial (229-4ubuntu7)/yakkety (231-6) the hosts line ends up as "files dns [!UNAVAIL=return]", i. e. the action specifier now applies to "dns" but should have been removed.
  * With the fixed version, the action specifier is completely gone.
  * Re-test with installing libnss-resolve (which inserts itself before "dns") and modifying to "files resolve [!UNAVAIL=return] dns [foo=bar]", then purge libnss-resolve again -- this should again remove the [!UNAVAIL=return] but *NOT* "dns [foo=bar]".

Regression potential: This only affects package removal, so upgrades or new installs are not affected. Removals of libnss-{mymachines,myhostname,resolve} must be tested carefully to ensure that they don't break nsswitch.conf in any way.
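
The removal behaviour that the test case above checks, as an added example (not the packaged prerm script and not code from this report): `nss_strip_naive` deletes only the module name and reproduces the pre-fix result, while `nss_strip` also deletes the action specifiers that directly follow the module. The function names and the sample file content are constructed for illustration; GNU or BSD `sed -E` is assumed.

```shell
#!/bin/sh
# Added example: remove an NSS module from the "hosts:" line of
# nsswitch.conf-style input read from stdin. Function names are hypothetical.

# Accept only plain module names so the name cannot alter the sed expression.
nss_valid_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
}

# Pre-fix behaviour: drops the module name only. A following
# "[!UNAVAIL=return]" survives and now applies to the previous module.
nss_strip_naive() {
    nss_valid_name "$1" || return 2
    sed -E "/^hosts:/ s/[[:space:]]+$1([[:space:]]|\$)/\1/"
}

# Fixed behaviour: drops the module plus every bracketed action specifier
# that directly follows it. Specifiers of later modules are left alone,
# because the match stops at the next token that is not "[...]".
nss_strip() {
    nss_valid_name "$1" || return 2
    sed -E "/^hosts:/ s/[[:space:]]+$1([[:space:]]*\[[^]]*\])*([[:space:]]|\$)/\2/"
}

# Constructed sample input (not taken from a real system).
SAMPLE='passwd:         compat
hosts:          files resolve [!UNAVAIL=return] dns [foo=bar]'

echo "--- before"
printf '%s\n' "$SAMPLE"
echo "--- after nss_strip resolve"
printf '%s\n' "$SAMPLE" | nss_strip resolve
```

Lines other than `hosts:` pass through unchanged, so the functions can be run over a copy of the whole file and the result diffed before anything is written back.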

Martin Pitt (pitti) on 2016-09-20
Changed in systemd (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Martin Pitt (pitti)
milestone: none → ubuntu-16.09
Changed in systemd (Ubuntu Xenial):
status: New → Triaged
Changed in systemd (Ubuntu):
status: New → In Progress
Martin Pitt (pitti) on 2016-09-20
description: updated
Martin Pitt (pitti) on 2016-09-20
Changed in systemd (Ubuntu):
status: In Progress → Fix Committed
description: updated
Changed in systemd (Ubuntu Xenial):
status: Triaged → In Progress
description: updated

Hello Martin, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in systemd (Ubuntu Xenial):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 231-7

---------------
systemd (231-7) unstable; urgency=medium

  [ Michael Biebl ]
  * fsckd: Do not exit on idle timeout if there are still clients connected
    (Closes: #788050, LP: #1547844)

  [ Martin Pitt ]
  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks Alp
    Toker! (LP: #1593379)
  * debian/tests/boot-smoke: Only run 5 iterations
  * systemd.postinst: Drop obsolete setcap call for systemd-detect-virt.
    Drop corresponding libcap2-bin dependency.
  * debian/tests/systemd-fsckd: Robustify check for "unit was running"
    (LP: #1624406)
  * debian/extra/set-cpufreq: Use powersave with intel_pstate.
    This is what we did on xenial, and apparently powersave is still actually
    better than performance. Thanks to Doug Smythies for the measurements!
    (LP: #1579278)
  * Ubuntu: Move ondemand.service from static to runtime enablement.
    This makes it easier to keep performance, by disabling ondemand.service.
    Side issue in LP: #1579278
  * Revert "networkd: remove route if carrier is lost"
    This causes networkd to drop addresses from unmanaged interfaces in some
    cases. (Closes: #837759)
  * debian/tests/storage: Avoid stderr output of stopping systemd-cryptsetup@.service
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as well.
    (LP: #1625584)

 -- Martin Pitt <email address hidden> Tue, 20 Sep 2016 15:03:06 +0200

Changed in systemd (Ubuntu):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Current SRU got shadowed by a security update, resetting. Will reupload shortly.

Changed in systemd (Ubuntu Xenial):
status: Fix Committed → In Progress
tags: removed: verification-needed
Chris Halse Rogers (raof) wrote :

Hello Martin, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

I ran the test case on a xenial-proposed machine successfully.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 229-4ubuntu11

---------------
systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks
    Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected
    (Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as
    well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of
    which we need for good netplan support. Backporting them individually
    would be a lot more work and a lot less robust, and we did not use/support
    networkd in 16.04 so far. Drop the other network related patches as they
    are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the DHCPv6 tests. The DHCPv6
    behaviour is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the
    assertion, the "n" value was not used anyway. This fixes a local DoS due
    to unprocessed/unclosed fds which got introduced by the previous fix.
    (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If
    manager_dispatch_notify_fd() fails and returns an error then the handling
    of service notifications will be disabled entirely leading to a
    compromised system. (side issue of LP: #1628687)

 -- Martin Pitt <email address hidden> Tue, 04 Oct 2016 21:43:04 +0200

Changed in systemd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
