[Bug 1934393] Re: systemd-logind network access is blocked, and breaks remote authentication configurations
Seth Arnold
1934393 at bugs.launchpad.net
Thu Sep 23 00:37:53 UTC 2021
I initially preferred your option two, a drop-in file in whichever nis
and ldap binary packages, on principle of trying to keep the mitigations
in place if we can.
But your case for a difficult debugging session is persuasive. Reading
the various bug reports around this, option three seems pretty bad --
none of those symptoms would make me think of changing a systemd hardening
configuration on a service I might not know I am running. Nothing really
looked obviously related to network-based id services. Trying to provide
documentation around that won't be very discoverable.
Ubuntu is supposed to be easy.
So, option one: removing the restrictions for systemd-logind in our
package.
It would be nice if our implementation of option one would make it very
easy to re-add the hardening setting; which we could then document in a
hardening guide.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1934393
Title:
systemd-logind network access is blocked, and breaks remote
authentication configurations
Status in systemd:
Fix Released
Status in nis package in Ubuntu:
Confirmed
Status in openldap package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Confirmed
Status in nis package in Debian:
Fix Released
Bug description:
[impact]
starting in focal, systemd-logind runs sandboxed without any network
access, which breaks any configuration that uses remote servers for
user data, e.g. ldap, nis, etc
A fuller discussion is available in the upstream bug report as well
as the Debian bug report; see the other info section below
[test case]
many possible ways to reproduce this; there are reproducers in some of
the bugs reported before that are caused by this, e.g. bug 1915502 or
bug 1916235
[regression potential]
failure to authenticate when using remote user data, incorrect
authentication, security issues due to un-sandboxing of systemd-logind
[scope]
this is needed in f and later
before focal, systemd-logind was not sandboxed so this did not apply
[other info]
this isn't actually a bug in systemd, this is a by-design security feature; see links below (and/or comment 13 in this bug) to upstream comments about how systemd's position is that no NSS module should ever perform network access, and any NSS module that does needs to also adjust the restrictions of systemd services such as systemd-logind, systemd-userdbd, and possibly others that might need to make NSS calls into glibc.
https://github.com/systemd/systemd/issues/7074#issuecomment-338157851
https://github.com/systemd/systemd/issues/15705#issuecomment-624125354
this may also cause systemd-udevd failures in some cases.
https://github.com/systemd/systemd/pull/7343#issuecomment-344800313
For reference, upstream discussion around the systemd-logind sandboxing specifically:
https://github.com/systemd/systemd/issues/7074
upstream updated doc PR explaining the upstream position:
https://github.com/systemd/systemd/pull/7343
Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878625
Note that while this Debian bug is marked as fix released, I don't think it actually fixes the problem, from the final comment it seems like the only change was to add Recommends: nscd, which doesn't really solve things if someone doesn't use nscd.
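The discussion above weighs shipping systemd-logind without its network sandbox (option one) against keeping the sandbox and documenting how to re-add it. The following is an added example, not part of the bug report or of the systemd or Ubuntu packaging: a drop-in that re-applies the sandbox on hosts that do not use network NSS sources, plus two checks an administrator can run before the "difficult debugging session" happens. It assumes the directive values upstream uses in systemd-logind.service (IPAddressDeny=any and RestrictAddressFamilies=AF_UNIX AF_NETLINK) and the usual /etc/systemd/system/<unit>.d/ override layout; the sample `systemctl show` and nsswitch.conf contents are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: re-apply the systemd-logind network sandbox via a drop-in,
# and check whether a host's NSS setup would be broken by it.
# Assumed (taken from upstream's unit, not from this bug): the sandbox is
# expressed as IPAddressDeny=any plus RestrictAddressFamilies=AF_UNIX AF_NETLINK.

DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/systemd-logind.service.d}"

# Print the drop-in that restores upstream's network isolation for logind.
# Only appropriate where passwd/group/shadow lookups never leave the host
# (no ldap/nis in nsswitch.conf, or a local cache such as nscd in front).
rehardening_dropin() {
    cat <<'EOF'
[Service]
# Re-apply upstream's sandbox: no IP traffic, and only local socket
# families for talking to the kernel and to other daemons.
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX AF_NETLINK
EOF
}

# Install the drop-in and restart logind. Needs root; not run at load time.
install_rehardening() {
    mkdir -p "$DROPIN_DIR"
    rehardening_dropin > "$DROPIN_DIR/10-network-sandbox.conf"
    systemctl daemon-reload
    systemctl restart systemd-logind
}

# Classify the effective setting from the text of
#   systemctl show systemd-logind -p IPAddressDeny
# passed as "$1" so it can be examined offline. Prints "blocked" when an
# IP deny list is in effect, "open" when the property is empty.
network_state() {
    val=$(printf '%s\n' "$1" | sed -n 's/^IPAddressDeny=//p')
    if [ -n "$val" ]; then echo blocked; else echo open; fi
}

# Does nsswitch.conf (contents passed as "$1") route user or group lookups
# through a network source? Returns 0 if passwd/group/shadow list ldap or nis.
needs_network_nss() {
    printf '%s\n' "$1" |
        grep -Eq '^(passwd|group|shadow):[^#]*[[:space:]](ldap|nis)([[:space:]]|$)'
}

# Combine both checks: exit 0 when the sandbox and the NSS configuration are
# compatible, 1 when logind is sandboxed but lookups need the network.
sandbox_compatible() {
    show_output=$1
    nss_conf=$2
    if [ "$(network_state "$show_output")" = blocked ] && needs_network_nss "$nss_conf"; then
        return 1
    fi
    return 0
}

# Constructed samples (not captured from a real system).
SAMPLE_SHOW='IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX AF_NETLINK'
SAMPLE_NSS_LDAP='passwd: files ldap
group:  files ldap
shadow: files'
SAMPLE_NSS_LOCAL='passwd: files systemd
group:  files systemd
shadow: files'
```

On a live host, feed the checks real data with `network_state "$(systemctl show systemd-logind -p IPAddressDeny)"` and `needs_network_nss "$(cat /etc/nsswitch.conf)"`; only call `install_rehardening` when `sandbox_compatible` would succeed for that host, otherwise the re-added sandbox reproduces exactly the authentication failures this bug describes.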
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1934393/+subscriptions