[systemd-devel] Fedpra 32 NIS with systemd-logind.service: start operation timed out. Terminating. Got lookup error: io.systemd.TimedOut

Lennart Poettering lennart at poettering.net
Wed May 20 16:54:40 UTC 2020 

On Mi, 20.05.20 11:07, Robert Kudyba (rkudyba at fordham.edu) wrote:

> >
> >
> > On Di, 19.05.20 23:36, Robert Kudyba (rkudyba at fordham.edu) wrote:
> >
> > > Just upgraded for Fedora 32, still running NUS/ypserv, now getting
> > > very slow logins and systemd-logind is not starting. I enabled debug
> > > logs and am seeing the below logs. I don't think
> > >
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_systemd_systemd_issues_7074&d=DwIBAg&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=g-sQXgHR3VJuVTBfUvADrmjl8NIsPaBKboi8ZUH0gOA&s=X94m6OxWpvg9NhGqgPLaACIrMX1q1gleuH8E5qtUR3U&e=
> > is back with the
> > > nss-nis bug but I made sure that IPAddress= is set (to nothing).
> >
> > Make sure to turn the sandboxing off for systemd-userdb.service too if
> > you want to use NIS.
> >
>
> OK this wasn't obvious to me but I believe I found it. How does one know
> how to turn off sandboxing for this service? Is there a document that
> mentions IPAddress = achieves this?

You shouldn't have to do that manually. Packages that require to
do networking from inside NSS modules (which is pretty much NIS,
because it's so old) should ship a drop-in for systemd-userdbd.service
and systemd-logind.service to punch a hole into the sandboxing.

Quite frankly: NSS modules should not do networking directly in
2020. Let them talk to a local service that does it, but doing it
inside of any frickin process that calls getpwnam() is just very very
wrong, and a security hole.

In the interest of building a secure OS system generally locks most
its services into a tight sandbox, and that means we turn off
networking for most of them since they generally don#t need
that. Except they do if nss-nis is used which wants that. But if you
do something dangerous like that it's really on you that the sandbox
must be turned off.

> https://bugzilla.redhat.com/show_bug.cgi?id=1837808

File it against the NIS packages, they should carry the drop-in for
these two services that turn of the sandbox. That way the majority
people can enjoy a tightly locked sandbox for these services, and only
those who actually run NIS opt into non-sandboxed operation.

Lennart

--
Lennart Poettering, Berlin

More information about the systemd-devel mailing list