On Thu, 14 Dec 2023 at 11:38:16 +0100, Harald Dunkel wrote:
> getent queries all databases, as listed in /etc/nsswitch.conf, AFAIU.
> I would suggest to use
>
> getent -s files passwd polkitd
>
> to query /etc/passwd only and to ignore remote databases based on LDAP
> or NIS or similar. polkitd is supposed to be a local system user.
Wouldn't this break systems where polkitd is a local system user stored
in some backend other than the standard flat files, like libnss-db or
libnss-extrausers?
In any case, as per your later reply, it seems that this wouldn't have
been sufficient:
On Fri, 15 Dec 2023 at 13:59:02 +0100, Harald Dunkel wrote:
> + command -v systemd-sysusers
> + systemd-sysusers polkitd.conf
> Failed to check if group polkitd already exists: Connection refused
How is this particular system set up? Is it using a remote user database?
This seems to be consistent with how
/usr/share/debhelper/autoscripts/postinst-sysusers handles sysusers, so
if there is a bug here, it would affect any package that relies on
sysusers.d, not just polkit.
> chown: invalid user: 'polkitd:root'
This is what is actually causing the script to fail here, and it's
unavoidable: we can't not do this. If we skipped this step, polkitd
would not work correctly.
(In current versions of polkitd it would be root:polkitd, but the
principle is the same.)
chown, id and any other standard system utilities that use glibc
interfaces like getpwnam() are always going to do the equivalent of
`getent passwd polkitd` and never the equivalent of
`getent -s files passwd polkitd`, so the equivalents of those calls need
to work, one way or another, while you are doing your upgrade.
smcv
