Bug 249445 - sysutils/accountsservice: Update to 0.6.55
Summary: sysutils/accountsservice: Update to 0.6.55
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords: needs-patch, regression, security
Depends on:
Blocks:
 
Reported: 2020-09-19 09:09 UTC by Olivier Duchateau
Modified: 2021-09-20 03:09 UTC (History)
17 users (show)

See Also:
0mp: maintainer-feedback-


Attachments
Patch to update sysutils/accountsservice (41.10 KB, patch)
2020-09-19 09:09 UTC, Olivier Duchateau
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Olivier Duchateau 2020-09-19 09:09:30 UTC
Created attachment 218068 [details]
Patch to update sysutils/accountsservice

- Update to 0.6.55 (big 4 years jump!)
- Switch to the Meson build system
- Update pkg-descr, Freedesktop.org migrated from cgit to gitlab
- Adjust dependencies
- Remove useless pkg-install script, feature already in pkg-plist

CC'ed the desktop team

Note: tested with GLib 2.66.0
Comment 1 Olivier Duchateau 2020-09-19 09:11:31 UTC
Tested with GLib 2.66.0 and GObject introspection 1.66.0 (both the latest releases).
Comment 2 Greg V 2020-11-12 13:52:21 UTC
Ooh, this also fixes the userdel thing (the previous patches forgot to touch deletion), nice.
Comment 3 Tobias C. Berner freebsd_committer 2021-05-24 15:05:14 UTC
Thanks for taking this 0mp :)


mfg Tobias
Comment 4 commit-hook freebsd_committer 2021-05-25 08:28:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ffb1311e56725702208e807cfc63c8163c6b4a52

commit ffb1311e56725702208e807cfc63c8163c6b4a52
Author:     Olivier Duchateau <olivierd@FreeBSD.org>
AuthorDate: 2021-05-24 15:38:38 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2021-05-25 08:28:07 +0000

    sysutils/accountsservice: Update to 0.6.55

    This update also fixes the userdel functionality.

    PR:             249445
    Reviewed by:    0mp
    Approved by:    maintainer timeout
    MFH:            2021Q2
    Security:       75aae50b-9e3c-11eb-9bc3-8c164582fbac
    Security:       CVE-2018-14036

 sysutils/accountsservice/Makefile                  |  30 +--
 sysutils/accountsservice/distinfo                  |   6 +-
 .../accountsservice/files/patch-configure (gone)   |  21 --
 .../accountsservice/files/patch-meson.build (new)  |  16 ++
 .../files/patch-meson__post__install.py (new)      |  13 +
 sysutils/accountsservice/files/patch-src_daemon.c  | 282 ++++++++++++++++++++-
 .../patch-src_libaccountsservice_act-user.c (new)  |  11 +
 .../files/patch-src_meson.build (new)              |  13 +
 sysutils/accountsservice/files/patch-src_user.c    | 190 ++++++++++----
 .../accountsservice/files/patch-src_user.h (new)   |  27 ++
 .../files/patch-src_wtmp-helper.h (new)            |  10 +
 sysutils/accountsservice/pkg-descr                 |   6 +-
 sysutils/accountsservice/pkg-install (gone)        |   9 -
 sysutils/accountsservice/pkg-plist                 |  51 ++--
 14 files changed, 540 insertions(+), 145 deletions(-)
Comment 5 commit-hook freebsd_committer 2021-05-25 08:32:56 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6a456af02d7efda292eb0c52887c1a1964478589

commit 6a456af02d7efda292eb0c52887c1a1964478589
Author:     Olivier Duchateau <olivierd@FreeBSD.org>
AuthorDate: 2021-05-24 15:38:38 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2021-05-25 08:31:57 +0000

    sysutils/accountsservice: Update to 0.6.55

    This update also fixes the userdel functionality.

    PR:             249445
    Reviewed by:    0mp
    Approved by:    maintainer timeout
    MFH:            2021Q2
    Security:       75aae50b-9e3c-11eb-9bc3-8c164582fbac
    Security:       CVE-2018-14036

    (cherry picked from commit ffb1311e56725702208e807cfc63c8163c6b4a52)

 sysutils/accountsservice/Makefile                  |  30 +--
 sysutils/accountsservice/distinfo                  |   6 +-
 .../accountsservice/files/patch-configure (gone)   |  21 --
 .../accountsservice/files/patch-meson.build (new)  |  16 ++
 .../files/patch-meson__post__install.py (new)      |  13 +
 sysutils/accountsservice/files/patch-src_daemon.c  | 282 ++++++++++++++++++++-
 .../patch-src_libaccountsservice_act-user.c (new)  |  11 +
 .../files/patch-src_meson.build (new)              |  13 +
 sysutils/accountsservice/files/patch-src_user.c    | 190 ++++++++++----
 .../accountsservice/files/patch-src_user.h (new)   |  27 ++
 .../files/patch-src_wtmp-helper.h (new)            |  10 +
 sysutils/accountsservice/pkg-descr                 |   6 +-
 sysutils/accountsservice/pkg-install (gone)        |   9 -
 sysutils/accountsservice/pkg-plist                 |  51 ++--
 14 files changed, 540 insertions(+), 145 deletions(-)
Comment 6 Ruslan Makhmatkhanov freebsd_committer 2021-06-06 09:03:52 UTC
Reopen. After update to 0.6.55 there is no users list at gdm login screen. It just shows "not listed" string. But I able to click there and type username manually. At 14-CURRENT I'm able to get to desktop after that, but there is similar user report for 13.x at freebsd-ports@ ML, and reporter has a problem with getting the desktop after manually typing username. But if I Lock the screen (Windows+L or via menu), I can't get back to the desktop without restarting gdm and supplying user credentials again, because Lock login screen lacks username field and providing just password isn't enough.  

Reverting to 0.6.42 makes users list available again and fixes Lock screen dialog. Both for 14-CURRENT and 13.x.
Comment 7 Ruslan Makhmatkhanov freebsd_committer 2021-06-06 09:22:59 UTC
Here is original report: 
https://lists.freebsd.org/archives/freebsd-ports/2021-June/000094.html
Comment 8 Olivier Duchateau 2021-06-06 14:17:02 UTC
If you try (when GDM is running, but in different TTY):

DBus service must be enable.

> gdbus call --system --dest org.freedesktop.DBus \
>  --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames

If you see 'org.freedesktop.Accounts', try this following command:

> gdbus call --system --dest org.freedesktop.Accounts \
>  --object-path /org/freedesktop/Accounts \
>  --method org.freedesktop.Accounts.ListCachedUsers

List of users (it's list of ObjectPath) will be displayed (UserName property contains login name).
Comment 9 Pavel Timofeev 2021-06-07 15:21:52 UTC
(In reply to Ruslan Makhmatkhanov from comment #7)
Thank you, Ruslan, for linking my post
Comment 10 bpurgar 2021-06-20 11:06:10 UTC
Same problem after updating to 0.6.55
No user icons in gdm login screen
Comment 11 bpurgar 2021-06-20 17:08:49 UTC
(In reply to Olivier Duchateau from comment #8)

gdbus call --system --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames
(['org.freedesktop.DBus', ':1.92', ':1.7', ':1.93', ':1.94', ':1.83', 'org.freedesktop.ColorManager', ':1.50', ':1.84', ':1.51', ':1.52', ':1.86', ':1.53', 'org.freedesktop.PolicyKit1', ':1.87', ':1.54', ':1.88', ':1.55', 'org.freedesktop.ConsoleKit', ':1.89', ':1.56', 'org.freedesktop.UPower', 'org.freedesktop.UDisks2', ':1.2', ':1.49', ':1.17', ':1.4', ':1.90', 'org.freedesktop.Accounts', ':1.91'],)

gdbus call --system --dest org.freedesktop.Accounts  --object-path /org/freedesktop/Accounts --method org.freedesktop.Accounts.ListCachedUsers
([objectpath '/org/freedesktop/Accounts/User1001'],)



If i enable autologin in gdm's custom.conf i got this in logs :

gdm[25252]: accountsservice: ActUserManager: user (null) has no username (uid: -1)

maybe this helps ..
Comment 12 david 2021-06-26 22:45:43 UTC
I have been hitting this issue myself, and I think the bug exists in 2 places.  1 in accountservice/src/daemon.c:

daemon.c:197
>         /* First iteration */
>         if (*state == NULL) {
>                 GHashTable *shadow_users = NULL;
>                 FILE *fp;
> #ifdef HAVE_SHADOW_H
>                 struct spwd *shadow_entry;
> 
>                 fp = fopen (PATH_SHADOW, "r");
>                 if (fp == NULL) {
>                         g_warning ("Unable to open %s: %s", PATH_SHADOW, g_strerror (errno));
>                         return NULL;
>                 }
> 
>                 shadow_users = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, g_free);
> 
>                 do {
>                         int ret = 0;
> 
>                         shadow_entry_buffers = g_malloc0 (sizeof (*shadow_entry_buffers));
> 
>                         ret = fgetspent_r (fp, &shadow_entry_buffers->spbuf, shadow_entry_buffers->buf, sizeof (shadow_entry_buffers->buf), &shadow_entry);
>                         if (ret == 0) {
>                                 g_hash_table_insert (shadow_users, g_strdup (shadow_entry->sp_namp), shadow_entry_buffers);
>                         } else {
>                                 g_free (shadow_entry_buffers);
> 
>                                 if (errno != EINTR) {
>                                         break;
>                                 }
>                         }
>                 } while (shadow_entry != NULL);
> 
>                 fclose (fp);
> 
>                 if (g_hash_table_size (shadow_users) == 0) {
>                         g_clear_pointer (&shadow_users, g_hash_table_unref);
>                         return NULL;
>                 }
> #endif
> 
>                 fp = fopen (PATH_PASSWD, "r");
>                 if (fp == NULL) {
>                         g_clear_pointer (&shadow_users, g_hash_table_unref);
>                         g_warning ("Unable to open %s: %s", PATH_PASSWD, g_strerror (errno));
>                         return NULL;
>                 }
> 
>                 generator_state = g_malloc0 (sizeof (*generator_state));
>                 generator_state->fp = fp;
>                 generator_state->users = shadow_users;
> 
>                 *state = generator_state;
>         }
> 
>         /* Every iteration */
>         generator_state = *state;
> 
>         if (g_hash_table_size (users) < MAX_LOCAL_USERS) {
>                 pwent = fgetpwent (generator_state->fp);
>                 if (pwent != NULL) {
> #ifdef HAVE_SHADOW_H
>                         shadow_entry_buffers = g_hash_table_lookup (generator_state->users, pwent->pw_name);
> 
>                         if (shadow_entry_buffers != NULL) {
>                             *spent = &shadow_entry_buffers->spbuf;
>                         }
>                         return pwent;
> #else
>                         if (!generator_state->users || g_hash_table_lookup (generator_state->users, pwent->pw_name))
>                             return pwent;
> #endif
>                 }
>         }


Note that my reading of the code is that it pulls all of /etc/shadow into memory (and does it extremely hamfistedly), and then uses that to prune /etc/passwd in such a way that users that aren't in /etc/shadow don't even show up:
>    if (!generator_state->users || g_hash_table_lookup (generator_state->users, pwent->pw_name))
>        return pwent;

So generator_state-> users has to be non-null, AND it has to have a user by that name in it... but in the first iteration generator_state->users is set to shadow_users (L246), however shadow_users is set L210 (inside the #ifdef block), and populated in that block, what WE get is the initial value (NULL), L199.... Therefore that check NEVER passes, and we never have ANY users.

So I fixed that by removing the if conditional and always returned pwent.

This however did not fix it.  In experimenting I would swap out JUST account-daemon (or whatever it is called), and hit gdm.  THIS worked.... and later I discovered that there is libaccountservice at play here,  I think there is a *second* bug lurking in there.  I did a git diff between the two versions that we upgraded and .. a lot changed.  

I am not done investigating yet, but I figured more eyes will help.  I hope this helps.
Comment 13 Pavel Timofeev 2021-07-14 17:41:49 UTC
Let's rollback it until it's fixed
Comment 14 Mateusz Piotrowski freebsd_committer 2021-08-06 10:08:04 UTC
(In reply to Pavel Timofeev from comment #13)

Rolling back is surely an option but there is an CVE that got fixed in the committed version. If we roll back the update, we need to make sure the vulnerability is still patched.

Unfortunately, I don't have the necessary time to investigate and prepare a suitable patch.
Comment 15 Bleakwind 2021-09-11 18:06:04 UTC
When my computer time out, the screen back to lock screen, and I can't login again, only use alt+Fx reboot, so I must turned off automatic lock screen, it make me crazy.

This bug affects a lot of people, especially like me use FreeBSD for desktops to work.
I don't have the ability to fix it.

Today I just rollback accountsservice-0.6.55 to accountsservice-0.6.43.
Everything works fine.

btw: I use ports-mgmt/portdowngrade to downgrade accountsservice.
Comment 17 Pavel Timofeev 2021-09-14 14:32:07 UTC
(In reply to Robert Nagy from comment #16)
Great! This fixed worked for me!
Comment 18 huanghwh 2021-09-20 03:09:50 UTC
Fixed for me too.