dlt-daemon.service uses user "nobody"
Affected images versions
- see the table below (list the architecture and build id of the tested images in the appropriate cells)
Deployment | Type | v2023 | v2024pre | v2025dev1 |
---|---|---|---|---|
apt | dlt-daemon | x | x |
Unaffected images versions
- seems that all versions are affected
Testcase
Steps to reproduce
- Install dlt-daemon into the image
- Boot up the target
Expected result
dlt-daemon uses a dedicated user and not user nobody
Actual result
During boot, a warning is printed: systemd[1]: /lib/systemd/system/dlt-daemon.service:24: Special user nobody configured, this is not safe!
Reproducibility
How often the issue is hit when repeating the test and changing nothing (same device, same image, etc.)?
Put the
- ✅ always
- often, but not always
- rarely
Impact of bug
The image is still bootable and functionally correct but it might be a security issue.
Root cause
The dlt-daemon.service unit file of the dlt-daemon package sets User=nobody. According to Sjoerd, there is already a fix in the Debian packaging: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055580
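
To check an image for other units with the same root cause, the following added example (not part of the dlt-daemon packaging or of this report) reports services whose effective `User=` in `[Service]` is `nobody`, letting later assignments and drop-ins override earlier ones. The sample unit contents and the `example-svc` account are constructed, and it assumes drop-ins live in `<unit>.d/` next to the unit.

```python
from pathlib import Path
import tempfile

UNSAFE_USERS = {"nobody"}  # the account systemd warns about in this report

def effective_user(unit_text):
    """Return (value, line_no) of the last User= in [Service], else (None, None)."""
    section, user, where = None, None, None
    for no, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section == "Service" and key.strip() == "User":
            user, where = value.strip(), no   # a later assignment overrides
    return user, where

def audit(unit_dir):
    """List (unit, user, source) for services whose effective User= is unsafe.
    Simplification: only drop-ins in <unit>.d/ next to the unit are read."""
    findings = []
    for unit in sorted(Path(unit_dir).glob("*.service")):
        dropin_dir = Path(f"{unit}.d")
        dropins = sorted(dropin_dir.glob("*.conf")) if dropin_dir.is_dir() else []
        user, src = None, None
        for path in [unit, *dropins]:
            value, no = effective_user(path.read_text())
            if value is not None:
                user, src = value, f"{path.name}:{no}"
        if user in UNSAFE_USERS:
            findings.append((unit.name, user, src))
    return findings

def demo():
    """Constructed sample tree, not the packaged unit files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dlt-daemon.service").write_text(
            "[Unit]\nDescription=constructed sample\n\n[Service]\nUser=nobody\nExecStart=/bin/true\n")
        (root / "fixed.service").write_text("[Service]\nUser=nobody\nExecStart=/bin/true\n")
        (root / "fixed.service.d").mkdir()
        (root / "fixed.service.d" / "10-user.conf").write_text("[Service]\nUser=example-svc\n")
        return audit(root)

if __name__ == "__main__":
    for unit, user, src in demo():
        print(f"{unit}: User={user} ({src})")
```

On a target, `audit("/lib/systemd/system")` covers the directory named in the warning.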
Outcomes
- pkg/dlt-daemon!26 (merged) Fix for v2025dev1
- pkg/dlt-daemon!27 (merged) Fix for v2024
- pkg/dlt-daemon!28 (merged) Fix for v2023
Management data
This section is for management only, it should be the last one in the description.
/cc @andrunko @em @Balasubramanian @sudarshan @wlozano
Phabricator link: https://phabricator.apertis.org/T10265