root coredumps warn "Cannot resolve systemd-coredump user"

[pennae]

Describe the bug
when a root-owned process dumps core (eg recent sshd, due to a known bug) and coredumps are enabled, systemd-coredump warns Cannot resolve systemd-coredump user. Proceeding to dump core as root: No such process (but proceeds successfully).

To Reproduce
Steps to reproduce the behavior:

1. have systemd coredumps enabled
2. send a SIGABRT to any root-owned process (eg by running timeout -s ABRT 1s cat)

Expected behavior
coredumps succeeds with proper privsep

Screenshots

Additional context

Notify maintainers
@andir @edolstra @flokli @kloenk

Metadata

• system: "x86_64-linux"
• host os: Linux 5.10.29, NixOS, 21.05pre282878.652749c4ca7 (Okapi)
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.3.10
• channels(root): "nixos-21.05pre282878.652749c4ca7"
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:

[flokli]

Can you reproduce this with a simple c binary you interactively run as root user?

[pennae]

yes, timeout -s ABRT 1s cat as root does it. amended the original post

addendum: if you want a minimal C example that causes it:

#include <signal.h>
#include <unistd.h>

int main() {
	kill(getpid(), SIGABRT);
}

[pennae]

still happening regularly due to a bug in openssh (race conditions in process shutdown can cause seccomp filters to trigger)

[solson]

I am also observing this problem, both sshd dumping core and the systemd-coredump error when it happens. I can also reproduce it with timeout -s ABRT 1s cat as root.

[flokli]

I can confirm I see the log messages:

Jul 29 14:49:38 tp sudo[695842]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jul 29 14:49:38 tp systemd[1]: Started Process Core Dump (PID 695844/UID 0).
Jul 29 14:49:38 tp systemd-coredump[695845]: Cannot resolve systemd-coredump user. Proceeding to dump core as root: No such process
Jul 29 14:49:38 tp systemd-coredump[695845]: [🡕] Process 695843 (foo) of user 0 dumped core.
Jul 29 14:49:38 tp sudo[695842]: pam_unix(sudo:session): session closed for user root

I looked at src/coredump/coredump.c. It seems systemd-coredump wants to drop privileges to a systemd-coredump user (but falls back to root if it can't find it).

sysusers.d/systemd.conf.in suggests we should create it (like we create one for systemd-networkd).

I opened #131948, which does that.