Errors regarding user/group tss after upgrade

Hi.

After upgrade to f44 I get the following errors.

Mär 22 21:13:02 terence systemd-tmpfiles[405]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:4: Failed to resolve user ‘tss’: Unknown user
Mär 22 21:13:02 terence systemd-tmpfiles[405]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:6: Failed to resolve group ‘tss’: Unknown group
Mär 22 21:13:02 terence systemd-tmpfiles[405]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:7: Failed to resolve group ‘tss’: Unknown group
Mär 22 21:13:02 terence systemd-udevd[484]: /usr/lib/udev/rules.d/60-tpm-udev.rules:3 Failed to resolve user ‘tss’, ignoring: Unknown user
Mär 22 21:13:02 terence systemd-udevd[484]: /usr/lib/udev/rules.d/60-tpm-udev.rules:4 Failed to resolve group ‘tss’, ignoring: Unknown group

However, tss is present in /etc/passwd and group. I’m also able to sudo to user tss.

My device has the same problem. Besides, have you noticed that the logout button is missing from the quick menu?

I don’t have that issue. I’m using GNOME.

I’ve checked the status of systemd-tmpfiles and systemd-udev after boot. systemctl shows no errors, everything started successfully. Could it be that tss is not available early on startup?

There are several systemd-tmpfiles*.service and systemd-udev*.service, and some of
them are started before Switching root.

It would be nice to narrow down which of them are issuing those errors.

Also, what is your authselect setup?
See:
authselect current
authselect check

PS: Please, use the </> button when you paste text here.

There are several systemd-tmpfiles*.service and systemd-udev*.service, and some of
them are started before Switching root.

Actually I checked all of them with systemctl status. The wildcards were removed in my last post. According to systemd all are fine.

Now when I look at journal it looks like

  • systemd-tmpfiles-setup-dev.service
  • systemd-tmpfiles-setup.service
  • systemd-udevd.service

produce the errors.

Full log before/after the errors.

Mär 23 11:35:22 terence kernel: fuse: init (API version 7.45)
Mär 23 11:35:22 terence systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.
Mär 23 11:35:22 terence systemd[1]: Starting systemd-sysctl.service - Apply Kernel Variables...
Mär 23 11:35:22 terence systemd[1]: Finished systemd-tmpfiles-setup-dev-early.service - Create Static Device Nodes in /dev gracefully.
Mär 23 11:35:22 terence systemd[1]: Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
Mär 23 11:35:22 terence systemd[1]: Finished systemd-sysctl.service - Apply Kernel Variables.
Mär 23 11:35:22 terence systemd[1]: Finished systemd-vconsole-setup.service - Virtual Console Setup.
Mär 23 11:35:22 terence systemd[1]: Starting dracut-cmdline-ask.service - dracut ask for additional cmdline parameters...
Mär 23 11:35:22 terence systemd[1]: Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
Mär 23 11:35:22 terence systemd[1]: Finished dracut-cmdline-ask.service - dracut ask for additional cmdline parameters.
Mär 23 11:35:22 terence systemd[1]: Reached target local-fs-pre.target - Preparation for Local File Systems.
Mär 23 11:35:22 terence systemd[1]: Reached target local-fs.target - Local File Systems.
Mär 23 11:35:22 terence systemd[1]: Starting dracut-cmdline.service - dracut cmdline hook...
Mär 23 11:35:22 terence systemd-journald[355]: Journal started
Mär 23 11:35:22 terence systemd-journald[355]: Runtime Journal (/run/log/journal/d83382cdb12d401bb0cbbf2645b74dcb) is 8M, max 1.2G, 1.2G free.
Mär 23 11:35:22 terence systemd-modules-load[358]: Using 3 probe threads
Mär 23 11:35:22 terence systemd-modules-load[358]: Module 'msr' is built in
Mär 23 11:35:22 terence systemd-modules-load[358]: Inserted module 'i2c_dev'
Mär 23 11:35:22 terence systemd-vconsole-setup[360]: /usr/bin/setfont failed with a "system error" (EX_OSERR), ignoring.
Mär 23 11:35:22 terence systemd[1]: Started systemd-journald.service - Journal Service.
Mär 23 11:35:22 terence systemd-modules-load[358]: Inserted module 'fuse'
Mär 23 11:35:22 terence systemd-vconsole-setup[368]: setfont: ERROR kdfontop.c:212 put_font_kdfontop: Unable to load such font with such kernel version
Mär 23 11:35:22 terence systemd-vconsole-setup[360]: Configuration of first virtual console failed, ignoring remaining ones.
Mär 23 11:35:22 terence systemd-tmpfiles[382]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
Mär 23 11:35:22 terence systemd-tmpfiles[382]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
Mär 23 11:35:22 terence systemd[1]: Starting systemd-tmpfiles-setup.service - Create System Files and Directories...
Mär 23 11:35:22 terence dracut-cmdline[400]: dracut-108-6.fc44
Mär 23 11:35:22 terence dracut-cmdline[400]: Using kernel command line parameters:  rd.driver.pre=btrfs   BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.19.9-300.fc44.x86_64 root=UUID=cb7ca12b-fc29-4c08-8fa5-66055049beb3 ro rootflags=subvol=root rhgb quiet vt.default_red=30,243,166,249,137,245,148,186,88,243,166,249,137,245,148,166 vt.default_grn=30,139,227,226,180,194,226,194,91,139,227,226,180,194,226,173 vt.default_blu=46,168,161,175,250,231,213,222,112,168,161,175,250,231,213,200
Mär 23 11:35:23 terence systemd-tmpfiles[409]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:2: Failed to resolve user 'tss': Unknown user
Mär 23 11:35:23 terence systemd-tmpfiles[409]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
Mär 23 11:35:23 terence systemd-tmpfiles[409]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:4: Failed to resolve user 'tss': Unknown user
Mär 23 11:35:23 terence systemd-tmpfiles[409]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
Mär 23 11:35:23 terence systemd-tmpfiles[409]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:6: Failed to resolve group 'tss': Unknown group
Mär 23 11:35:23 terence systemd-tmpfiles[409]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:7: Failed to resolve group 'tss': Unknown group
Mär 23 11:35:23 terence systemd-tmpfiles[409]: /usr/lib/tmpfiles.d/var.conf:14: Duplicate line for path "/var/log", ignoring.
Mär 23 11:35:23 terence systemd[1]: Finished systemd-tmpfiles-setup.service - Create System Files and Directories.
Mär 23 11:35:23 terence systemd[1]: Finished dracut-cmdline.service - dracut cmdline hook.
Mär 23 11:35:23 terence systemd[1]: Starting dracut-pre-udev.service - dracut pre-udev hook...
Mär 23 11:35:23 terence systemd[1]: Finished dracut-pre-udev.service - dracut pre-udev hook.
Mär 23 11:35:23 terence systemd[1]: Starting systemd-udevd.service - Rule-based Manager for Device Events and Files...
Mär 23 11:35:23 terence systemd-udevd[485]: Using default interface naming scheme 'v259'.
Mär 23 11:35:23 terence systemd-udevd[485]: /usr/lib/udev/rules.d/60-tpm-udev.rules:3 Failed to resolve user 'tss', ignoring: Unknown user
Mär 23 11:35:23 terence systemd-udevd[485]: /usr/lib/udev/rules.d/60-tpm-udev.rules:4 Failed to resolve group 'tss', ignoring: Unknown group
Mär 23 11:35:23 terence systemd[1]: Started systemd-udevd.service - Rule-based Manager for Device Events and Files.
Mär 23 11:35:23 terence systemd[1]: dracut-pre-trigger.service - dracut pre-trigger hook skipped, no trigger condition checks were met.
Mär 23 11:35:23 terence systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...
Mär 23 11:35:23 terence kernel: usb 1-5: New USB device found, idVendor=13d3, idProduct=3568, bcdDevice= 1.00
Mär 23 11:35:23 terence kernel: usb 1-5: New USB device strings: Mfr=5, Product=6, SerialNumber=7
Mär 23 11:35:23 terence kernel: usb 1-5: Product: Wireless_Device
Mär 23 11:35:23 terence kernel: usb 1-5: Manufacturer: MediaTek Inc.
Mär 23 11:35:23 terence kernel: usb 1-5: SerialNumber: 000000000
Mär 23 11:35:23 terence systemd[1]: Finished systemd-udev-trigger.service - Coldplug All udev Devices. 

And here are results of authcheck

>authselect current
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-fingerprint
- with-mdns4

>authselect check
Current configuration is valid.

Those errors occur before switch-root. Extracted the initramfs:

# grep tss  etc/passwd  etc/group  usr/lib/sysusers.d/tpm2-tss.conf  usr/lib/tmpfiles.d/tpm2-tss-fapi.conf 
usr/lib/sysusers.d/tpm2-tss.conf:u     tss  59  "Account used for TPM access" -              -
usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:d       /var/lib/tpm2-tss/system/keystore   2775 tss  tss   -           -
usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:a+      /var/lib/tpm2-tss/system/keystore   -    -    -     -           default:group:tss:rwx
usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:d       /run/tpm2-tss/eventlog                2775 tss  tss   -           -
usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:a+      /run/tpm2-tss/eventlog                -    -    -     -           default:group:tss:rwx
usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:z-	/sys/kernel/security/tpm[0-9]/binary_bios_measurements	0440  root tss	-	    -
usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:z-	/sys/kernel/security/ima/binary_runtime_measurements	0440  root tss	-	    -

Should systemd create the tss user and group on-the-fly with the info provided in
usr/lib/sysusers.d/tpm2-tss.conf?
This can be reproduced in a VM after f43->f44 sys-upgrade.

I think so. This is the case in F43; I see that on my machine:

  systemd[1]: Starting systemd-sysusers.service - Create System Users.

  systemd-sysusers[328]: Creating group 'tss' with GID 59.
  systemd-sysusers[328]: Creating user 'tss' (Account used for TPM access) with UID 59 and GID 59.

  systemd[1]: Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.

  systemd[1]: Starting systemd-tmpfiles-setup.service - Create System Files and Directories...

and etc/passwd in the initrd only defines 4 users:

  • adm systemd-network root nobody

systemd-tmpfiles-setup.service has an After: systemd-sysusers.service

One should check thus if systemd-sysusers.service is in the initrd
on F44, and if yes if it fails, if no check the dracut configs
(if still using dracut).
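
Added example, not part of any post in this thread: a shell function that scans an extracted initramfs tree for the mismatch found above, that is, tmpfiles.d entries and udev rules naming a user or group that the tree's own etc/passwd and etc/group do not define. The name `missing_ids`, the four directories scanned and the matching of `OWNER=`/`GROUP=` assignments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): report user/group names that tmpfiles.d
# and udev rules inside an extracted initramfs tree reference but that the
# tree's own etc/passwd and etc/group do not define.
missing_ids() {   # usage: missing_ids EXTRACTED_ROOT  (hypothetical helper name)
    root=${1%/}
    set --
    for f in "$root"/usr/lib/tmpfiles.d/*.conf "$root"/etc/tmpfiles.d/*.conf \
             "$root"/usr/lib/udev/rules.d/*.rules "$root"/etc/udev/rules.d/*.rules; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 0
    awk -v root="$root" '
    function load(file, kind,   line, f) {
        while ((getline line < file) > 0) { split(line, f, ":"); known[kind, f[1]] = 1 }
        close(file)
    }
    function check(kind, name) {
        sub(/^:/, "", name)                     # ":name" = apply on creation only
        if (name == "" || name == "-" || name ~ /^[0-9]+$/ || name ~ /[$%]/) return
        if (!((kind, name) in known)) print kind, name, loc
    }
    BEGIN { load(root "/etc/passwd", "user"); load(root "/etc/group", "group") }
    { loc = substr(FILENAME, length(root) + 2) ":" FNR }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    FILENAME ~ /\.conf$/ {                      # tmpfiles.d: type path mode user group age arg
        check("user", $4); check("group", $5)
        if ($1 ~ /^[aA]/) {                     # ACL argument, e.g. default:group:tss:rwx
            n = split($7, acl, ",")
            for (i = 1; i <= n; i++) {
                m = split(acl[i], p, ":")
                if (m >= 3 && p[m-2] ~ /^u(ser)?$/)  check("user", p[m-1])
                if (m >= 3 && p[m-2] ~ /^g(roup)?$/) check("group", p[m-1])
            }
        }
    }
    FILENAME ~ /\.rules$/ {                     # udev: OWNER="..." / GROUP="..." assignments
        s = $0
        while (match(s, /(OWNER|GROUP):?="[^"]*"/)) {
            tok = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
            kind = (tok ~ /^OWNER/) ? "user" : "group"
            gsub(/^[^"]*"|"$/, "", tok)
            check(kind, tok)
        }
    }' "$@"
}
if [ $# -gt 0 ]; then missing_ids "$1"; fi
```

Run it with the directory the initramfs was unpacked into as the only argument; each output line is `kind name file:line`, and no output means every referenced name resolves inside the image.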

Based on "systemd-sysusers broken in initramfs · Issue #21665 · systemd/systemd · GitHub", it does not look like sysusers should be working like this, and the user should be added using something like "fix(tpm2-tss): add tss user/group in addition to sysusers config by bdrung · Pull Request #2139 · dracut-ng/dracut-ng · GitHub".

There’s a bug: 2448131 – systemd-tmpfiles fails to resolve 'tss' user at boot; systemd-sysusers.service skipped (Fedora 44)

edit: looks like this is fixed in dracut 110


Also see Bug 2442617 - tss user is missing before initrd-switch-root.target [NEEDINFO].
