From 6e6e96f628d352b56fd396cffb311f16839f78fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 09:47:51 +0100 Subject: [PATCH 1/8] udev: define a generic helper to print messages about unknown users and groups We cannot just use %m, because strerror returns a confusing error message for ESRCH or ENOEXEC. udev code was doing a good job, but the error handling was very verbose. Let's encapsulate the customized error messages in a helper. No functional change, except that the error messages have a slightly different form now. The old messages were a bit better, but we don't have as much flexibility in the new scheme. "Failed to resolve user 'foo': Unknown user" should be good enough. --- src/basic/user-util.h | 9 +++++++- src/udev/udev-rules.c | 36 ++++++++++++------------------- test/units/TEST-17-UDEV.verify.sh | 16 +++++++------- 3 files changed, 30 insertions(+), 31 deletions(-) diff --git a/src/basic/user-util.h b/src/basic/user-util.h index c4f2aea309..24793530e6 100644 --- a/src/basic/user-util.h +++ b/src/basic/user-util.h @@ -10,7 +10,8 @@ #include "basic-forward.h" -/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */ +/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details + * how this range fits into the rest of the world. */ #define HOME_UID_MIN ((uid_t) 60001) #define HOME_UID_MAX ((uid_t) 60513) @@ -18,6 +19,12 @@ #define MAP_UID_MIN ((uid_t) 60514) #define MAP_UID_MAX ((uid_t) 60577) +/* A helper to print an error message when user or group resolution fails. + * Note that we can't use ({ … }) to define a temporary variable, so errnum is + * evaluated multiple times. */ +#define STRERROR_USER(errnum) ((errnum) == -ESRCH ? "Unknown user" : (errnum) == -ENOEXEC ? "Not a system user" : STRERROR(errnum)) +#define STRERROR_GROUP(errnum) ((errnum) == -ESRCH ? "Unknown group" : (errnum) == -ENOEXEC ? "Not a system group" : STRERROR(errnum)) + bool uid_is_valid(uid_t uid) _const_; static inline bool gid_is_valid(gid_t gid) { diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c index 87c57d7487..543ad9be06 100644 --- a/src/udev/udev-rules.c +++ b/src/udev/udev-rules.c @@ -512,12 +512,10 @@ static int rule_resolve_user(UdevRuleLine *rule_line, const char *name, uid_t *r r = userdb_by_name(name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &ur); - if (r == -ESRCH) - return log_line_error_errno(rule_line, r, "Unknown user '%s', ignoring.", name); - if (r == -ENOEXEC) - return log_line_error_errno(rule_line, r, "User '%s' is not a system user, ignoring.", name); if (r < 0) - return log_line_error_errno(rule_line, r, "Failed to resolve user '%s', ignoring: %m", name); + return log_line_error_errno(rule_line, r, + "Failed to resolve user '%s', ignoring: %s", + name, STRERROR_USER(r)); _cleanup_free_ char *n = strdup(name); if (!n) @@ -549,12 +547,10 @@ static int rule_resolve_group(UdevRuleLine *rule_line, const char *name, gid_t * r = groupdb_by_name(name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &gr); - if (r == -ESRCH) - return log_line_error_errno(rule_line, r, "Unknown group '%s', ignoring.", name); - if (r == -ENOEXEC) - return log_line_error_errno(rule_line, r, "Group '%s' is not a system group, ignoring.", name); if (r < 0) - return log_line_error_errno(rule_line, r, "Failed to resolve group '%s', ignoring: %m", name); + return log_line_error_errno(rule_line, r, + "Failed to resolve group '%s', ignoring: %s", + name, STRERROR_GROUP(r)); _cleanup_free_ char *n = strdup(name); if (!n) @@ -2681,12 +2677,10 @@ static int udev_rule_apply_token_to_event( r = userdb_by_name(owner, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &ur); - if (r == -ESRCH) - log_event_error_errno(event, token, r, "Unknown user \"%s\", ignoring.", owner); - else if (r == -ENOEXEC) - log_event_error(event, token, "User \"%s\" is not a system user, ignoring.", owner); - else if (r < 0) - log_event_error_errno(event, token, r, "Failed to resolve user \"%s\", ignoring: %m", owner); + if (r < 0) + log_event_error_errno(event, token, r, + "Failed to resolve user \"%s\", ignoring: %s", + owner, STRERROR_USER(r)); else { event->uid = ur->uid; log_event_debug(event, token, "Set owner: %s("UID_FMT")", owner, event->uid); @@ -2709,12 +2703,10 @@ static int udev_rule_apply_token_to_event( r = groupdb_by_name(group, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &gr); - if (r == -ESRCH) - log_event_error_errno(event, token, r, "Unknown group \"%s\", ignoring.", group); - else if (r == -ENOEXEC) - log_event_error(event, token, "Group \"%s\" is not a system group, ignoring.", group); - else if (r < 0) - log_event_error_errno(event, token, r, "Failed to resolve group \"%s\", ignoring: %m", group); + if (r < 0) + log_event_error_errno(event, token, r, + "Failed to resolve group \"%s\", ignoring: %s", + group, STRERROR_GROUP(r)); else { event->gid = gr->gid; log_event_debug(event, token, "Set group: %s("GID_FMT")", group, event->gid); diff --git a/test/units/TEST-17-UDEV.verify.sh b/test/units/TEST-17-UDEV.verify.sh index 8252b630d3..5b6baa4280 100755 --- a/test/units/TEST-17-UDEV.verify.sh +++ b/test/units/TEST-17-UDEV.verify.sh @@ -309,15 +309,15 @@ assert_0 "${rules}" test_syntax_error 'OWNER=":nosuchuser:"' "Failed to resolve user ':nosuchuser:', ignoring: Invalid argument" # nonexistent user if ! getent passwd nosuchuser >/dev/null; then - test_syntax_error 'OWNER="nosuchuser"' "Unknown user 'nosuchuser', ignoring." + test_syntax_error 'OWNER="nosuchuser"' "Failed to resolve user 'nosuchuser', ignoring: Unknown user" fi if ! getent passwd 12345 >/dev/null; then - test_syntax_error 'OWNER="12345"' "Unknown user '12345', ignoring." + test_syntax_error 'OWNER="12345"' "Failed to resolve user '12345', ignoring: Unknown user" fi # regular user if getent passwd testuser >/dev/null; then - test_syntax_error 'OWNER="testuser"' "User 'testuser' is not a system user, ignoring." - test_syntax_error "OWNER=\"$(id -u testuser)\"" "User '$(id -u testuser)' is not a system user, ignoring." + test_syntax_error 'OWNER="testuser"' "Failed to resolve user 'testuser', ignoring: Not a system user" + test_syntax_error "OWNER=\"$(id -u testuser)\"" "Failed to resolve user '$(id -u testuser)', ignoring: Not a system user" fi test_syntax_error 'GROUP{a}="b"' 'Invalid attribute for GROUP.' test_syntax_error 'GROUP-="b"' 'Invalid operator for GROUP.' @@ -341,15 +341,15 @@ assert_0 "${rules}" test_syntax_error 'GROUP=":nosuchgroup:"' "Failed to resolve group ':nosuchgroup:', ignoring: Invalid argument" # nonexistent group if ! getent group nosuchgroup >/dev/null; then - test_syntax_error 'GROUP="nosuchgroup"' "Unknown group 'nosuchgroup', ignoring." + test_syntax_error 'GROUP="nosuchgroup"' "Failed to resolve group 'nosuchgroup', ignoring: Unknown group" fi if ! getent group 12345 >/dev/null; then - test_syntax_error 'GROUP="12345"' "Unknown group '12345', ignoring." + test_syntax_error 'GROUP="12345"' "Failed to resolve group '12345', ignoring: Unknown group" fi # regular group if getent group testuser >/dev/null; then - test_syntax_error 'GROUP="testuser"' "Group 'testuser' is not a system group, ignoring." - test_syntax_error "GROUP=\"$(id -g testuser)\"" "Group '$(id -g testuser)' is not a system group, ignoring." + test_syntax_error 'GROUP="testuser"' "Failed to resolve group 'testuser', ignoring: Not a system group" + test_syntax_error "GROUP=\"$(id -g testuser)\"" "Failed to resolve group '$(id -g testuser)', ignoring: Not a system group" fi test_syntax_error 'MODE{a}="b"' 'Invalid attribute for MODE.' test_syntax_error 'MODE-="b"' 'Invalid operator for MODE.' From f436664881831617efac01e7dd58df259c474698 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 09:21:02 +0100 Subject: [PATCH 2/8] tmpfiles: improve error message for missing user/group From a boot with a dracut initrd: systemd-tmpfiles[242]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:2: Failed to resolve user 'tss': No such process systemd-tmpfiles[242]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument systemd-tmpfiles[242]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:4: Failed to resolve user 'tss': No such process systemd-tmpfiles[242]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument systemd-tmpfiles[242]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:6: Failed to resolve group 'tss': No such process systemd-tmpfiles[242]: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:7: Failed to resolve group 'tss': No such process --- src/tmpfiles/tmpfiles.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index 981c6a5198..8def2a16de 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -3992,7 +3992,8 @@ static int parse_line( missing_user_or_group = true; } else if (r < 0) { *invalid_config = true; - return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve user '%s': %m", u); + return log_syntax(NULL, LOG_ERR, fname, line, r, + "Failed to resolve user '%s': %s", u, STRERROR_USER(r)); } else i.uid_set = true; } @@ -4013,7 +4014,8 @@ static int parse_line( missing_user_or_group = true; } else if (r < 0) { *invalid_config = true; - return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve group '%s': %m", g); + return log_syntax(NULL, LOG_ERR, fname, line, r, + "Failed to resolve group '%s': %s", g, STRERROR_GROUP(r)); } else i.gid_set = true; } From d92e47a0936477cb068b5f7cff1104419a9591ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 09:26:49 +0100 Subject: [PATCH 3/8] run: improve log message for unknown user/group Before: $ sudo build/systemd-run --scope --uid=asdf whoami Failed to resolve user asdf: No such process Now: $ sudo build/systemd-run --scope --uid=asdf whoami Failed to resolve user 'asdf': Unknown user --- src/run/run.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/run/run.c b/src/run/run.c index d1202632ac..510d4c51ab 100644 --- a/src/run/run.c +++ b/src/run/run.c @@ -2748,7 +2748,8 @@ static int start_transient_scope(sd_bus *bus) { r = get_group_creds(&arg_exec_group, &gid, 0); if (r < 0) - return log_error_errno(r, "Failed to resolve group %s: %m", arg_exec_group); + return log_error_errno(r, "Failed to resolve group '%s': %s", + arg_exec_group, STRERROR_GROUP(r)); if (setresgid(gid, gid, gid) < 0) return log_error_errno(errno, "Failed to change GID to " GID_FMT ": %m", gid); @@ -2762,7 +2763,8 @@ static int start_transient_scope(sd_bus *bus) { r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS); if (r < 0) - return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user); + return log_error_errno(r, "Failed to resolve user '%s': %s", + arg_exec_user, STRERROR_USER(r)); if (home) { r = strv_extendf(&user_env, "HOME=%s", home); From a50fdf611c83b8143255da45d831eb27bcb67a4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 10:08:41 +0100 Subject: [PATCH 4/8] core: improve messages about unknown users and groups $ sudo build/systemd-run --uid=asdf whoami $ journalctl -e (whoami)[1007784]: run-p1007782-i5200512.service: Failed to determine user credentials: No such process (whoami)[1007784]: run-p1007782-i5200512.service: Failed at step USER spawning /usr/sbin/whoami: No such process systemd[1]: run-p1007782-i5200512.service: Main process exited, code=exited, status=217/USER systemd[1]: run-p1007782-i5200512.service: Failed with result 'exit-code'. Now: (whoami)[1013204]: run-p1013202-i5205932.service: Failed to determine credentials for user 'asdf': Unknown user (whoami)[1013204]: run-p1013202-i5205932.service: Failed at step USER spawning /usr/sbin/whoami: Invalid argument systemd[1]: run-p1013202-i5205932.service: Main process exited, code=exited, status=217/USER systemd[1]: run-p1013202-i5205932.service: Failed with result 'exit-code'. --- src/basic/user-util.h | 8 ++++++++ src/core/exec-invoke.c | 15 +++++++++++---- src/core/scope.c | 8 ++++++-- src/core/socket.c | 8 ++++++-- 4 files changed, 31 insertions(+), 8 deletions(-) diff --git a/src/basic/user-util.h b/src/basic/user-util.h index 24793530e6..b7e71720a5 100644 --- a/src/basic/user-util.h +++ b/src/basic/user-util.h @@ -9,6 +9,7 @@ #include #include "basic-forward.h" +#include "errno-util.h" /* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details * how this range fits into the rest of the world. */ @@ -25,6 +26,13 @@ #define STRERROR_USER(errnum) ((errnum) == -ESRCH ? "Unknown user" : (errnum) == -ENOEXEC ? "Not a system user" : STRERROR(errnum)) #define STRERROR_GROUP(errnum) ((errnum) == -ESRCH ? "Unknown group" : (errnum) == -ENOEXEC ? "Not a system group" : STRERROR(errnum)) +static inline bool ERRNO_IS_NEG_BAD_ACCOUNT(intmax_t r) { + return IN_SET(r, + -ESRCH, + -ENOEXEC); +} +_DEFINE_ABS_WRAPPER(BAD_ACCOUNT); + bool uid_is_valid(uid_t uid) _const_; static inline bool gid_is_valid(gid_t gid) { diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 97a7107384..e9c4e3f624 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -2087,8 +2087,11 @@ static int build_environment( assert(!c->user); r = get_fixed_user("root", /* prefer_nss = */ false, &username, NULL, NULL, &home, &shell); - if (r < 0) - return log_debug_errno(r, "Failed to determine user credentials for root: %m"); + if (r < 0) { + log_debug_errno(r, "Failed to determine credentials for user root: %s", + STRERROR_USER(r)); + return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */ + } } bool set_user_login_env = exec_context_get_set_login_environment(c); @@ -5265,7 +5268,9 @@ int exec_invoke( &username, &uid, &gid, &pwent_home, &shell); if (r < 0) { *exit_status = EXIT_USER; - return log_error_errno(r, "Failed to determine user credentials: %m"); + log_error_errno(r, "Failed to determine credentials for user '%s': %s", + u, STRERROR_USER(r)); + return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */ } } @@ -5273,7 +5278,9 @@ int exec_invoke( r = get_fixed_group(context->group, &groupname, &gid); if (r < 0) { *exit_status = EXIT_GROUP; - return log_error_errno(r, "Failed to determine group credentials: %m"); + log_error_errno(r, "Failed to determine credentials for group '%s': %s", + u, STRERROR_GROUP(r)); + return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */ } } } diff --git a/src/core/scope.c b/src/core/scope.c index 50dafacb42..a6b4cebca5 100644 --- a/src/core/scope.c +++ b/src/core/scope.c @@ -348,7 +348,9 @@ static int scope_enter_start_chown(Scope *s) { r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve user \"%s\": %m", user); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve user '%s': %s", + user, STRERROR_USER(r)); _exit(EXIT_USER); } } @@ -358,7 +360,9 @@ static int scope_enter_start_chown(Scope *s) { r = get_group_creds(&group, &gid, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve group \"%s\": %m", group); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve group '%s': %s", + group, STRERROR_GROUP(r)); _exit(EXIT_GROUP); } } diff --git a/src/core/socket.c b/src/core/socket.c index c53f84906f..dd4b96c213 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -2056,7 +2056,9 @@ static int socket_chown(Socket *s, PidRef *ret_pid) { r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve user '%s': %s", + user, STRERROR_USER(r)); _exit(EXIT_USER); } } @@ -2066,7 +2068,9 @@ static int socket_chown(Socket *s, PidRef *ret_pid) { r = get_group_creds(&group, &gid, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve group '%s': %s", + group, STRERROR_GROUP(r)); _exit(EXIT_GROUP); } } From 718578b96d8bc92e084dc12d3531b7c633f9f75a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 10:18:25 +0100 Subject: [PATCH 5/8] creds: improve message about unknown user Before: $ build/systemd-creds --uid=asdf Failed to resolve user 'asdf': No such process Now: $ build/systemd-creds --uid=asdf Failed to resolve user 'asdf': Unknown user --- src/creds/creds.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/creds/creds.c b/src/creds/creds.c index 383ef268b8..bcdf3d3038 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -1062,7 +1062,8 @@ static int parse_argv(int argc, char *argv[]) { /* ret_shell= */ NULL, /* flags= */ 0); if (r < 0) - return log_error_errno(r, "Failed to resolve user '%s': %m", optarg); + return log_error_errno(r, "Failed to resolve user '%s': %s", + optarg, STRERROR_USER(r)); } break; From f3f933ee921614602c5d5b430e606c6fc696f1f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 10:28:53 +0100 Subject: [PATCH 6/8] login: use STREROR_USER helper --- src/login/user-runtime-dir.c | 4 +--- src/shared/userdb.c | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/src/login/user-runtime-dir.c b/src/login/user-runtime-dir.c index b80723b97e..6cf157ffad 100644 --- a/src/login/user-runtime-dir.c +++ b/src/login/user-runtime-dir.c @@ -348,10 +348,8 @@ static int run(int argc, char *argv[]) { if (streq(verb, "start")) { _cleanup_(user_record_unrefp) UserRecord *ur = NULL; r = userdb_by_name(user, /* match= */ NULL, USERDB_PARSE_NUMERIC|USERDB_SUPPRESS_SHADOW, &ur); - if (r == -ESRCH) - return log_error_errno(r, "User '%s' does not exist: %m", user); if (r < 0) - return log_error_errno(r, "Failed to resolve user '%s': %m", user); + return log_error_errno(r, "Failed to resolve user '%s': %s", user, STRERROR_USER(r)); /* We do two things here: mount the per-user XDG_RUNTIME_DIR, and set up tmpfs quota on /tmp/ * and /dev/shm/. */ diff --git a/src/shared/userdb.c b/src/shared/userdb.c index c7a1595211..99cceb25a4 100644 --- a/src/shared/userdb.c +++ b/src/shared/userdb.c @@ -932,7 +932,7 @@ int userdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flags r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetUserRecord", /* more= */ false, query, flags); if (r >= 0) { r = userdb_process(iterator, &ur, /* ret_group_record= */ NULL, /* ret_user_name= */ NULL, /* ret_group_name= */ NULL); - if (r == -ENOEXEC) /* found a user matching UID or name, but not filter. In this case the + if (r == -ENOEXEC) /* Found a user matching UID or name, but not filter. In this case the * fallback paths below are pointless */ return r; } From 29d26ebe9a36f2ce17c7c9cb234b0bfbcf2d7e7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 10:29:40 +0100 Subject: [PATCH 7/8] nspawn,vmspawn: improve errors for unknown users and groups --- src/shared/machine-bind-user.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/shared/machine-bind-user.c b/src/shared/machine-bind-user.c index c0fd1a96d0..e0f6ef6650 100644 --- a/src/shared/machine-bind-user.c +++ b/src/shared/machine-bind-user.c @@ -244,8 +244,10 @@ int machine_bind_user_prepare( _cleanup_(group_record_unrefp) GroupRecord *g = NULL, *cg = NULL; r = userdb_by_name(*n, /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &u); + if (r == -ENOEXEC) + return log_error_errno(r, "User '%s' did not pass filter.", *n); if (r < 0) - return log_error_errno(r, "Failed to resolve user '%s': %m", *n); + return log_error_errno(r, "Failed to resolve user '%s': %s", *n, STRERROR_USER(r)); /* For now, let's refuse mapping the root/nobody users explicitly. The records we generate * are strictly additive, nss-systemd is typically placed last in /etc/nsswitch.conf. Thus @@ -266,8 +268,11 @@ int machine_bind_user_prepare( return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user with no UID, refusing."); r = groupdb_by_gid(user_record_gid(u), /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &g); + if (r == -ENOEXEC) + return log_error_errno(r, "Group of user '%s' did not pass filter.", u->user_name); if (r < 0) - return log_error_errno(r, "Failed to resolve group of user '%s': %m", u->user_name); + return log_error_errno(r, "Failed to resolve group of user '%s': %s", + u->user_name, STRERROR_GROUP(r)); /* We want to synthesize exactly one user + group from the host into the machine. This only * makes sense if the user on the host has its own private group. We can't reasonably check From 970c29b6b6ff88a3cdcf7429589d54545be67ba5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Nov 2025 12:41:45 +0100 Subject: [PATCH 8/8] networkd: use STRERROR_{USER,GROUP} --- src/network/netdev/tuntap.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/network/netdev/tuntap.c b/src/network/netdev/tuntap.c index 3c573335c0..1288458819 100644 --- a/src/network/netdev/tuntap.c +++ b/src/network/netdev/tuntap.c @@ -239,10 +239,9 @@ static int tuntap_verify(NetDev *netdev, const char *filename) { r = userdb_by_name(t->user_name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC, &ur); - if (r == -ENOEXEC) - log_netdev_warning_errno(netdev, r, "User %s is not a system user, ignoring.", t->user_name); - else if (r < 0) - log_netdev_warning_errno(netdev, r, "Cannot resolve user name %s, ignoring: %m", t->user_name); + if (r < 0) + log_netdev_warning_errno(netdev, r, "Cannot resolve user name '%s', ignoring: %s", + t->user_name, STRERROR_USER(r)); else t->uid = ur->uid; } @@ -253,10 +252,9 @@ static int tuntap_verify(NetDev *netdev, const char *filename) { r = groupdb_by_name(t->group_name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC, &gr); - if (r == -ENOEXEC) - log_netdev_warning_errno(netdev, r, "Group %s is not a system group, ignoring.", t->group_name); - else if (r < 0) - log_netdev_warning_errno(netdev, r, "Cannot resolve group name %s, ignoring: %m", t->group_name); + if (r < 0) + log_netdev_warning_errno(netdev, r, "Cannot resolve group name '%s', ignoring: %s", + t->group_name, STRERROR_GROUP(r)); else t->gid = gr->gid; }