errno is already set to EPERM when _nss_systemd_getpwent_r is entered:

Breakpoint 1, _nss_systemd_getpwent_r (result=0x7ffff7dcc460 <resbuf>, buffer=0x602bf0 "rngd", 
    buflen=1024, errnop=0x7ffff7ff1480) at ../src/nss-systemd/nss-systemd.c:734
734	enum nss_status _nss_systemd_getpwent_r(struct passwd *result, char *buffer, size_t buflen, int *errnop) {
Missing separate debuginfos, use: yum debuginfo-install libblkid-2.32.1-35.el8.x86_64 libcap-2.48-2.el8.x86_64 libgcc-8.5.0-10.el8.x86_64 libmount-2.32.1-35.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-35.el8.x86_64 pcre2-10.32-2.el8.x86_64 sssd-client-2.6.2-3.el8.x86_64
(gdb) p errno
$1 = 1

The reproducer from the private description:

#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <stdio.h>

int main(void)
{
    struct passwd *pw;
    errno = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        errno = 0;
        printf("%d: %s\n", pw->pw_uid, pw->pw_name);
    }
    printf("getpwent errno = %d (%m)\n", errno);
    endpwent();
    return 0;
}

It's a bit iffy because it does not set errno right before the getpwent call, but that is not what is causing this. EPERM is not visible in strace because of bug 2062648, the actual error is EINVAL from prctl (as seen on :

prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)

The libcap ELF constructor also clobbers errno. This is perhaps not a great thing to do, but a successful call to (internal) dlopen can clobber errno for other reasons as well, and the glibc NSS framework is not prepared to deal with that. So we have to fix this in glibc anyway.

This glibc bug is present in the rewritten upstream code, and earlier versions of Red Hat Enterprise Linux 8. It's not a new problem as far as glibc is concerned. How important is it that we fixed this in the upcoming 8.6.0 release?

(In reply to Florian Weimer from comment #3)
> ... How important is it that we fixed this in the upcoming
> 8.6.0 release?

It causes problem for dovecot (recreates bug #1630410) when it tries to iterate over user list for mail administration (doveadm command) that handles mail backup,replication,acl,quota,...

(In reply to Michal Hlavinka from comment #4)
> (In reply to Florian Weimer from comment #3)
> > ... How important is it that we fixed this in the upcoming
> > 8.6.0 release?
> 
> It causes problem for dovecot (recreates bug #1630410) when it tries to
> iterate over user list for mail administration (doveadm command) that
> handles mail backup,replication,acl,quota,...

I'm reading this as, “we really should fix this in the exception phase”.

Carlos, what do you think?

Meanwhile I've posted an upstream patch:

[PATCH 2/2] nss: Protect against errno changes in function lookup (bug 28953)
https://sourceware.org/pipermail/libc-alpha/2022-March/137009.html

This won't apply downstream as-is because of the NSS refactoring that happened upstream. But I expect a similar approach can be used downstream.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (glibc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2005