| 1 |
Hi all, |
| 2 |
|
| 3 |
Already two years.... |
| 4 |
Yes, two years ago I've posted here to notify you about the creattion of users and groups when using "ROOT=". |
| 5 |
As a reminder, if you currently emerge a package to a specific rootfs folder, some packages will actually not create the user and groups correctly inside this rootfs. |
| 6 |
It will also not check for the existance of the user/group inside of the rootfs. |
| 7 |
Everytime, it will check "/". |
| 8 |
|
| 9 |
This very old gentoo issue (I have to find again the GLEP talking about this issue). |
| 10 |
|
| 11 |
The solution is not possible without changing the behaviour of the tools used by portage. For example, portage is using shadow in most systems (and shadow is using the glibc). |
| 12 |
|
| 13 |
I've submited a patch first to shadow upstream team to avec this feature, using a new argument (--prefix) to tools like usemod,useradd etc |
| 14 |
You can create users in any rootfs you want, no need to be root (except if you local pam configuration requires it) |
| 15 |
|
| 16 |
This is unfortunately not enough for gentoo: some packages are relying on chaonw directly. So I've added some wrappers (same as the current enewuser etc functions) |
| 17 |
This enable people to build embedded systems rootfs from scratch, using a complete gentoo. |
| 18 |
Some packages must be updated in order to behave properly in that case (replace chown with echown for example) |
| 19 |
As a failsafe, I'm only triggering the new behavior in case ROOT env var is not "/" (and I think (I have to check) that if the command fails, it will fallback to the old behavior in case the --prefix argument is not implemented (incorrect shadow version for example) |
| 20 |
|
| 21 |
This requires in that case a new EAPI I think. Just tell me what to do, where, and I will submit the proposal |
| 22 |
|
| 23 |
I'm using the modifications for 2 years now. |
| 24 |
|
| 25 |
|
| 26 |
Limitations: |
| 27 |
- selinux is not supported (ie: you will still use the system's selinux.). |
| 28 |
- Also, this only works with gentoo systems using the shadow package (the exact version will depend on when the new release will be done). |
| 29 |
- Last one: I only tested on a linux configuration |
| 30 |
|
| 31 |
|
| 32 |
Cheers |
| 33 |
|
| 34 |
|
| 35 |
-------------------------------------------- |
| 36 |
En date de : Mar 24.5.16, Farid BENAMROUCHE <fariouche@×××××.fr> a écrit : |
| 37 |
|
| 38 |
Objet: Modification proposal for user/group creation when ROOT!="/" |
| 39 |
À: gentoo-dev@l.g.o |
| 40 |
Date: Mardi 24 mai 2016, 21h00 |
| 41 |
|
| 42 |
Hi all, |
| 43 |
|
| 44 |
Currently there is an old known |
| 45 |
limitation when using ROOT= option to install a package in a |
| 46 |
folder: user/groups are created in the host filesystem, not |
| 47 |
the target root filesystem. |
| 48 |
|
| 49 |
So I've pushed some modifications to |
| 50 |
the upstream shadow repo. |
| 51 |
Basically, I've added a --prefix option |
| 52 |
to user{add,mod,del} and group{add,mod,del} |
| 53 |
This option does the same as --root |
| 54 |
option, but whithout a chroot (so compatible when cross |
| 55 |
compiling) |
| 56 |
You can see more details (and the |
| 57 |
limitation of my implementation) in the shadow github repo: |
| 58 |
https://github.com/shadow-maint/shadow/issues/18 |
| 59 |
|
| 60 |
|
| 61 |
Now, for the gentoo part, I do have a |
| 62 |
working solution that I've pushed in the following |
| 63 |
bugzilla: |
| 64 |
https://bugs.gentoo.org/show_bug.cgi?id=541406 |
| 65 |
|
| 66 |
A new user.eclass file with modified |
| 67 |
enewuser,enewgroup and egetent that all supports ${ROOT} |
| 68 |
option via --prefix in shadow utilities. |
| 69 |
For now I've only added this option for |
| 70 |
linux. |
| 71 |
|
| 72 |
However, I've encountered some |
| 73 |
unexpected issues: some ebuilds are using direct calls to |
| 74 |
chown and fowners. Both are not compatible with ${ROOT}... |
| 75 |
|
| 76 |
To solve this, I've created 2 new calls |
| 77 |
in user.eclass: echown and efowners. |
| 78 |
The only thing the new functions are |
| 79 |
doing is to get the uid/gid from the correct passwd/group |
| 80 |
files from ${ROOT} using the modified egetent function and |
| 81 |
pass that to the native chown/fowners... |
| 82 |
|
| 83 |
For example, in sys-power/nut we can |
| 84 |
find: |
| 85 |
chown nut:nut ${ROOT}/var/lib/nut |
| 86 |
|
| 87 |
This should be changed to |
| 88 |
echown nut:nut ${ROOT}/var/lib/nut |
| 89 |
|
| 90 |
Same to fowners. |
| 91 |
If the modification is not done, either |
| 92 |
the ebuild will fail because the nut user does not exists in |
| 93 |
the host, or the incorrect uid will be user in ${ROOT} |
| 94 |
|
| 95 |
The solution is not perfect, but at |
| 96 |
least better than what we have today, and totally usable I |
| 97 |
believe. |
| 98 |
|
| 99 |
I've uploaded the patches for lighttpd |
| 100 |
and nut, plus my patch for user.eclass for review in this |
| 101 |
bug... we do have time until upstream shadow team reviews |
| 102 |
and commits my modifications (at least). |
| 103 |
|
| 104 |
Side note: it's a bit complicated to |
| 105 |
know when to add ${ROOT} and when not in a ebuild... For |
| 106 |
example, chown needs ${ROOT} but fowners must not!... |
| 107 |
Side note 2: maybe I should add a |
| 108 |
verification to check if useradd/groupadd supports my new |
| 109 |
--prefix solution, and fallback to original behavior if |
| 110 |
not? |
| 111 |
|
| 112 |
Tests: I've compiled a full working |
| 113 |
system with my above solution, and it works. (cross |
| 114 |
compilation in a dedicated target root path) |
| 115 |
|
| 116 |
Regards, |
| 117 |
Farid |
Archives