1 |
Hi all, |
2 |
|
3 |
Already two years.... |
4 |
Yes, two years ago I've posted here to notify you about the creattion of users and groups when using "ROOT=". |
5 |
As a reminder, if you currently emerge a package to a specific rootfs folder, some packages will actually not create the user and groups correctly inside this rootfs. |
6 |
It will also not check for the existance of the user/group inside of the rootfs. |
7 |
Everytime, it will check "/". |
8 |
|
9 |
This very old gentoo issue (I have to find again the GLEP talking about this issue). |
10 |
|
11 |
The solution is not possible without changing the behaviour of the tools used by portage. For example, portage is using shadow in most systems (and shadow is using the glibc). |
12 |
|
13 |
I've submited a patch first to shadow upstream team to avec this feature, using a new argument (--prefix) to tools like usemod,useradd etc |
14 |
You can create users in any rootfs you want, no need to be root (except if you local pam configuration requires it) |
15 |
|
16 |
This is unfortunately not enough for gentoo: some packages are relying on chaonw directly. So I've added some wrappers (same as the current enewuser etc functions) |
17 |
This enable people to build embedded systems rootfs from scratch, using a complete gentoo. |
18 |
Some packages must be updated in order to behave properly in that case (replace chown with echown for example) |
19 |
As a failsafe, I'm only triggering the new behavior in case ROOT env var is not "/" (and I think (I have to check) that if the command fails, it will fallback to the old behavior in case the --prefix argument is not implemented (incorrect shadow version for example) |
20 |
|
21 |
This requires in that case a new EAPI I think. Just tell me what to do, where, and I will submit the proposal |
22 |
|
23 |
I'm using the modifications for 2 years now. |
24 |
|
25 |
|
26 |
Limitations: |
27 |
- selinux is not supported (ie: you will still use the system's selinux.). |
28 |
- Also, this only works with gentoo systems using the shadow package (the exact version will depend on when the new release will be done). |
29 |
- Last one: I only tested on a linux configuration |
30 |
|
31 |
|
32 |
Cheers |
33 |
|
34 |
|
35 |
-------------------------------------------- |
36 |
En date de : Mar 24.5.16, Farid BENAMROUCHE <fariouche@×××××.fr> a écrit : |
37 |
|
38 |
Objet: Modification proposal for user/group creation when ROOT!="/" |
39 |
À: gentoo-dev@l.g.o |
40 |
Date: Mardi 24 mai 2016, 21h00 |
41 |
|
42 |
Hi all, |
43 |
|
44 |
Currently there is an old known |
45 |
limitation when using ROOT= option to install a package in a |
46 |
folder: user/groups are created in the host filesystem, not |
47 |
the target root filesystem. |
48 |
|
49 |
So I've pushed some modifications to |
50 |
the upstream shadow repo. |
51 |
Basically, I've added a --prefix option |
52 |
to user{add,mod,del} and group{add,mod,del} |
53 |
This option does the same as --root |
54 |
option, but whithout a chroot (so compatible when cross |
55 |
compiling) |
56 |
You can see more details (and the |
57 |
limitation of my implementation) in the shadow github repo: |
58 |
https://github.com/shadow-maint/shadow/issues/18 |
59 |
|
60 |
|
61 |
Now, for the gentoo part, I do have a |
62 |
working solution that I've pushed in the following |
63 |
bugzilla: |
64 |
https://bugs.gentoo.org/show_bug.cgi?id=541406 |
65 |
|
66 |
A new user.eclass file with modified |
67 |
enewuser,enewgroup and egetent that all supports ${ROOT} |
68 |
option via --prefix in shadow utilities. |
69 |
For now I've only added this option for |
70 |
linux. |
71 |
|
72 |
However, I've encountered some |
73 |
unexpected issues: some ebuilds are using direct calls to |
74 |
chown and fowners. Both are not compatible with ${ROOT}... |
75 |
|
76 |
To solve this, I've created 2 new calls |
77 |
in user.eclass: echown and efowners. |
78 |
The only thing the new functions are |
79 |
doing is to get the uid/gid from the correct passwd/group |
80 |
files from ${ROOT} using the modified egetent function and |
81 |
pass that to the native chown/fowners... |
82 |
|
83 |
For example, in sys-power/nut we can |
84 |
find: |
85 |
chown nut:nut ${ROOT}/var/lib/nut |
86 |
|
87 |
This should be changed to |
88 |
echown nut:nut ${ROOT}/var/lib/nut |
89 |
|
90 |
Same to fowners. |
91 |
If the modification is not done, either |
92 |
the ebuild will fail because the nut user does not exists in |
93 |
the host, or the incorrect uid will be user in ${ROOT} |
94 |
|
95 |
The solution is not perfect, but at |
96 |
least better than what we have today, and totally usable I |
97 |
believe. |
98 |
|
99 |
I've uploaded the patches for lighttpd |
100 |
and nut, plus my patch for user.eclass for review in this |
101 |
bug... we do have time until upstream shadow team reviews |
102 |
and commits my modifications (at least). |
103 |
|
104 |
Side note: it's a bit complicated to |
105 |
know when to add ${ROOT} and when not in a ebuild... For |
106 |
example, chown needs ${ROOT} but fowners must not!... |
107 |
Side note 2: maybe I should add a |
108 |
verification to check if useradd/groupadd supports my new |
109 |
--prefix solution, and fallback to original behavior if |
110 |
not? |
111 |
|
112 |
Tests: I've compiled a full working |
113 |
system with my above solution, and it works. (cross |
114 |
compilation in a dedicated target root path) |
115 |
|
116 |
Regards, |
117 |
Farid |