| 1 |
On 02/16/2010 10:04 AM, P. Levine wrote: |
| 2 |
> Peter Stuge wrote: |
| 3 |
>> I talked to upstream on freenode/#shadow and they welcome a patch for |
| 4 |
>> adding --chroot |
| 5 |
>> |
| 6 |
>> chroot() needs to happen really early since useradd and friends read |
| 7 |
>> some configuration files to know e.g. which password encryption |
| 8 |
>> method to use. |
| 9 |
> |
| 10 |
> Attached is a tentative patch to add a chroot flag to useradd and |
| 11 |
> groupadd (via --chroot or -R). It compiles and works on my end |
| 12 |
> (--chroot /usr/armv4tl-softfloat-linux-gnueabi) with various other flags |
| 13 |
> enabled. I'm hoping for others to test it and get some feedback before |
| 14 |
> I submit it to shadow upstream. |
| 15 |
> |
| 16 |
> There do exist a couple of issues: |
| 17 |
> |
| 18 |
> sysconf(_SC_NGROUPS_MAX) is called by useradd early on. This would |
| 19 |
> report the maximum allowable number of groups per user on the build |
| 20 |
> system, not the target. To my knowledge, this is set by the kernel and |
| 21 |
> would have to be used. However, this tends to be a very high number for |
| 22 |
> linux kernel >= 2.6.3 (65536) so it seems like a mute point (for linux |
| 23 |
> kernel >= 2.6.3). |
| 24 |
> |
| 25 |
> There are a number of calls to "getXXbyYY" functions (i.e., getgrgid, |
| 26 |
> getpwnam, etc...). These seem to be dynamically preloaded and access |
| 27 |
> preloaded databases. They are unaffected by chroot() (even after |
| 28 |
> setting __nss_configure_lookup(foo, files)). I've instead used shadow's |
| 29 |
> own method of macro expansion to generate functions doing the |
| 30 |
> equivalent, with recursive calls to fgetXXent functions. |
| 31 |
> |
| 32 |
> And PAM functionality doesn't work and has to be disabled while using |
| 33 |
> chroot(). I don't know very much about PAM. Would this be a problem? |
| 34 |
> |
| 35 |
> Also, the chroot functionality could probably be easily extended to |
| 36 |
> other modules but I'm not sure if this would be acceptable upstream. |
| 37 |
> |
| 38 |
> There are a couple of cosmetic changes I'm considering as well (such as |
| 39 |
> how --chroot flag is parsed). |
| 40 |
> |
| 41 |
> -- Peter Levine |
| 42 |
|
| 43 |
Sorry, wrong patch. |
| 44 |
|
| 45 |
I've attached the correct one. |
| 46 |
|
| 47 |
-- Peter Levine |
Archives