On 02/16/2010 10:04 AM, P. Levine wrote:
> Peter Stuge wrote:
>> I talked to upstream on freenode/#shadow and they welcome a patch for
>> adding --chroot
>>
>> chroot() needs to happen really early since useradd and friends read
>> some configuration files to know e.g. which password encryption
>> method to use.
>
> Attached is a tentative patch to add a chroot flag to useradd and
> groupadd (via --chroot or -R). It compiles and works on my end
> (--chroot /usr/armv4tl-softfloat-linux-gnueabi) with various other flags
> enabled. I'm hoping for others to test it and get some feedback before
> I submit it to shadow upstream.
>
> There do exist a couple of issues:
>
> sysconf(_SC_NGROUPS_MAX) is called by useradd early on. This would
> report the maximum allowable number of groups per user on the build
> system, not the target. To my knowledge, this is set by the kernel and
> would have to be used. However, this tends to be a very high number for
> linux kernel >= 2.6.3 (65536) so it seems like a moot point (for linux
> kernel >= 2.6.3).
>
> There are a number of calls to "getXXbyYY" functions (i.e., getgrgid,
> getpwnam, etc...). These seem to be dynamically preloaded and access
> preloaded databases. They are unaffected by chroot() (even after
> setting __nss_configure_lookup(foo, files)). I've instead used shadow's
> own method of macro expansion to generate functions doing the
> equivalent, with recursive calls to fgetXXent functions.
>
> And PAM functionality doesn't work and has to be disabled while using
> chroot(). I don't know very much about PAM. Would this be a problem?
>
> Also, the chroot functionality could probably be easily extended to
> other modules but I'm not sure if this would be acceptable upstream.
>
> There are a couple of cosmetic changes I'm considering as well (such as
> how --chroot flag is parsed).
>
> -- Peter Levine

Sorry, wrong patch.

I've attached the correct one.

-- Peter Levine
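
The file-based lookup described in the quoted message (scanning the target's own database with an fgetXXent call instead of going through getpwnam and NSS), as an added example that is not part of the original post or the attached patch. The function names and the `armbuild` entry with uid 1500 are constructed for illustration; `fgetpwent()` is the glibc call.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes glibc's fgetpwent() */
#endif
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Scan an open passwd-format stream with fgetpwent(), which parses that
 * file only and never consults NSS. Returns the uid, or -1 if absent. */
long stream_lookup_uid(FILE *fp, const char *name)
{
    struct passwd *pw;
    rewind(fp);
    while ((pw = fgetpwent(fp)) != NULL)
        if (strcmp(pw->pw_name, name) == 0)
            return (long)pw->pw_uid;
    return -1;
}

/* Same lookup against <root>/etc/passwd (root = target tree or sysroot). */
long root_lookup_uid(const char *root, const char *name)
{
    char path[4096];
    long uid = -1;
    int n = snprintf(path, sizeof path, "%s/etc/passwd", root);
    FILE *fp = (n > 0 && (size_t)n < sizeof path) ? fopen(path, "r") : NULL;
    if (fp != NULL) {
        uid = stream_lookup_uid(fp, name);
        fclose(fp);
    }
    return uid;
}

/* Constructed sample: a target passwd database held in a temp file. */
FILE *sample_target_passwd(void)
{
    FILE *fp = tmpfile();
    if (fp != NULL)
        fputs("root:x:0:0:root:/root:/bin/sh\n"
              "armbuild:x:1500:1500:constructed:/home/armbuild:/bin/sh\n", fp);
    return fp;
}

int main(void)
{
    FILE *fp = sample_target_passwd();
    if (fp != NULL)
        printf("armbuild uid in target: %ld\n", stream_lookup_uid(fp, "armbuild"));
    return 0;
}
```

Opening the file by path prefix only selects which database is parsed; unlike chroot(), it does not confine any later path lookups the process makes.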