Peter Stuge wrote:
> I talked to upstream on freenode/#shadow and they welcome a patch for
> adding --chroot
>
> chroot() needs to happen really early since useradd and friends read
> some configuration files to know e.g. which password encryption
> method to use.

Attached is a tentative patch to add a chroot flag to useradd and
groupadd (via --chroot or -R). It compiles and works on my end
(--chroot /usr/armv4tl-softfloat-linux-gnueabi) with various other flags
enabled. I'm hoping for others to test it and get some feedback before
I submit it to shadow upstream.

There do exist a couple of issues:

sysconf(_SC_NGROUPS_MAX) is called by useradd early on. This would
report the maximum allowable number of groups per user on the build
system, not the target. To my knowledge, this is set by the kernel and
would have to be used. However, this tends to be a very high number for
linux kernel >= 2.6.3 (65536) so it seems like a moot point (for linux
kernel >= 2.6.3).

There are a number of calls to "getXXbyYY" functions (i.e., getgrgid,
getpwnam, etc...). These seem to be dynamically preloaded and access
preloaded databases. They are unaffected by chroot() (even after
setting __nss_configure_lookup(foo, files)). I've instead used shadow's
own method of macro expansion to generate functions doing the
equivalent, with recursive calls to fgetXXent functions.

And PAM functionality doesn't work and has to be disabled while using
chroot(). I don't know very much about PAM. Would this be a problem?

Also, the chroot functionality could probably be easily extended to
other modules but I'm not sure if this would be acceptable upstream.

There are a couple of cosmetic changes I'm considering as well (such as
how --chroot flag is parsed).

-- Peter Levine
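The lookup problem the mail describes, shown as a small added example (illustration code written for this page, not the attached patch and not shadow's own code): getpwnam()/getgrnam() go through NSS and keep answering from the host's databases after chroot(), whereas the fgetpwent()/fgetgrent() family parses whichever file it is handed, so resolving names against <root>/etc/passwd and <root>/etc/group gives the target's view. The sample tree is built under mkdtemp() with made-up passwd and group entries; the function names and all sample values are constructed for the example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve a user name against <root>/etc/passwd with fgetpwent(), which
 * parses the file it is given, instead of getpwnam(), which goes through
 * NSS and ignores chroot(). Returns the uid, or -1 if the name is absent
 * or the file cannot be opened. */
long chroot_lookup_uid(const char *root, const char *name)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/etc/passwd", root);
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    long uid = -1;
    struct passwd *pw;
    while ((pw = fgetpwent(fp)) != NULL) {
        if (strcmp(pw->pw_name, name) == 0) {
            uid = pw->pw_uid;
            break;
        }
    }
    fclose(fp);
    return uid;
}

/* Same pattern for groups: <root>/etc/group via fgetgrent() instead of getgrnam(). */
long chroot_lookup_gid(const char *root, const char *name)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/etc/group", root);
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    long gid = -1;
    struct group *gr;
    while ((gr = fgetgrent(fp)) != NULL) {
        if (strcmp(gr->gr_name, name) == 0) {
            gid = gr->gr_gid;
            break;
        }
    }
    fclose(fp);
    return gid;
}

/* Write one file with the given contents; 0 on success. */
static int write_file(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs(contents, fp);
    return fclose(fp);
}

/* Build a constructed target tree under mkdtemp() with made-up passwd and
 * group entries (sample data for this example only). Returns a malloc'd
 * root path, or NULL on failure. */
char *make_sample_root(void)
{
    char tmpl[] = "/tmp/shadow-chroot-exampleXXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL)
        return NULL;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/etc", root);
    if (mkdir(path, 0755) != 0)
        return NULL;
    snprintf(path, sizeof path, "%s/etc/passwd", root);
    if (write_file(path, "root:x:0:0:root:/root:/bin/sh\n"
                         "builder:x:1000:1000:Build user:/home/builder:/bin/sh\n") != 0)
        return NULL;
    snprintf(path, sizeof path, "%s/etc/group", root);
    if (write_file(path, "root:x:0:\nwheel:x:10:builder\n") != 0)
        return NULL;
    return strdup(root);
}

int main(void)
{
    char *root = make_sample_root();
    if (root == NULL) {
        perror("make_sample_root");
        return 1;
    }
    /* Only the target tree is consulted; the host's NSS databases play no part. */
    printf("builder -> uid %ld (target)\n", chroot_lookup_uid(root, "builder"));
    printf("wheel   -> gid %ld (target)\n", chroot_lookup_gid(root, "wheel"));
    printf("missing -> %ld\n", chroot_lookup_uid(root, "nobody-here"));
    free(root);
    return 0;
}
```

The two hand-written lookups are the shape of what the mail's macro expansion generates over the fgetXXent calls; the point to check when reviewing such a patch is that every getXXbyYY call on the useradd/groupadd path has been replaced, since a single remaining NSS call silently answers from the build host rather than the target.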