| 1 |
Peter Stuge wrote: |
| 2 |
> I talked to upstream on freenode/#shadow and they welcome a patch for |
| 3 |
> adding --chroot |
| 4 |
> |
| 5 |
> chroot() needs to happen really early since useradd and friends read |
| 6 |
> some configuration files to know e.g. which password encryption |
| 7 |
> method to use. |
| 8 |
|
| 9 |
Attached is a tentative patch to add a chroot flag to useradd and |
| 10 |
groupadd (via --chroot or -R). It compiles and works on my end |
| 11 |
(--chroot /usr/armv4tl-softfloat-linux-gnueabi) with various other flags |
| 12 |
enabled. I'm hoping for others to test it and get some feedback before |
| 13 |
I submit it to shadow upstream. |
| 14 |
|
| 15 |
There do exist a couple of issues: |
| 16 |
|
| 17 |
sysconf(_SC_NGROUPS_MAX) is called by useradd early on. This would |
| 18 |
report the maximum allowable number of groups per user on the build |
| 19 |
system, not the target. To my knowledge, this is set by the kernel and |
| 20 |
would have to be used. However, this tends to be a very high number for |
| 21 |
linux kernel >= 2.6.3 (65536) so it seems like a mute point (for linux |
| 22 |
kernel >= 2.6.3). |
| 23 |
|
| 24 |
There are a number of calls to "getXXbyYY" functions (i.e., getgrgid, |
| 25 |
getpwnam, etc...). These seem to be dynamically preloaded and access |
| 26 |
preloaded databases. They are unaffected by chroot() (even after |
| 27 |
setting __nss_configure_lookup(foo, files)). I've instead used shadow's |
| 28 |
own method of macro expansion to generate functions doing the |
| 29 |
equivalent, with recursive calls to fgetXXent functions. |
| 30 |
|
| 31 |
And PAM functionality doesn't work and has to be disabled while using |
| 32 |
chroot(). I don't know very much about PAM. Would this be a problem? |
| 33 |
|
| 34 |
Also, the chroot functionality could probably be easily extended to |
| 35 |
other modules but I'm not sure if this would be acceptable upstream. |
| 36 |
|
| 37 |
There are a couple of cosmetic changes I'm considering as well (such as |
| 38 |
how --chroot flag is parsed). |
| 39 |
|
| 40 |
-- Peter Levine |
Archives