From cc509e77d3cfaaaf1078e0ebf750856166772edd Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Wed, 16 Feb 2022 18:26:04 +0100 Subject: [PATCH] build_library: move package sysusers to /usr database Package users nowadays get created through systemd-sysuser files. Gentoo uses the acct-user|groups packages to allocate stable IDs for these users. Since they get created at runtime, we have the problem that they end up in /etc/passwd at boot time which would be fine if they follow the acct-user allocations but it could also be that there is a package that uses its own sysuser files, leading to dynamic ID allocation which we can't control and may result in ugly user ID mismatches that are hard to resolve again. Normally we intend to ship all system users under /usr/share/baselayout/passwd so that /etc/passwd is really left to the user's own entries. Generate the /etc/passwd sysuser entries at image build time and move these entries over to /usr/share/baselayout/passwd so that all system users reside in this database. We should still ensure to have acct-user packages for all system users or at least hardcoded user IDs, therefore, add a check for that. --- build_library/build_image_util.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 4e29cadf88..ce900d1485 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -607,6 +607,24 @@ finish_image() { "${root_fs_dir}/boot/flatcar/vmlinuz-a" sudo rm "${root_fs_dir}/usr/boot/vmlinuz"* + # Forbid dynamic user ID allocation because we want stable IDs + local found="" + # We want to forbid "-", "X:-" (.*:-), "-:X" (-:.*), "/X" (/.*) + found=$({ grep '^[ug]' "${root_fs_dir}"/usr/lib/sysusers.d/*.conf || true ; } | awk '{print $3}' | { grep -x -- "-\|.*:-\|-:.*\|/.*" || true ; }) + if [ "${found}" != "" ]; then + die "Found dynamic ID allocation instead of hardcoded ID in /usr/lib/sysusers.d/*.conf (third column must not use '-', 'X:-', '-:X', or '/path')" + fi + # Run systemd-sysusers once to create users in /etc/passwd so that + # we can move them to /usr (relying on nss-altfiles to provide them + # at runtime, but we could use systemd's userdb, too). + sudo systemd-sysusers --root="${root_fs_dir}" + for databasefile in passwd group shadow gshadow; do + newentries=$(comm -23 <(sudo cut -d ":" -f 1 "${root_fs_dir}/etc/${databasefile}" | sort) <(sudo cut -d ":" -f 1 "${root_fs_dir}/usr/share/baselayout/${databasefile}" | sort)) + for newentry in ${newentries}; do + sudo grep "^${newentry}:" "${root_fs_dir}/etc/${databasefile}" | sudo tee -a "${root_fs_dir}/usr/share/baselayout/${databasefile}" + done + sudo rm -f "${root_fs_dir}/etc/${databasefile}" "${root_fs_dir}/etc/${databasefile}-" + done # Record directories installed to the state partition. # Explicitly ignore entries covered by existing configs. local tmp_ignore=$(awk '/^[dDfFL]/ {print "--ignore=" $2}' \