passwd: sync etc/{,g}shadow according to etc/{passwd,group} #4503

Conversation
rust/src/passwd.rs
}) | ||
.with_context(|| format!("Writing {target_etc_shadow}"))?; | ||
} | ||
_ => {} |
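Review bot: the `_ => {}` arm that closes this match silently accepts any kind not handled above, so an unhandled or mistyped variant would skip writing the shadow file with no error and no log line; make the arm `unreachable!()` at minimum, or match exhaustively on a two-variant enum of the kind so the compiler reports an unhandled case instead of the runtime quietly doing nothing.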
Same as above, this should never be reached and should fail.
Yeah, `unreachable!` is probably OK here.
(Or with more work, we could actually try to pass around an `enum PasswdKind { User, Group }` instead?)
Makes sense to me, updated, thanks!
Could you add more context / explanation for the change?
Looks sane to me, just nits to fix generally
697043e to 196db3f
Refer to coreos#49 (comment), do testing:

1. Remove bin line in group and passwd
2. Build FCOS, see logs:

```
systemd.post: Creating group 'bin' with GID 1.
systemd.post: Creating user 'bin' (bin) with UID 1 and GID 1.
systemd.post: /etc/gshadow: Group "bin" already exists.
```

According to @cgwalters 's pointer: the above log will lead systemd-sysusers (during systemd.post) to exit early before saving the updated `/etc/{passwd,group}`, refer to [code](https://github.com/systemd/systemd/blob/main/src/sysusers/sysusers.c#L820), and bin user/group will not be saved finally.

The root cause is that `gshadow` is not consistent with group: `gshadow` is from setup, and we override group according to https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifests/group. The `shadow` is also from setup, and is not consistent with passwd, so we should also sync it.

Fix coreos/fedora-coreos-tracker#1525
Sure, add more context and can also see in the commit.
One other cleanup we can do, but not blocking.
Sorry to add
rootfs | ||
.atomic_replace_with(&target_shadow_path, |target_shadow| -> Result<()> { | ||
for user in entries { | ||
writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?; |
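Review bot: the `writeln!` in the `for user in entries` loop hard-codes every shadow field (`*`, empty last-change, `0`, `99999`, `7`) without naming them; add a comment giving the field order (name, password, last change, min days, max days, warn days, inactive days, expiry, reserved) and stating that `*` is a locked password and the empty last-change field is intentional, since these values are copied from setup's shadowconvert.sh rather than read from the system's useradd defaults. Note also that `atomic_replace_with` rewrites the whole file from `entries`, so any existing line in the target shadow file is discarded rather than merged.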
I had to actually look some of this up... https://www.cyberciti.biz/faq/understanding-etcshadow-file/ is a useful reference. I think for now, it's probably fine to just hardcode these things.
What may be a little bit more sustainable though (albeit very hacky) would be to run `useradd --system demouser` at build time (on a throwaway rootfs) and then scrape out the defaults it injects.
That way, the constants from libuser are a source-of-truth and we don't have a duplicate copy effectively.
But what we're doing now is a lot better than not injecting shadow entries at all.
Thanks for the link, that is helpful.
The above format refers to https://pagure.io/setup/blob/master/f/shadowconvert.sh, the comment still makes sense to me.
passwd: Rename func data_from_json to write_data_from_treefile
passwd: sync etc/{,g}shadow according to etc/{passwd,group}

Refer to #49 (comment), do testing:

According to @cgwalters 's pointer: the above log will lead systemd-sysusers (during systemd.post) to exit early before saving the updated /etc/{passwd,group}, refer to code, and bin user/group will not be saved finally.

The root cause is that gshadow is not consistent with group: gshadow is from setup, and we override group according to https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifests/group. The shadow is also from setup, and is not consistent with passwd, so we should also sync it.

Fix coreos/fedora-coreos-tracker#1525
passwd: add enum PasswdKind

Refer to d8dc960
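The shadow-line template from the review hunk and the consistency problem the commit message describes (a name present in gshadow but absent from group makes systemd-sysusers stop before it saves anything) can both be exercised with the Rust below. It is an added example, not code from this PR or from rpm-ostree, and it goes beyond the PR's approach of regenerating the shadow file from scratch: existing lines for names still present are kept verbatim so real password hashes survive, lines for names no longer in the primary file are dropped, and names without a shadow line get a locked placeholder. The `PasswdKind` enum, `SyncReport`, `sync_shadow` and the sample file contents are all constructed here; the user placeholder is the template from the hunk, while the group placeholder `name:!::` is an assumed format.

```rust
use std::collections::BTreeMap;

/// Which pair of files is being synced: /etc/passwd with /etc/shadow, or
/// /etc/group with /etc/gshadow (the enum suggested in review; constructed here).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PasswdKind {
    User,
    Group,
}

impl PasswdKind {
    /// Placeholder line for a name that has no shadow entry yet.
    /// User: name, locked password `*`, empty last-change, min 0, max 99999,
    /// warn 7, then inactive/expiry/reserved left empty (template from the hunk).
    /// Group: name, locked password, no admins, no members (assumed format).
    pub fn placeholder(self, name: &str) -> String {
        match self {
            PasswdKind::User => format!("{name}:*::0:99999:7:::"),
            PasswdKind::Group => format!("{name}:!::"),
        }
    }
}

/// What `sync_shadow` changed, so a caller can log it.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct SyncReport {
    pub added: Vec<String>,
    pub dropped: Vec<String>,
}

/// First colon-separated field of every non-empty, non-comment line.
fn names_in(content: &str) -> Vec<String> {
    content
        .lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split(':').next())
        .map(str::to_owned)
        .collect()
}

/// Rewrite `shadow` so its set of names equals the set of names in `primary`.
/// Lines for known names are kept as-is, lines for names missing from
/// `primary` are dropped (the stale `bin` case from the commit message), and
/// names without a line get a locked placeholder. Output order follows `primary`.
pub fn sync_shadow(kind: PasswdKind, primary: &str, shadow: &str) -> (String, SyncReport) {
    let mut existing: BTreeMap<String, String> = BTreeMap::new();
    for line in shadow.lines().map(str::trim).filter(|l| !l.is_empty()) {
        if let Some(name) = line.split(':').next() {
            existing.insert(name.to_owned(), line.to_owned());
        }
    }
    let mut report = SyncReport::default();
    let mut out = String::new();
    for name in names_in(primary) {
        match existing.remove(&name) {
            Some(line) => out.push_str(&line),
            None => {
                out.push_str(&kind.placeholder(&name));
                report.added.push(name);
            }
        }
        out.push('\n');
    }
    // Anything left in `existing` has no counterpart in `primary`: exactly the
    // inconsistency that made systemd-sysusers bail out in the log above.
    report.dropped = existing.into_keys().collect();
    (out, report)
}

fn main() {
    // Constructed sample: `bin` is in gshadow (from setup) but not in group
    // (overridden by the treefile), and `core` is in group with no gshadow line.
    let group = "root:x:0:\nwheel:x:10:core\ncore:x:1000:\n";
    let gshadow = "root:::\nbin:::\nwheel:::core\n";
    let (synced, report) = sync_shadow(PasswdKind::Group, group, gshadow);
    print!("{synced}");
    println!("{report:?}");
}
```

Running `main` prints the synced gshadow with `bin:::` gone and `core:!::` appended, followed by a report naming `core` as added and `bin` as dropped. Keeping lines for existing names is the reason to prefer a merge over a full rewrite: a rewrite resets every real hash to the locked placeholder.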