Your message dated Sat, 11 Nov 2023 09:31:38 +0900
with message-id <[email protected]>
and subject line Re: Bug#1055752: `groupadd --force --system sambashare` in
samba.postinst is wrong
has caused the Debian Bug report #1055752,
regarding `groupadd --force --system sambashare` in samba.postinst is wrong
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1055752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055752
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: samba
Severity: normal
Problem: `groupadd --force --system sambashare` in samba.postinst is wrong
Versions: 2:4.17.12+dfsg-0+deb12u1, 2:4.19.2+dfsg-1
Salsa: 0610d7670c6 ("update changelog; upload version 4.19.2+dfsg-1 to
unstable", 2023-10-16)
groupadd is in essential but command syntax is not the same as addgroup
from adduser package. Simply replacing adduser is not the right fix.
I see you committed on this happened from:
1eb07efc2fb ("d/winbind.postinst: switch addgroup => groupadd and eliminate
getent", 2022-11-03)
What happened was adduser is not essential. So if you don't depend on
it, piuparts fails. (Yes, there may have been some transitional problem
etc. But this is the core of the issue.) So please add depends to
adduser and use the older good code.
If you insist on using groupadd from shadow package, you need to use
something along (but this may still fail on some corner cases:
groupadd -f -K MIN_GID=100 -K MAX_GID=999 sambashare
I still think this use of groupadd is bad idea.
Use of getent in old code should be no problem since it is in libc-bin
which is priority required.
If you still have problem with your local piuparts checks, please check
your base sid image used for it. If it still has adduser package in it,
remove it.
-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-0.deb12.1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-- no debconf information
--- End Message ---
--- Begin Message ---
Excuse me. I was wrong. I overlooked groupadd also has --system.
I am looking for root cause of linuxcontainer.org produced Debian LXD image
shipping with odd GID=1000 for netdev group.
I thought it might be due to transition away from addgroup in some maintainer
script for --system handling. This was wrong idea in late night. Today, I
woke-up and realized.
```
$ lxc exec dc12a -- bash -l
root@dc12a:~# cp -a /etc/group /etc/group.before
root@dc12a:~# addgroup --system addgroupsystem
Adding group `addgroupsystem' (GID 107) ...
Done.
root@dc12a:~# groupadd --system groupaddsystem
root@dc12a:~# diff -u /etc/group.before /etc/group
--- /etc/group.before 2023-11-04 15:27:53.494095848 +0000
+++ /etc/group 2023-11-11 00:17:58.288947004 +0000
@@ -47,3 +47,5 @@
_ssh:x:106:
netdev:x:1000:debian
debian:x:1001:
+addgroupsystem:x:107:
+groupaddsystem:x:996:
```
On Fri, 2023-11-10 at 19:33 +0300, Michael Tokarev wrote:
> Control: tag -1 + moreinfo
>
> 10.11.2023 18:04, Osamu Aoki:
> > Source: samba
> > Severity: normal
> >
> > Problem: `groupadd --force --system sambashare` in samba.postinst is wrong
> >
> > Versions: 2:4.17.12+dfsg-0+deb12u1, 2:4.19.2+dfsg-1
> > Salsa: 0610d7670c6 ("update changelog; upload version 4.19.2+dfsg-1 to
> > unstable", 2023-10-16)
> >
> > groupadd is in essential but command syntax is not the same as addgroup
> > from adduser package. Simply replacing adduser is not the right fix.
> >
> > I see you committed on this happened from:
> > 1eb07efc2fb ("d/winbind.postinst: switch addgroup => groupadd and
> > eliminate getent", 2022-11-03)
> >
> > What happened was adduser is not essential. So if you don't depend on
> > it, piuparts fails. (Yes, there may have been some transitional problem
> > etc. But this is the core of the issue.) So please add depends to
> > adduser and use the older good code.
> >
> > If you insist on using groupadd from shadow package, you need to use
> > something along (but this may still fail on some corner cases:
> >
> > groupadd -f -K MIN_GID=100 -K MAX_GID=999 sambashare
> >
> > I still think this use of groupadd is bad idea.
> >
> > Use of getent in old code should be no problem since it is in libc-bin
> > which is priority required.
>
> Why are you saying it all? I don't follow. Sure thing, groupadd does not
> have the same syntax as addgroup, but this is irrelevant.
>
> From groupadd manpage:
>
> --force
> This option causes the command to simply exit with success status
> if the specified group already exists
>
> So this eliminates the need for getent, I can use just a single call to
> groupadd, it will do nothing if the group is already exists.
>
> --system
> Create a system group.
>
> The numeric identifiers of new system groups are chosen in the
> SYS_GID_MIN-SYS_GID_MAX range, defined in login.defs, instead of
> GID_MIN-GID_MAX.
>
> Why do you suggest to hard-code -K MIN_GID && MAX_GID instead of using
> whatever values are configured in login.defs? I'd say the opposite:
> if addgroup always used 100 & 999 here, instead of values from login.defs,
> it is a bug in addgroup, and I don't want to use buggy software.
>
> I don't see the point. groupadd suits the task perfectly.
>
> /mjt
--- End Message ---
