Your message dated Tue, 04 Oct 2022 21:37:02 +0000
with message-id <[email protected]>
and subject line Bug#1007758: fixed in shadow 1:4.12.3+dfsg1-1
has caused the Debian Bug report #1007758,
regarding shadow: please consider avoiding chroot in shadowconfig
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1007758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007758
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shadow
Version: 1:4.11.1+dfsg1-2
Severity: normal
Tags: patch
User: [email protected]
Usertags: dpkg-root-support
X-Debbugs-Cc: [email protected]
Hi,
when creating chroots for new architectures that are in the process of
being bootstrapped without yet having emulation support from qemu, it is
not possible to run maintainer scripts inside the foreign architecture
chroot because foreign architecture ELF binaries cannot be executed. The
solution to that problem is to run maintainer scripts from outside the
chroot and use the DPKG_ROOT environment variable to instruct the
maintainer script on which chroot to operate. By default, for normal
installations, that environment variable is set, but empty.
Apart from init-system-helpers and pam, all packages in the
Essential:yes set have support for DPKG_ROOT already. To start building
packages we also need to install build-essential. In debootstrap, the
buildd variant includes the Essential:yes packages, Priority:required
packages and build-essential. Strictly speaking passwd is not necessary
to start building packages as it only gets installed in the buildd
variant of debootstrap because it is Priority:required. The postinst of
apt also indirectly depends on passwd via adduser to create the _apt
user, but since apt is able to operate without the _apt user, this also
doesn't make passwd required for the early native bootstrap phase.
The patch at the end of this mail proposes two ways to add support for
DPKG_ROOT to the shadowconfig script as it is called by the passwd
postinst. The first method, which is disabled by an "if false", uses the
--root parameter to pwck, grpck, pwconv and grpconv to let these tools
chroot into the directory stored in DPKG_ROOT and then operate on that
directory instead of /. Since the DPKG_ROOT variable is empty for normal
installations, that codepath would also transparently work for those
without any conditionals.
The second method that would solve this situation is shown in the second
branch of the if-statement. The disadvantage of the first method is
that we still need to call chroot(). Currently, all other packages in
the Essential:yes, Priority:required and build-essential set can be
installed without any call to chroot(). The passwd postinst via
shadowconfig would be the only part that requires the chroot() call when
using the --root parameter. It would be nice if no component would
require doing the chroot() call because that would allow creating a
DPKG_ROOT chroot simply inside fakeroot. Thus, the second branch of the
conditional implements a method that works without chroot() and creates
a bit-by-bit identical result compared to a normal installation. While
those 10 lines are definitely complex and prone to breaking, please
consider using that method anyway because
1) the code-path is never executed during a normal installation
because the DPKG_ROOT variable is empty
2) we regularly test this method in our CI system and would send
patches if it should break in the future
3) if it breaks it would only break DPKG_ROOT support and not normal
installations
What do you think?
Thanks!
cheers, josch
diff -Nru shadow-4.11.1+dfsg1/debian/shadowconfig
shadow-4.11.1+dfsg1/debian/shadowconfig
--- shadow-4.11.1+dfsg1/debian/shadowconfig 2022-03-03 20:41:41.000000000
+0100
+++ shadow-4.11.1+dfsg1/debian/shadowconfig 2022-03-14 14:18:52.000000000
+0100
@@ -5,14 +5,40 @@
shadowon () {
set -e
- pwck -q -r
- grpck -r
- pwconv
- grpconv
- chown root:root /etc/passwd /etc/group
- chmod 644 /etc/passwd /etc/group
- chown root:shadow /etc/shadow /etc/gshadow
- chmod 640 /etc/shadow /etc/gshadow
+
+ if false; then
+ pwck -q -r --root "${DPKG_ROOT}/"
+ grpck -r --root "${DPKG_ROOT}/"
+ pwconv --root "${DPKG_ROOT}/"
+ grpconv --root "${DPKG_ROOT}/"
+ elif [ -n "$DPKG_ROOT" ] \
+ && cmp "${DPKG_ROOT}/etc/passwd"
"${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
+ && cmp "${DPKG_ROOT}/etc/group"
"${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
+ # If dpkg is run with --force-script-chrootless and if /etc/passwd
+ # and /etc/group are unchanged, we avoid the chroot() call by manually
+ # processing the files. This produces bit-by-bit identical results
+ # compared to the normal case as shown by the CI setup at
+ # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
+ for f in passwd group; do
+ cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
+ done
+ chmod 600 "${DPKG_ROOT}/etc/passwd-"
+ sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group"
"${DPKG_ROOT}/etc/passwd"
+ [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH ||
epoch=$(date +%s)
+ sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/"
"${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
+ sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" >
"${DPKG_ROOT}/etc/gshadow"
+ touch "${DPKG_ROOT}/etc/.pwd.lock"
+ chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
+ else
+ pwck -q -r
+ grpck -r
+ pwconv
+ grpconv
+ fi
+ chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+ chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+ chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+ chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
}
shadowoff () {
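Review bot: The final else branch is also reached when DPKG_ROOT is non-empty but either cmp check fails, and in that case the bare pwck -q -r, grpck -r, pwconv and grpconv run against the invoking system's / instead of the target tree. The chown/chmod lines that follow then act on "${DPKG_ROOT}/etc/shadow" and "${DPKG_ROOT}/etc/gshadow", which abort under set -e if those files do not exist. Suggest that the fallback either passes --root "$DPKG_ROOT" or exits with an explicit error whenever DPKG_ROOT is set, and that the dead "if false" branch is dropped once one method is chosen. Two smaller points in the chrootless branch: only stderr of cmp is redirected, so a mismatch still prints its "differ" line to stdout (cmp -s would silence both), and etc/shadow and etc/gshadow are created by shell redirection with the caller's umask and only restricted to 640 by the later chmod, so a umask 077 around the two "sed ... >" lines would close that interval.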
--- End Message ---
--- Begin Message ---
Source: shadow
Source-Version: 1:4.12.3+dfsg1-1
Done: Balint Reczey <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Balint Reczey <[email protected]> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 04 Oct 2022 22:09:04 +0200
Source: shadow
Built-For-Profiles: noudeb
Architecture: source
Version: 1:4.12.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers
<[email protected]>
Changed-By: Balint Reczey <[email protected]>
Closes: 1004242 1006848 1007758 1019245
Changes:
shadow (1:4.12.3+dfsg1-1) unstable; urgency=medium
.
[ Balint Reczey ]
* New upstream release (Closes: #1004242, #1006848)
* Refresh patches
* debian/patches: Reorder patches in series to make it look sane
* Fix Lintian elevated-privileges tag rename
.
[ Johannes Schauer Marin Rodrigues ]
* debian/shadowconfig: Support DPKG_ROOT without using chroot()
(Closes: #1007758)
* useradd: cherry-pick patch from upstream to avoid creating several GB worth
of sparse lastlog and faillog files for users with high uid values
(Closes: #1019245)
.
[ Debian Janitor ]
* Update renamed lintian tag names in lintian overrides.
* Update standards version to 4.6.1, no changes needed.
--- End Message ---
_______________________________________________
Pkg-shadow-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel