Bug#1055752: `groupadd --force --system sambashare` in samba.postinst is wrong
Control: tag -1 + moreinfo
10.11.2023 18:04, Osamu Aoki:
Source: samba
Severity: normal
Problem: `groupadd --force --system sambashare` in samba.postinst is wrong
Versions: 2:4.17.12+dfsg-0+deb12u1, 2:4.19.2+dfsg-1
Salsa: 0610d7670c6 ("update changelog; upload version 4.19.2+dfsg-1 to
unstable", 2023-10-16)
groupadd is in essential but command syntax is not the same as addgroup
from adduser package. Simply replacing adduser is not the right fix.
I see you committed on this happened from:
1eb07efc2fb ("d/winbind.postinst: switch addgroup => groupadd and eliminate
getent", 2022-11-03)
What happened was adduser is not essential. So if you don't depend on
it, piuparts fails. (Yes, there may have been some transitional problem
etc. But this is the core of the issue.) So please add depends to
adduser and use the older good code.
If you insist on using groupadd from shadow package, you need to use
something along (but this may still fail on some corner cases:
groupadd -f -K MIN_GID=100 -K MAX_GID=999 sambashare
I still think this use of groupadd is bad idea.
Use of getent in old code should be no problem since it is in libc-bin
which is priority required.
Why are you saying it all? I don't follow. Sure thing, groupadd does not
have the same syntax as addgroup, but this is irrelevant.
From groupadd manpage:
--force
This option causes the command to simply exit with success status
if the specified group already exists
So this eliminates the need for getent, I can use just a single call to
groupadd, it will do nothing if the group is already exists.
--system
Create a system group.
The numeric identifiers of new system groups are chosen in the
SYS_GID_MIN-SYS_GID_MAX range, defined in login.defs, instead of
GID_MIN-GID_MAX.
Why do you suggest to hard-code -K MIN_GID && MAX_GID instead of using
whatever values are configured in login.defs? I'd say the opposite:
if addgroup always used 100 & 999 here, instead of values from login.defs,
it is a bug in addgroup, and I don't want to use buggy software.
I don't see the point. groupadd suits the task perfectly.
/mjt
Bug#1055752: `groupadd --force --system sambashare` in samba.postinst is wrong
Source: samba
Severity: normal
Problem: `groupadd --force --system sambashare` in samba.postinst is wrong
Versions: 2:4.17.12+dfsg-0+deb12u1, 2:4.19.2+dfsg-1
Salsa: 0610d7670c6 ("update changelog; upload version 4.19.2+dfsg-1 to
unstable", 2023-10-16)
groupadd is in essential but command syntax is not the same as addgroup
from adduser package. Simply replacing adduser is not the right fix.
I see you committed on this happened from:
1eb07efc2fb ("d/winbind.postinst: switch addgroup => groupadd and eliminate
getent", 2022-11-03)
What happened was adduser is not essential. So if you don't depend on
it, piuparts fails. (Yes, there may have been some transitional problem
etc. But this is the core of the issue.) So please add depends to
adduser and use the older good code.
If you insist on using groupadd from shadow package, you need to use
something along (but this may still fail on some corner cases:
groupadd -f -K MIN_GID=100 -K MAX_GID=999 sambashare
I still think this use of groupadd is bad idea.
Use of getent in old code should be no problem since it is in libc-bin
which is priority required.
If you still have problem with your local piuparts checks, please check
your base sid image used for it. If it still has adduser package in it,
remove it.
-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-0.deb12.1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-- no debconf information
