Debian Bug report logs - #791661
support for alternative passwd location (i.e. libnss-extrausers)

Package: shadow; Maintainer for shadow is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>;

Reported by: Michael Vogt <mvo@ubuntu.com>

Date: Tue, 7 Jul 2015 11:15:02 UTC

Severity: wishlist

Tags: moreinfo, patch, upstream

Found in version 1:4.1.5.1-1.1


Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#791661; Package shadow. (Tue, 07 Jul 2015 11:15:06 GMT)


Acknowledgement sent to Michael Vogt <mvo@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 07 Jul 2015 11:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Vogt <mvo@ubuntu.com>
To: submit@bugs.debian.org
Subject: support for alternative passwd location (i.e. libnss-extrausers)
Date: Tue, 7 Jul 2015 13:10:45 +0200
Package: shadow
Version: 1:4.1.5.1-1.1
Severity: wishlist

Hi,

in Ubuntu we applied a patch that adds a new --extrausers flag that
will use the libnss-extrausers passwd/group/shadow databases instead
of the normal ones.

I'm happy to clean up this patch and forward it to Debian if there is a
chance that it might get applied. Please let me know if that's
something you would consider.

Thanks,
 Michael



Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#791661; Package shadow. (Fri, 18 Sep 2015 07:15:07 GMT)


Acknowledgement sent to Michael Vogt <mvo@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Fri, 18 Sep 2015 07:15:07 GMT)


Message #10 received at 791661@bugs.debian.org:

From: Michael Vogt <mvo@ubuntu.com>
To: 791661@bugs.debian.org
Subject: patches
Date: Fri, 18 Sep 2015 09:13:55 +0200
Hi,

looks like the actual patches are missing for some reason. Attached
are the two patches that add support for libnss-extrausers.

Cheers,
 Michael
[1010_extrausers.patch (text/x-diff, attachment)]
[1011_extrausers_toggle.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#791661; Package shadow. (Fri, 18 Sep 2015 09:30:04 GMT)


Acknowledgement sent to Dimitri John Ledkov <dimitri.j.ledkov@intel.com>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Fri, 18 Sep 2015 09:30:04 GMT)


Message #15 received at 791661@bugs.debian.org:

From: Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
To: Michael Vogt <mvo@ubuntu.com>, 791661@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#791661: patches
Date: Fri, 18 Sep 2015 10:27:11 +0100
Hello,

On 18 September 2015 at 08:13, Michael Vogt <mvo@ubuntu.com> wrote:
> Hi,
>
> looks like the actual patches are missing for some reason. Attached
> are the two patches that add support for libnss-extrausers.
>

These patches look weird. Are these used to manipulate
/var/lib/extrausers/* ? and why not use systemd-sysusers for that?

E.g. in clearlinux.org we have sysusers.d config files, which at build
time are used to generate {passwd,group,shadow,...}

The patches that we have for shadow (and I believe I have even
published some of them) go further - that is they load information
from both databases and allow manipulating it. Such that kvm group is
defined in altfiles location, yet one can still add users to said
group. In those patches a lookup is done to alternative location, and
the entry is copied across into the writable /etc/group, if one wants
custom user accounts to be added into a "system" group. There we use
libnss-altfiles modules.

Could you please elaborate how this patch fits together and is used in
Ubuntu / snappy? If it's never interactive, why not use
systemd-sysusers support then?

-- 
Regards,

Dimitri.
98 sleeps till Christmas

https://clearlinux.org
Open Source Technology Center
Intel Corporation (UK) Ltd. - Co. Reg. #1134945 - Pipers Way, Swindon SN3 1RJ.



Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#791661; Package shadow. (Sat, 21 Jan 2017 19:45:11 GMT)


Acknowledgement sent to Balint Reczey <balint@balintreczey.hu>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sat, 21 Jan 2017 19:45:11 GMT)


Message #20 received at 791661@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 791661@bugs.debian.org, Michael Vogt <mvo@ubuntu.com>, Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
Subject: Re: [Pkg-shadow-devel] Bug#791661: patches
Date: Sat, 21 Jan 2017 20:40:13 +0100
Control: tags -1 moreinfo patch upstream

Hi,

On Fri, 18 Sep 2015 10:27:11 +0100 Dimitri John Ledkov
<dimitri.j.ledkov@intel.com> wrote:
> Hello,
> 
> On 18 September 2015 at 08:13, Michael Vogt <mvo@ubuntu.com> wrote:
> > Hi,
> >
> > looks like the actual patches are missing for some reason. Attached
> > are the two patches that add support for libnss-extrausers.
> >
> 
> These patches look weird. Are these used to manipulate
> /var/lib/extrausers/* ? and why not use systemd-sysusers for that?
> 
> E.g. in clearlinux.org we have sysusers.d config files, which at build
> time are used to generate {passwd,group,shadow,...}
> 
> The patches that we have for shadow (and i believe i have even
> published some of them) go further - that is they load information
> from both databases and allow manipulating it. Such that kvm group is
> defined in altfiles location, yet one can still add users to said
> group. In those patches a lookup is done to alternative location, and
> the entry is copied across into the writable /etc/group, if one wants
> custom user accounts to be added into a "system" group. There we use
> libnss-altfiles modules.
> 
> Could you please elaborate how this patch fits together and used in
> Ubuntu / snappy? If it's never interactive, why not use
> systemd-sysusers support then?

Could you please upstream [1] the Ubuntu or the ClearLinux version?
I would happily update the package with the fix, but I would prefer one
you could agree on.

Cheers,
Balint

[1] https://github.com/shadow-maint/shadow



Added tag(s) moreinfo, upstream, and patch. Request was from Balint Reczey <balint@balintreczey.hu> to 791661-submit@bugs.debian.org. (Sat, 21 Jan 2017 19:45:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#791661; Package shadow. (Mon, 23 Jan 2017 17:27:02 GMT)


Acknowledgement sent to Oliver Grawert <ogra@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 23 Jan 2017 17:27:03 GMT)


Message #27 received at 791661@bugs.debian.org:

From: Oliver Grawert <ogra@ubuntu.com>
To: 791661@bugs.debian.org
Subject: support for alternative passwd location (i.e. libnss-extrausers)
Date: Mon, 23 Jan 2017 18:24:36 +0100
hi,
On Fri, 18 Sep 2015 10:27:11 +0100 Dimitri John Ledkov
<dimitri.j.ledkov@intel.com> wrote:
> Hello,
> 
> On 18 September 2015 at 08:13, Michael Vogt <mvo@ubuntu.com> wrote:
> > Hi,
> >
> > looks like the actual patches are missing for some reason. Attached
> > are the two patches that add support for libnss-extrausers.
> >
> 
> These patches look weird. Are these used to manipulate
> /var/lib/extrausers/* ? and why not use systemd-sysusers for that?
> 
> E.g. in clearlinux.org we have sysusers.d config files, which at build
> time are used to generate {passwd,group,shadow,...}
> 
> The patches that we have for shadow (and i believe i have even
> published some of them) go further - that is they load information
> from both databases and allow manipulating it. Such that kvm group is
> defined in altfiles location, yet one can still add users to said
> group. In those patches a lookup is done to alternative location, and
> the entry is copied across into the writable /etc/group, if one wants
> custom user accounts to be added into a "system" group. There we use
> libnss-altfiles modules.
> 
> Could you please elaborate how this patch fits together and used in
> Ubuntu / snappy? If it's never interactive, why not use
> systemd-sysusers support then?

sadly this would not work with ubuntu-core/snappy since
passwd/group/shadow are read only inside a squashfs. they have to stay 
this way since the UIDs/GIDs will need to match for the lifetime of the
device (alternatively, to prevent filesystem permission problems we
would have to walk the whole file system to update IDs in the rw parts
every time the read only rootfs gets updated which is rather ... ugh
... ).

we add dynamic users and groups (even system ones) for additionally
installed snap packages that are not bound to the core snap squashfs to
the extrausers db dynamically.

the decision for extrausers was actually made based on the fact that
many internal debian servers seemed to use it for user mgmt back then,
so we had hope that added support for extrausers management in the
tools would be easily accepted and debian would benefit from it
alongside.

by the looks of it sysusers.d will not support adding non-system users
(which we would want) and will also not be able to keep the IDs locked
down (beyond the fact that the default password db files need to be rw)
so in the ubuntu snappy case this is a no-go.

ciao
	oli
[signature.asc (application/pgp-signature, inline)]
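
A consistency check for the split setup described in the message above, added here as an illustration; it is not part of the original thread or of the Ubuntu or Clear Linux patches. It flags entries in the writable extrausers passwd file that are malformed or that reuse a name or UID already defined in the read-only base file. The sample data is constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: BASE stands in for the read-only /etc/passwd,
# EXTRA for the writable /var/lib/extrausers/passwd. Not from a real system.
BASE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
syslog:x:101:104::/home/syslog:/bin/false
"""
EXTRA = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
snapsvc:x:101:584788::/nonexistent:/bin/false
daemon:x:1001:1001:duplicate name:/home/daemon:/bin/bash
truncated:x:1002
"""

def parse_passwd(text):
    """Return (entries, bad): entries are (name, uid); bad are 1-based line numbers."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd(5): name:password:UID:GID:GECOS:home:shell
        if len(fields) != 7 or not fields[0] or not fields[2].isdecimal():
            bad.append(lineno)
            continue
        entries.append((fields[0], int(fields[2])))
    return entries, bad

def audit(base_text, extra_text):
    """Report extrausers entries that are malformed or collide with the base file."""
    base, _ = parse_passwd(base_text)
    extra, bad = parse_passwd(extra_text)
    base_names = {name for name, _ in base}
    base_uids = defaultdict(list)
    for name, uid in base:
        base_uids[uid].append(name)
    findings = [("malformed", f"line {n}") for n in bad]
    for name, uid in extra:
        if name in base_names:
            findings.append(("name-collision", name))
        if uid in base_uids:
            findings.append(("uid-collision", f"{name} uid={uid} also {','.join(base_uids[uid])}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(BASE, EXTRA):
        print(f"{kind}: {detail}")
```

On a real system the two strings would be read from /etc/passwd and /var/lib/extrausers/passwd; the same comparison applies to the group files.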


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 3 19:31:48 2018; Machine Name: buxtehude
