On Sun, Jun 27, 2010 at 12:01:12PM +0200, Bastian Blank wrote:
> On Sat, Jun 26, 2010 at 11:36:12PM +0100, Roger Leigh wrote:
> > On Thu, Jun 17, 2010 at 11:49:47AM +0200, Bastian Blank wrote:
> > > 20nssdatabases checks for file equivalence and doesn't do anything in
> > > this case. However nss may include more modules than just "files" and
> > > will fail to produce a useful result in this case.
> > However, we are checking the file device number and inode number, not
> > the file contents. These should never be the same both inside and
> > outside the chroot. If they are, something is very badly wrong:
>
> The problem is a completely different one: the result of getent passwd
> and the contents of /etc/passwd are not equivalent. So in case of a
> hardlinked file the result is a completely different (just it) than if
> the script creates a new one (the contents all nss databases).

I'm not sure I completely understand here. I agree the contents are
different, but why do we need to care about the content of /etc/passwd
if we aren't using it? When you're mentioning hardlinked files, what
is hardlinked to what, and why?

> Okay, to be exact: getent passwd may not provide a complete view anyway
> (because of query limits or so in case of remote databases, like ldap).

Do you have any suggestions as to how to better cater for this type
of setup?

> > For example, 20nssdatabases does the equivalent of
> >   getent passwd > $chroot/etc/passwd
>
> It has to replace the old file in this case anyway and not truncate it.

The '>' operator in the shell does an ftruncate prior to fork/exec
(to set up the pipes), so when /etc/passwd is your only NSS database,
it's gone completely before getent even runs.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
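The truncation discussed in the message above, next to a replace-by-rename variant, as an added example that is not part of the original mail or of the 20nssdatabases script. The helper names, the scratch directory standing in for the chroot, and `lookup_passwd` standing in for `getent passwd` with "files" as the only NSS source are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: nothing here touches the real /etc/passwd.

# Hypothetical stand-in for `getent passwd` when "files" is the only NSS
# source: the answer comes from the database file itself ($1).
lookup_passwd() {
    awk '{ print }' "$1"
}

# Pattern from the thread: the shell opens the target with truncation
# before the command runs, so the reader finds an empty database.
refresh_truncating() {
    db=$1
    lookup_passwd "$db" > "$db" || :
}

# Replace instead of truncate: write to a temp file in the same directory,
# refuse an empty result, then rename over the old file in one step.
refresh_atomic() {
    db=$1
    tmp=$(mktemp "$db.XXXXXX") || return 1
    if lookup_passwd "$db" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv -f "$tmp" "$db"   # mktemp creates mode 0600
    else
        rm -f "$tmp"
        return 1
    fi
}

make_sample_db() {   # constructed sample entries
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'builder:x:1000:1000::/home/builder:/bin/sh' > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_db "$dir/passwd.a"; refresh_truncating "$dir/passwd.a"
    make_sample_db "$dir/passwd.b"; refresh_atomic "$dir/passwd.b"
    lines_truncating=$(wc -l < "$dir/passwd.a" | tr -d ' ')
    lines_atomic=$(wc -l < "$dir/passwd.b" | tr -d ' ')
    rm -rf "$dir"
    echo "truncating redirect: $lines_truncating lines; temp file + rename: $lines_atomic lines"
}
demo
```

The rename only helps if the temp file is on the same filesystem as the target, which is why it is created next to it.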