Hi,

I NMU-ed fakechroot with the patch from my last mail. The debdiff is attached. As per devref I uploaded to DELAYED/5 in case you have objections and want to cancel it.

Thanks!

cheers, josch
diff -Nru fakechroot-2.19/debian/changelog fakechroot-2.19/debian/changelog --- fakechroot-2.19/debian/changelog 2021-08-17 10:58:10.000000000 +0200 +++ fakechroot-2.19/debian/changelog 2021-09-09 19:50:34.000000000 +0200 @@ -1,3 +1,10 @@ +fakechroot (2.19-3.5) unstable; urgency=medium + + * Non-maintainer upload. + * Wrap __nss_files_fopen for getpwnam in glibc >= 2.32 (closes: #993946) + + -- Johannes Schauer Marin Rodrigues <jo...@debian.org> Thu, 09 Sep 2021 19:50:34 +0200 + fakechroot (2.19-3.4) unstable; urgency=medium * Non-maintainer upload. diff -Nru fakechroot-2.19/debian/patches/0001-Wrap-__nss_files_fopen-for-getpwnam-in-glibc-2.32.patch fakechroot-2.19/debian/patches/0001-Wrap-__nss_files_fopen-for-getpwnam-in-glibc-2.32.patch --- fakechroot-2.19/debian/patches/0001-Wrap-__nss_files_fopen-for-getpwnam-in-glibc-2.32.patch 1970-01-01 01:00:00.000000000 +0100 +++ fakechroot-2.19/debian/patches/0001-Wrap-__nss_files_fopen-for-getpwnam-in-glibc-2.32.patch 2021-09-09 19:48:29.000000000 +0200 
@@ -0,0 +1,112 @@ +From 14ab1b7910bf080b715d8ae846f8fc24b72823ed Mon Sep 17 00:00:00 2001 +From: Johannes Schauer Marin Rodrigues <jo...@mister-muffin.de> +Date: Thu, 9 Sep 2021 18:21:07 +0200 +Subject: [PATCH] Wrap __nss_files_fopen for getpwnam in glibc >= 2.32 + +Starting with glibc 2.32 the compat nss module for getpwnam calls +__nss_files_fopen (which is a GLIBC_PRIVATE symbol provided by glibc) +instead of fopen (see 299210c1fa67e2dfb564475986fce11cd33db9ad). This +leads to getpwnam calls accessing /etc/passwd from *outside* the chroot +and as a result programs like adduser do not work correctly anymore +under fakechroot. + +Adhemerval Zanella (azanella) argued on IRC: + + > But another problem is the ship has sailed, so there are nss modules that + > will bind to an external symbol. And there is not much we can do about + > it. And since nss modules are most compat, I am not sure community will + > be willing to move back. I think it will be better to add the interpose + > logic of private symbols on fakechroot instead, it is ugly but it is + > better than messing even more with the nss interface. + +Thus, instead of changing glibc, we instead wrap __nss_files_fopen. 
+--- + configure.ac | 1 + + src/Makefile.am | 1 + + src/__nss_files_fopen.c | 60 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 62 insertions(+) + create mode 100644 src/__nss_files_fopen.c + +--- a/configure.ac ++++ b/configure.ac +@@ -134,6 +134,7 @@ AC_CHECK_FUNCS(m4_normalize([ + __getwd_chk + __lxstat + __lxstat64 ++ __nss_files_fopen + __open + __open_2 + __open64 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -7,6 +7,7 @@ libfakechroot_la_SOURCES = \ + __lxstat.c \ + __lxstat64.c \ + __lxstat64.h \ ++ __nss_files_fopen.c \ + __open.c \ + __open64.c \ + __open64_2.c \ +--- /dev/null ++++ b/src/__nss_files_fopen.c +@@ -0,0 +1,60 @@ ++/* ++ libfakechroot -- fake chroot environment ++ Copyright (c) 2010, 2013 Piotr Roszatycki <dex...@debian.org> ++ ++ This library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ This library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with this library; if not, write to the Free Software ++ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++*/ ++ ++ ++#include <config.h> ++ ++/* ++ * Starting with glibc 2.32 the compat nss module for getpwnam calls ++ * __nss_files_fopen (which is a GLIBC_PRIVATE symbol provided by glibc) ++ * instead of fopen (see 299210c1fa67e2dfb564475986fce11cd33db9ad). This ++ * leads to getpwnam calls accessing /etc/passwd from *outside* the chroot ++ * and as a result programs like adduser do not work correctly anymore ++ * under fakechroot. 
++ * ++ * Adhemerval Zanella (azanella) argued on IRC: ++ * ++ * > But another problem is the ship has sailed, so there are nss modules that ++ * > will bind to an external symbol. And there is not much we can do about ++ * > it. And since nss modules are most compat, I am not sure community will ++ * > be willing to move back. I think it will be better to add the interpose ++ * > logic of private symbols on fakechroot instead, it is ugly but it is ++ * > better than messing even more with the nss interface. ++ * ++ * Thus, instead of changing glibc, we instead wrap __nss_files_fopen. ++ * ++ */ ++#ifdef HAVE___NSS_FILES_FOPEN ++ ++#include <stdio.h> ++#include "libfakechroot.h" ++ ++ ++wrapper(__nss_files_fopen, FILE *, (const char * path)) ++{ ++ char fakechroot_abspath[FAKECHROOT_PATH_MAX]; ++ char fakechroot_buf[FAKECHROOT_PATH_MAX]; ++ debug("__nss_files_fopen(\"%s\")", path); ++ expand_chroot_path(path); ++ return nextcall(__nss_files_fopen)(path); ++} ++ ++#else ++typedef int empty_translation_unit; ++#endif diff -Nru fakechroot-2.19/debian/patches/series fakechroot-2.19/debian/patches/series --- fakechroot-2.19/debian/patches/series 2021-08-17 10:54:16.000000000 +0200 +++ fakechroot-2.19/debian/patches/series 2021-09-09 19:48:17.000000000 +0200 @@ -2,3 +2,4 @@ disable-jemalloc-test 0001-New-statx-function.patch 0001-src-lckpwdf.c-create-an-empty-etc-.pwd.lock.patch +0001-Wrap-__nss_files_fopen-for-getpwnam-in-glibc-2.32.patch
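Review bot: in src/__nss_files_fopen.c the wrapper hard-codes the prototype of a GLIBC_PRIVATE symbol as `FILE *` with a single `const char * path` argument, and nothing in the file records which glibc release that prototype was checked against. Private symbols carry no ABI promise, so a later glibc could change the argument list while the symbol name stays the same, and the interposed wrapper would then be called with a mismatched signature. I would add a short comment next to `wrapper(__nss_files_fopen, ...)` naming the glibc version the prototype was taken from (the commit message already cites 299210c1fa67e2dfb564475986fce11cd33db9ad), and trim the long block comment, which repeats the commit message verbatim. The new file's header also reads "Copyright (c) 2010, 2013 Piotr Roszatycki" although the file is created by this 2021 patch; worth confirming that this is intended.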
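Review bot: the configure.ac hunk makes the fix depend on build-time detection only. `__nss_files_fopen` is added to `AC_CHECK_FUNCS`, and src/__nss_files_fopen.c falls back to `typedef int empty_translation_unit;` when `HAVE___NSS_FILES_FOPEN` is not defined, so a libfakechroot built against a glibc older than 2.32 contains no wrapper at all. If that binary is later run on top of glibc >= 2.32, getpwnam would again read /etc/passwd from outside the chroot, with no diagnostic. Please state in the commit message or the changelog entry that the package has to be rebuilt against the newer glibc for the fix to take effect.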
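Review bot: the diffstat lists only configure.ac, src/Makefile.am and src/__nss_files_fopen.c, so the regression described in the commit message (getpwnam resolving users from the /etc/passwd outside the chroot, adduser no longer working) has no test. A test that creates a user entry only in the chroot's /etc/passwd and looks it up through getpwnam (for example with `getent passwd`) under fakechroot would catch the next time glibc moves the NSS file access to another private symbol.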