Re: [gentoo-dev] [PATCH] user.eclass: die if hard coded UID or GID is already in use

[Robin H. Johnson]

On Mon, May 27, 2019 at 08:44:09PM -0400, Mike Gilbert wrote:
> On Mon, May 27, 2019 at 11:45 AM William Hubbs  wrote:
> >
> > If a package hard codes the UID or GID when adding a user or group to
> > the system and that UID/GID already exists, we should abort rather than
> > changing the UID/GID.
> These functions have behaved this way for a long time.
Yes, I recall this breakage being raised even prior to GLEP27.

Some coverage of prior work firstly.
2003/May: eid_database [1]
2004/May: GLEP27 [2]
2006/Summer: GSOC Project for GLEP27 implementation [3]
Later: Creandus [4][5]

[1] https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-src/eid_database/
[2] https://www.gentoo.org/glep/glep-0027.html
[3] 
https://github.com/creandus/creandus.github.com/blob/master/glep27-proposal.txt
[4] https://github.com/creandus/
[5] http://creandus.github.io/

> What problem are you trying to solve here?
Specifically:
1. Package A is emerged, and the ebuild specifies enewuser/enewgroup
with -1 as the numeric input, and some user or group is created with
value X.
2.  Package B is emerged, and the ebuild specifies enewuser/enewgroup
with a fixed UID/GID value Y && explicitly depends on having that
specific value.

If X == Y, then the actual outcome is that B gets dynamic allocation of
the UID/GID values, rather than the intended fixed values, and can
break. It also goes against the intent of passing a fixed value in the
first place!

Debian's solution [6][7] here is to have separate numeric ranges for
statically assigned values vs dynamically assigned values, so that they
will never conflict.

This does still run into trouble for some cases where multiple systems
want the same user/group to have the same numeric value, typically where
something is being shared (user databases, files).

I used to know RedHat's solution as well, but I can't remember any
details of it at the moment.

I'd like to accept WilliamH's patch as-is, and then add an additional
patch that moves the range of dynamically allocated users such that it
does not conflict.

[6] https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction
[7] https://salsa.debian.org/debian/base-passwd

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136


signature.asc
Description: PGP signature

Re: [gentoo-dev] [PATCH] user.eclass: die if hard coded UID or GID is already in use

[Michał Górny]

On Mon, 2019-05-27 at 10:45 -0500, William Hubbs wrote:
> If a package hard codes the UID or GID when adding a user or group to
> the system and that UID/GID already exists, we should abort rather than
> changing the UID/GID.

I think the major usage of this argument is not to enforce a specific
UID/GID but to specify a 'preferred' UID/GID, i.e. somewhat attempt
to build Gentoo systems with stable UID/GIDs.  That's why it's non-
fatal.

I don't have a strong opinion on changing it.  I don't know if we have
any actual use cases where UID/GID needs to be enforced.

> ---
>  eclass/user.eclass | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/eclass/user.eclass b/eclass/user.eclass
> index f6a10a6bee2..0d0f9d9eb89 100644
> --- a/eclass/user.eclass
> +++ b/eclass/user.eclass
> @@ -130,7 +130,8 @@ enewuser() {
>   if [[ -n ${euid} && ${euid} != -1 ]] ; then
>   if [[ ${euid} -gt 0 ]] ; then
>   if [[ -n $(egetent passwd ${euid}) ]] ; then
> - euid="next"
> + eerror "UID is already taken"
> + die "user ${euser} needs a new UID"
>   fi
>   else
>   eerror "Userid given but is not greater than 0 !"
> @@ -290,7 +291,8 @@ enewgroup() {
>   if [[ ! -z ${egid} ]] ; then
>   if [[ ${egid} -gt 0 ]] ; then
>   if [[ -n $(egetent group ${egid}) ]] ; then
> - egid="next available; requested gid taken"
> + eerror "GID is already taken"
> + die "group ${egroup} needs a new GID"
>   fi
>   else
>   eerror "Groupid given but is not greater than 0 !"

-- 
Best regards,
Michał Górny



signature.asc
Description: This is a digitally signed message part

Re: [gentoo-portage-dev] [PATCH] Don't modify /etc/mtab from temporary namespaces

[Zac Medico]

On 5/27/19 1:23 PM, i.Dark_Templar wrote:
> These records are never removed and just pollute
> /etc/mtab if that's a regular file.
> And if /etc/mtab isn't a regular file,
> then attempts to modify it are pointless.
> ---
>  lib/portage/process.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/portage/process.py b/lib/portage/process.py
> index 0dba55de3..dfbda75de 100644
> --- a/lib/portage/process.py
> +++ b/lib/portage/process.py
> @@ -617,7 +617,7 @@ def _exec(binary, mycommand, opt_name, fd_pipes,
>   os._exit(1)
>   # mount new /proc for 
> our namespace
>   s = 
> subprocess.Popen(['mount',
> - '-t', 'proc', 
> 'proc', '/proc'])
> + '-n', '-t', 
> 'proc', 'proc', '/proc'])
>   mount_ret = s.wait()
>   if mount_ret != 0:
>   
> writemsg("Unable to mount new /proc: %d\n" % (mount_ret,),
> 

Thanks, merged:

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ee2e8e8d65713760f85664bcb004e67aed8228d3
-- 
Thanks,
Zac



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] [PATCH] user.eclass: die if hard coded UID or GID is already in use

[Mike Gilbert]

On Mon, May 27, 2019 at 11:45 AM William Hubbs  wrote:
>
> If a package hard codes the UID or GID when adding a user or group to
> the system and that UID/GID already exists, we should abort rather than
> changing the UID/GID.

These functions have behaved this way for a long time.

What problem are you trying to solve here?

[gentoo-portage-dev] [PATCH] Don't modify /etc/mtab from temporary namespaces

[i.Dark_Templar]

These records are never removed and just pollute
/etc/mtab if that's a regular file.
And if /etc/mtab isn't a regular file,
then attempts to modify it are pointless.
---
 lib/portage/process.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/portage/process.py b/lib/portage/process.py
index 0dba55de3..dfbda75de 100644
--- a/lib/portage/process.py
+++ b/lib/portage/process.py
@@ -617,7 +617,7 @@ def _exec(binary, mycommand, opt_name, fd_pipes,
os._exit(1)
# mount new /proc for 
our namespace
s = 
subprocess.Popen(['mount',
-   '-t', 'proc', 
'proc', '/proc'])
+   '-n', '-t', 
'proc', 'proc', '/proc'])
mount_ret = s.wait()
if mount_ret != 0:

writemsg("Unable to mount new /proc: %d\n" % (mount_ret,),
-- 
2.21.0

[gentoo-dev] [PATCH] user.eclass: die if hard coded UID or GID is already in use

[William Hubbs]

If a package hard codes the UID or GID when adding a user or group to
the system and that UID/GID already exists, we should abort rather than
changing the UID/GID.
---
 eclass/user.eclass | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index f6a10a6bee2..0d0f9d9eb89 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -130,7 +130,8 @@ enewuser() {
if [[ -n ${euid} && ${euid} != -1 ]] ; then
if [[ ${euid} -gt 0 ]] ; then
if [[ -n $(egetent passwd ${euid}) ]] ; then
-   euid="next"
+   eerror "UID is already taken"
+   die "user ${euser} needs a new UID"
fi
else
eerror "Userid given but is not greater than 0 !"
@@ -290,7 +291,8 @@ enewgroup() {
if [[ ! -z ${egid} ]] ; then
if [[ ${egid} -gt 0 ]] ; then
if [[ -n $(egetent group ${egid}) ]] ; then
-   egid="next available; requested gid taken"
+   eerror "GID is already taken"
+   die "group ${egroup} needs a new GID"
fi
else
eerror "Groupid given but is not greater than 0 !"
-- 
2.21.0