[Pkg-shadow-devel] Bug#791661: support for alternative passwd location (i.e. libnss-extrausers)

Oliver Grawert ogra at ubuntu.com
Mon Jan 23 17:24:36 UTC 2017


hi,
On Fri, 18 Sep 2015 10:27:11 +0100 Dimitri John Ledkov
<dimitri.j.ledkov at intel.com> wrote:
> Hello,
> 
> On 18 September 2015 at 08:13, Michael Vogt <mvo at ubuntu.com> wrote:
> > Hi,
> >
> > looks like the actual patches are missing for some reason. Attached
> > are the two patches that add support for libnss-extrausers.
> >
> 
> These patches look weird. Are these used to manipulate
> /var/lib/extrausers/* ? and why not use systemd-sysusers for that?
> 
> E.g. in clearlinux.org we have sysusers.d config files, which at build
> time are used to generate {passwd,group,shadow,...}
> 
> The patches that we have for shadow (and I believe I have even
> published some of them) go further - that is they load information
> from both databases and allow manipulating it. Such that kvm group is
> defined in altfiles location, yet one can still add users to said
> group. In those patches a lookup is done to alternative location, and
> the entry is copied across into the writable /etc/group, if one wants
> custom user accounts to be added into a "system" group. There we use
> libnss-altfiles modules.
> 
> Could you please elaborate how this patch fits together and is used in
> Ubuntu / snappy? If it's never interactive, why not use
> systemd-sysusers support then?

sadly this would not work with ubuntu-core/snappy since
passwd/group/shadow are read only inside a squashfs. they have to stay 
this way since the UIDs/GIDs will need to match for the lifetime of the
device (alternatively, to prevent filesystem permission problems we
would have to walk the whole file system to update IDs in the rw parts
every time the read only rootfs gets updated which is rather ... ugh
... ).

we add dynamic users and groups (even system ones) for additionally
installed snap packages that are not bound to the core snap squashfs to
the extrausers db dynamically.

the decision for extrausers was actually made based on the fact that
many internal debian servers seemed to use it for user mgmt back then,
so we had hope that added support for extrausers management in the
tools would be easily accepted and debian would benefit from it
alongside.

by the looks of it sysusers.d will not support adding non-system users
(which we would want) and will also not be able to keep the IDs locked
down (beyond the fact that the default password db files need to be rw)
so in the ubuntu snappy case this is a no-go.

ciao
	oli
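
Added example, not part of the original message and not code from shadow or libnss-extrausers: a consistency check between the read-only base passwd and the writable extrausers passwd (under /var/lib/extrausers) discussed above. It assumes NSS consults the base files before extrausers; the function names and all sample entries are constructed for illustration.

```python
# Added example. Sample data is constructed, not taken from a real system.
# Assumption: NSS consults the base files before extrausers, so the base
# entry wins whenever both databases can answer the same lookup.
BASE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
EXTRA_PASSWD = """\
snapsvc:x:2000:2000::/nonexistent:/bin/false
daemon:x:1001:1001::/home/daemon:/bin/sh
toor:x:0:0::/root:/bin/sh
operator:x:1:1::/home/operator:/bin/sh
broken-line-without-fields
"""

def parse_passwd(text):
    """Parse passwd(5) text into (name, uid) pairs; uid is None if malformed."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            entries.append((fields[0], int(fields[2]) if len(fields) == 7 else None))
        except ValueError:
            entries.append((fields[0], None))
    return entries

def audit_extrausers(base_text, extra_text):
    """Return (kind, name, uid) findings for the writable database, sorted."""
    base = parse_passwd(base_text)
    base_names = {name for name, _ in base}
    base_uids = {uid for _, uid in base}
    findings = []
    for name, uid in parse_passwd(extra_text):
        if uid is None or uid < 0:
            findings.append(("malformed", name, uid))
            continue
        if name in base_names:   # lookups by name never reach this entry
            findings.append(("shadowed-name", name, uid))
        if uid == 0:             # root-equivalent account in the writable db
            findings.append(("uid-zero", name, uid))
        elif uid in base_uids:   # aliases a base account's file ownership
            findings.append(("uid-collision", name, uid))
    return sorted(findings, key=lambda f: (f[0], f[1]))
```
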