Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

useradd seems not to properly respect documented --root option (subid problems when building with mock) #897

Open
mhjacks opened this issue Jan 9, 2024 · 8 comments
Open

useradd seems not to properly respect documented --root option (subid problems when building with mock) #897

mhjacks opened this issue Jan 9, 2024 · 8 comments

Comments

@mhjacks
Copy link

mhjacks commented Jan 9, 2024

https://bugzilla.redhat.com/show_bug.cgi?id=2257452

When using mock on a FreeIPA-enrolled system where FreeIPA is managing subids, the configuration of how subids should be looked up will almost certainly differ between the host and the chroot. (In my case, the chroot should NOT be using FreeIPA for subid lookup, but the strace shows that it is doing so).

Attached is an strace file that runs the command as mock would that indicates the problem.

At issue in particular is this statement in the useradd manpage:

-R, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the configuration files from the
           CHROOT_DIR directory. Only absolute paths are supported.

What appears to be happening is that the host config is "leaking" into the chroot, at least when the subid lookup is done.
@mhjacks
Copy link
Author

mhjacks commented Jan 9, 2024

strace.txt

@ikerexxe ikerexxe mentioned this issue Jan 10, 2024
Closed
@ikerexxe
Copy link
Collaborator

@hallyn do you agree that in a chroot environment the subid lookup should be done according to the configuration from this chroot environment?

@mhjacks
Copy link
Author

mhjacks commented Jan 10, 2024

I wonder - looking at

shadow/lib/root_flag.c

Line 70 in 4c0c7c5

static void change_root (const char* newroot)
should the code nss_init or something like that to pick up the new chroot's configuration?

@praiskup
Copy link

Indeed, I'd vote for fixing this. Calling shadow-utils with --root shouldn't leak any configuration from host ; at least from the Mock's perspective, it would be nice. We use the utilities barely to modify /<chroot>/etc/group and /<chroot>/etc/passwd files. I'd like to comment more on this subuid, but there seems to be yet another related problem with the --root option (so Mock currently uses --prefix).

@ikerexxe
Copy link
Collaborator

Indeed, I'd vote for fixing this. Calling shadow-utils with --root shouldn't leak any configuration from host ; at least from the Mock's perspective, it would be nice. We use the utilities barely to modify /<chroot>/etc/group and /<chroot>/etc/passwd files. I'd like to comment more on this subuid, but there seems to be yet another related problem with the --root option (so Mock currently uses --prefix).

It seems like useradd --root tries to modify /etc/group instead of /chroot/etc/group. Can you open a ticket for it?

@praiskup
Copy link

praiskup commented Feb 7, 2024

@ikerexxe I finally got to reporting this problem, sorry for the delay. But this seems like a SELinux-related problem.

@ikerexxe
Copy link
Collaborator

ikerexxe commented Feb 7, 2024

Perfect! I will take a look in the following days. Thank you.

@hallyn
Copy link
Member

hallyn commented Jul 26, 2024

@hallyn do you agree that in a chroot environment the subid lookup should be done according to the configuration from this chroot environment?

yup

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hallyn @ikerexxe @praiskup @mhjacks