shadow-maint/shadow

useradd seems not to properly respect documented --root option (subid problems when building with mock)

mhjacks opened this issue · 8 comments

https://bugzilla.redhat.com/show_bug.cgi?id=2257452

When using mock on a FreeIPA-enrolled system where FreeIPA is managing subids, the configuration of how subids should be looked up will almost certainly differ between the host and the chroot. (In my case, the chroot should NOT be using FreeIPA for subid lookup, but the strace shows that it is doing so).

Attached is an strace file that runs the command as mock would that indicates the problem.

At issue in particular is this statement in the useradd manpage:

-R, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the configuration files from the
           CHROOT_DIR directory. Only absolute paths are supported.

What appears to be happening is that the host config is "leaking" into the chroot, at least when the subid lookup is done.

@hallyn do you agree that in a chroot environment the subid lookup should be done according to the configuration from this chroot environment?

I wonder - looking at

static void change_root (const char* newroot)
should the code call nss_init or something like that to pick up the new chroot's configuration?

Indeed, I'd vote for fixing this. Calling shadow-utils with --root shouldn't leak any configuration from host; at least from the Mock's perspective, it would be nice. We use the utilities barely to modify /<chroot>/etc/group and /<chroot>/etc/passwd files. I'd like to comment more on this subuid, but there seems to be yet another related problem with the --root option (so Mock currently uses --prefix).

It seems like useradd --root tries to modify /etc/group instead of /chroot/etc/group. Can you open a ticket for it?

@ikerexxe I finally got to reporting this problem, sorry for the delay. But this seems like a SELinux-related problem.

Perfect! I will take a look in the following days. Thank you.
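
A way to check whether a host and a chroot are configured to look up subids differently, which is the precondition for the leak reported in this issue. This is an added example, not code from shadow, mock, or any participant in the thread. It assumes the subid source is named on a `subid:` line in `<root>/etc/nsswitch.conf` and that a missing line means the local files are used; the function names and the sample roots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not shadow or mock code). Assumption: the subid NSS source
# is named on a "subid:" line in <root>/etc/nsswitch.conf, and a missing
# line means the local files (/etc/subuid, /etc/subgid) are used.

# Print the subid sources configured under the given root directory.
subid_sources() {
    conf="$1/etc/nsswitch.conf"
    src=""
    if [ -r "$conf" ]; then
        # Drop comments, keep only the first "subid:" line, trim whitespace.
        src=$(sed -n 's/#.*//; s/^[[:space:]]*subid:[[:space:]]*//p' "$conf" \
              | head -n 1 | sed 's/[[:space:]]*$//')
    fi
    [ -n "$src" ] || src="files"
    printf '%s\n' "$src"
}

# Return 0 (and print both settings) when the chroot's subid lookup
# configuration differs from the host's, 1 when they match.
subid_lookup_differs() {
    host_src=$(subid_sources "$1")
    guest_src=$(subid_sources "$2")
    [ "$host_src" != "$guest_src" ] || return 1
    printf 'host subid:   %s\nchroot subid: %s\n' "$host_src" "$guest_src"
}

# Constructed sample roots: a host whose subids come from sss, and a
# chroot with no subid line at all.
demo=$(mktemp -d)
mkdir -p "$demo/host/etc" "$demo/chroot/etc"
printf 'passwd: files sss\nsubid:  sss  # constructed\n' > "$demo/host/etc/nsswitch.conf"
printf 'passwd: files\n' > "$demo/chroot/etc/nsswitch.conf"

if subid_lookup_differs "$demo/host" "$demo/chroot"; then
    echo "useradd --root should follow the chroot setting, not the host one"
fi
```

When the two settings differ, an strace of `useradd --root` like the one attached to the issue shows which of them the tool actually followed.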