Please create swtpm user/group

Bug #1949060 reported by Christian Ehrhardt 
This bug affects 1 person
Affects: swtpm (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

As outlined in bug 1948880, the intention is to utilize the user "swtpm" instead of "tss" to avoid too many permissions of "tss", which is in use in other places.

But I realized that dependencies using swtpm would mostly be to package "swtpm" and not "swtpm-tools".
Therefore I'd ask to have package swtpm to establish that user instead of swtpm-tools.

Furthermore (I'll flag that in the MIR bug 1948748) the postinst uses adduser without a dependency which is Build-Essential but not Essential and therefore needs a dependency.
Lintian:
  W: swtpm-tools: maintainer-script-needs-depends-on-adduser adduser [control/postinst:18] (does not satisfy adduser)

And while this will touch postinst, also as heads up:
  W: swtpm source: maintainer-script-lacks-debhelper-token debian/swtpm-tools.postinst

Steve Langasek (vorlon) wrote :

You have said in 1948748 that libvirt doesn't need swtpm-tools, but that was not my experience in testing on impish: through virt-manager, a VM with swtpm failed to initialize without the swtpm_setup command present, I had to install the swtpm-tools package to get it to work. So I don't think it's correct that things don't need a dependency on swtpm-tools, and if not, it doesn't seem necessary to move the user creation to the swtpm package.

Changed in swtpm (Ubuntu):
status: New → Incomplete

Christian Ehrhardt (paelzer) wrote :

Very interesting, thanks Steve.
I was going by grep through code, but what I thought to be internal names are in fact an abstraction to tool names.
I want to change my assertion to:
"It will need swtpm, swtpm_setup and swtpm_ioctl, and thereby both packages pkg:swtpm and pkg:swtpm-tools."

We will need to adapt the MIR to reflect that, I'll do that and re-review the src:swtpm part.

I now agree that it can stay with swtpm-helper, but for this bug it still remains to:
1. let the swtpm user/group creation happen
2. fix the adduser dependency
3. fix the debhelper token

summary: - establish user swtpm, by the base package
+ Please create swtpm user/group

Steve Langasek (vorlon) wrote :

-0ubuntu3 uploaded with these three changes.

NB I have not handled migrating permissions from the tss user to the swtpm user on upgrade from -0ubuntu[12]. The package has been in jammy for a handful of days so I haven't bothered - the upgrade handling could be added later if there are complaints.

Changed in swtpm (Ubuntu):
status: Incomplete → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.6.1-0ubuntu3

---------------
swtpm (0.6.1-0ubuntu3) jammy; urgency=medium

  * Don't use the tss user for swtpm, this overloads a user already used for
    physical tpm ACLs. LP: #1949060.
  * Add missing adduser dependency to swtpm-tools.
  * Add missing debhelper token to swtpm-tools.postinst.

 -- Steve Langasek <email address hidden> Thu, 28 Oct 2021 05:47:30 -0700

Changed in swtpm (Ubuntu):
status: Fix Committed → Fix Released
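
The three fixes tracked in this bug (a dedicated swtpm user/group, the adduser dependency, the debhelper token), sketched as a maintainer script. This is an added example, not the postinst shipped in the Ubuntu package; the function name, the adduser flags and the /nonexistent home directory are assumptions.

```shell
#!/bin/sh
# Added illustration: NOT the postinst shipped in the Ubuntu swtpm package.
# The binary package carrying this script must also declare, in debian/control:
#   Depends: adduser, ${misc:Depends}
# adduser is not an Essential package, so it is not guaranteed to be
# installed when this script runs (the Lintian tag
# maintainer-script-needs-depends-on-adduser quoted above).
set -e

# Create a system user plus same-named group, idempotently.
# Hypothetical helper; flags and home path are assumptions for this sketch.
ensure_system_account() {
    name="$1"
    if getent passwd "$name" >/dev/null; then
        return 0    # already present (upgrade or reinstall): leave untouched
    fi
    adduser --system --group --quiet \
            --home /nonexistent --no-create-home "$name"
}

case "${1:-}" in
    configure)
        # Dedicated account, so swtpm state is not owned by the "tss" user
        # that is also used for physical TPM ACLs.
        ensure_system_account swtpm
        ;;
esac

# debhelper replaces the token below with generated snippets at build time
# (the Lintian tag maintainer-script-lacks-debhelper-token quoted above).
#DEBHELPER#
```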