[SRU] Please support group manipulation with "extrausers"
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
shadow (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Impish |
Won't Fix
|
Low
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* In order to use the microk8s snap in Ubuntu Core, one currently needs to be root. This is far from optimal, since normally (on desktop and server installations) this is not necessary.
* This make it hard to provide consistent documentation on microk8s across all supported device, if we have to take the "sudo" command into account, and how file permissions for generated files might be affected.
[Test Plan]
The issue can be reproduced on Ubuntu Core 18, 20 and 22. The steps are as following (replace "<uc.img>" with the actual path of your Ubuntu Core image file:
qemu-
-netdev user,id=
-device virtio-
-drive file=<uc.
After configuring your account, connect to youd device via SSH:
ssh <user>@localhost -p 8022
And issue these commands
sudo snap install microk8s --channel=
# microk8s is going to eat up all your disk space, so stop it as soon
# as the prompt comes back:
sudo microk8s stop
# Add your user to the microk8s group
sudo usermod -G snap_microk8s $(whoami)
The last command will fail unless this bug is fixed. If the bug is fixed, the command will succeed, and after logging out and in again, you can verify that you've been added to the snap_microk8s group by running the "groups" command.
[Where problems could occur]
* The patch only touches error code paths and adds a fallback mechanism in them. Therefore, "normal" operations, where these commands would have succeeded before, will not be affected at all.
* In those cases when usermod fails because it failed to find or load the requested user/group, we reset the user/group database paths to our writable user/group databases, and retry the operation. Note that the path for our database is hardcoded in the program source, so the security risk seems contained. We do not add additional command-line parameters.
[Other Info]
Original bug description
=======
Currently doing something like:
sudo usermod -a -G snap_microk8s dbeamonte
on a Ubuntu Core system will fail with
usermod: /etc/group.15965: Read-only file system
This is because the existing usermod patches to detect
the extrausers file do not cover this case. Attached
a simple patch that enables it. I will give this patch
a test run in our image PPA for jammy and if things look
good I would like upload to 22.04 and SRU for 20.04 and
18.04.
tags: | added: patch |
description: | updated |
description: | updated |
Changed in shadow (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in shadow (Ubuntu Focal): | |
status: | New → In Progress |
tags: |
added: verification-done removed: verification-needed |
I tested a newer version of the patch that Michael sent me, and I verify that it works properly :-)
I'm attaching it here; it includes changes to the 1015_add_ zsys_support. patch, but that's only as a result of a quilt refresh, since the patch did not apply cleanly anymore (since src/usermod.c was modified in our patch before).
I've been testing this on Focal.