firstlogin script fails because /root is not readable in new VMs

Bug #378862 reported by Owen Jacobson
This bug affects 11 people
Affects    Status     Importance  Assigned to  Milestone
VMBuilder  Confirmed  Low         Unassigned

Bug Description

Since upgrading to Jaunty, newly-created VMs have /root set 0700 (which is probably correct). However, /etc/bash.bashrc assumes that the current user has read access to /root/firstlogin_done and to the firstlogin script. The firstlogin script is attempted at every login, regardless of whether it's been run before, and the script itself can only be run by hand (sudo /root/firstlogin.sh).

STR:

1. cat > firstlogin.sh
echo "Hello, world!"
^D
and chmod +x firstlogin.sh
2. sudo vmbuilder kvm ubuntu --suite jaunty --flavour virtual --firstlogin=firstlogin.sh --addpkg=openssh-server
3. Boot and log into the new VM.

Expected:

"Hello, world!" is printed on the first login, and subsequent logins do nothing.

Actual:

"Hello, world!" is never printed on login.
Every login prompts for the sudo password (for 'sudo touch /root/firstlogin_done').

Charles Hooper (chooper)
Changed in vmbuilder:
status: New → Confirmed
Charles Hooper (chooper) wrote :

The main problem here is that the vmbuilder script assumes that the first user who logs in will be root. While thinking about how to solve this problem, I realized that vmbuilder's --help is a little ambiguous:

    --firstlogin=PATH Specify a script that will be copied into the guest
                        and will be executed the first time the user logs in.
                        This script can be interactive.

I have the following questions:

1) What does it mean by "the user"? The user defined in --user? Any user? Root?
2) Or does it mean "a user", which would mean the script should be invoked the first time _any_ user logs in. As in, not the first login per-machine, but the first login per-user. Due to permission issues, I do believe that this would actually be easier to implement.

Thoughts?

Owen Jacobson (owen-jacobson) wrote :

Thought 1: "Well, it used to work." Obviously, that's a pretty dumb justification, but that's what led me to raise this in the first place.

Thought 2: The instructions on the Ubuntu community wiki (https://help.ubuntu.com/community/JeOSVMBuilder#Finishing%20install%20on%20first%20boot%20and%20login) imply, but don't actually state outright, that the script will be run as whichever user happens to log in first. Up-file from there the tutorial also covers configuring vmbuilder to create a user, and the firstlogin script goes out of its way to use sudo for all administrative actions.

I'm aware that you can add an SSH key for root logins via the ubuntu plugin's ssh-key option. However, someone following the directions on the community wiki (like me, before I did my research :) is in for a rude surprise when the firstlogin script never fires.

The example firstlogin script also does some package installation, which is unlikely to fit well in a per-user firstlogin script. This is fairly close to what I'm doing, and having an enforced configuration stage for stuff that's either difficult or impossible to configure via templates or packages during VM creation (for example, configuring VMs to act as LDAP auth clients, which is what I'm doing) that happens once, the first time you interact with the VM, is pretty useful.

Charles Hooper (chooper) wrote :

A possible solution is to move the firstlogin_done file outside of root's home directory (/root). Perhaps it should be moved to /etc or even in /var somewhere. Are there any reasons why this shouldn't happen?

Owen Jacobson (owen-jacobson) wrote :

Putting the script in a subdirectory of /usr/local/share or /usr/share seems like the right thing per the FHS. Storing the firstlogin-run flag file in /var/lib/misc seems equally like the right thing. I'm leery of putting runnable objects (even scripts) in /etc, but there's some precedent for it (/etc/bash.bashrc and friends, which is exactly how firstlogin works anyways).

Doesn't Debian or Ubuntu have a mechanism for this? Or do we live in the future, where all packages do everything they need in postinst or on first startup?

Owen Jacobson (owen-jacobson) wrote :

Oof. What was I thinking? Of course there are scripts in /etc: /etc/init.d is full of them, as well as /etc/cron.d. Objection retracted; putting the firstlogin script in there somewhere seems fine too.

Charles Hooper (chooper) wrote :

Based on this thread we should:
* Place firstlogin script in /usr/local/share/firstlogin
* Place flag file in /var/lib/misc - User will need sudo access

Based on the sudo requirement, is it appropriate to *not* execute the first login script if the user logging in does not have sudo access? (And then there's the possibility of a modified sudoers file that could let any user create the flag file)
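
The layout proposed in this thread (script under /usr/local/share/firstlogin, flag file under /var/lib/misc), sketched as a login hook. This is an added example, not VMBuilder's own code; the firstlogin.sh file name under that directory, the FIRSTLOGIN_* variables and the function names are assumptions. It reports separately the case from the bug description where the flag's directory cannot be searched by the user logging in, which a plain existence test cannot tell apart from "not run yet".

```shell
# Added example (not VMBuilder code). Paths follow the thread's proposal and
# can be overridden; variable and function names are hypothetical.
FIRSTLOGIN_SCRIPT="${FIRSTLOGIN_SCRIPT:-/usr/local/share/firstlogin/firstlogin.sh}"
FIRSTLOGIN_FLAG="${FIRSTLOGIN_FLAG:-/var/lib/misc/firstlogin_done}"
# Command that creates the flag; /var/lib/misc is root-owned, hence sudo.
FIRSTLOGIN_MARK="${FIRSTLOGIN_MARK:-sudo touch}"

# Print what the hook should do for the current user:
#   unreadable  flag directory cannot be searched (the /root 0700 case)
#   done        flag exists, the script has already run
#   missing     script is absent or not readable by this user
#   run         first login, script should run
firstlogin_state() {
    flag_dir=$(dirname -- "$FIRSTLOGIN_FLAG")
    if [ ! -x "$flag_dir" ]; then echo unreadable; return 0; fi
    if [ -e "$FIRSTLOGIN_FLAG" ]; then echo done; return 0; fi
    if [ ! -r "$FIRSTLOGIN_SCRIPT" ]; then echo missing; return 0; fi
    echo run
}

# Run the script once. The flag is written only after the script succeeds,
# so a failed or aborted run is retried at the next login. In every other
# state the hook stays silent and never prompts for a password.
firstlogin_hook() {
    case "$(firstlogin_state)" in
        run)
            if sh "$FIRSTLOGIN_SCRIPT"; then
                # Unquoted on purpose: "sudo touch" must split into two words.
                $FIRSTLOGIN_MARK "$FIRSTLOGIN_FLAG"
            fi
            ;;
        *)
            return 0
            ;;
    esac
}

# In /etc/bash.bashrc the hook would be invoked with a final line:
#   firstlogin_hook
```
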

Iain Lowe (ilowe) wrote :

The purpose of the firstlogin script seems to me to be to perform a series of initial system configuration tasks that require user interaction. I think that no user unable to execute the script should be able to login before the script has run since the person logging in should have the wherewithal to handle any decision-making processes required.

Allowing "regular" users to login before the script has run might leave the system in a semi-configured state that would not be helpful for those users.

The modified sudoers file would work but, again, there is no guarantee that the first user to log in will actually be able to make the right decisions during the script's execution.

Soren Hansen (soren)
Changed in vmbuilder:
importance: Undecided → Low
Ryan Davies (ryan-professional) wrote :

Is this going to be fixed anytime soon?

It's a rather large annoyance to have to patch the vmbuilder scripts every time there is an update because my newly created machines don't preconfigure themselves as they should.

Xavier L. (xav0989) wrote :

Just throwing an idea out there, would it be possible to change firstlogin so that it only applies to the user specified by the --user parameter (or ubuntu)? That way we could simply put the first_login script in that user's home dir.

Terry Duncan (terry-s-duncan) wrote :

This problem still exists in 12.04 and has been open for three years. Is anyone going to fix it? It would take all of about 10 minutes to fix.

phil (fongpwf) wrote :

What's the 10 minute fix?
I just tried creating a vm with a firstlogin script and hit this bug.
Every shell that starts prompts for the password. I don't think the firstlogin script even runs since it too is in /root and thus inaccessible.

Kelvin Middleton (kelvin-middleton) wrote :

Hey guys, is vmbuilder still under active dev? I've just started using it and have hit 3 bugs, all of which seem to have a well documented history with no fix. Have just hit this problem myself on my 12.04 server, found the --iso problem yesterday and last week found the problem using --raw to an lvm. Has vmb been deprecated in favour of something else I haven't found yet?
