adduser should support managing additional password/shadow/group files from libnss-extrausers

Bug #1323732 reported by Oliver Grawert on 2014-05-27
This bug affects 8 people
Affects: adduser (Debian) | Status: Confirmed | Importance: Unknown
Affects: adduser (Ubuntu) | Importance: High | Assigned to: Steve Langasek
Affects: Vivid | Importance: Undecided | Assigned to: Unassigned

Bug Description

With our read-only system-image setup, adding a user or changing a password using /etc/{passwd,shadow,group} is not actually possible.
We plan to solve this by using libnss-extrausers and patching the config in /etc/nsswitch.conf at image build time. This way we can make /var/lib/extrausers writable and use passwd, shadow and group from there.

Unfortunately, adduser is not able to operate on these files in the non-standard location. To set a user password (for having a properly working lock screen), add new users or drop the "nopasswordlogin" group from the phablet user, it needs to learn to handle these files so that we do not need to use weird hacks to manage users on system-image installs.

Oliver Grawert (ogra) on 2014-05-27
Changed in adduser (Ubuntu):
importance: Undecided → High
assignee: nobody → Steve Langasek (vorlon)
Michael Terry (mterry) wrote :

Poke on this. We'd like to land support for using PAM on the phone within the next few weeks.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adduser (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon) on 2014-07-07
Changed in adduser (Ubuntu):
milestone: none → ubuntu-14.07
Michael Vogt (mvo) on 2015-07-02
Changed in adduser (Ubuntu):
status: Confirmed → In Progress
Dimitri John Ledkov (xnox) wrote :

Hm. I don't think I like this patch =)

In Clearlinux.org we use nss-altfiles, not the extrausers project. And I have extensively patched shadow to support altfiles. Ideally I would like that support to be reviewed and landed upstream. Specifically, all system accounts & groups are defined in altfiles, yet one can do things like "add this system account to this system group", in which case the relevant stanzas from the system data files are copied and stored in files under /etc/.

Can we merge this support in shadow? At the moment it seems like clearlinux.org, Ubuntu (snappy) and Fedora (atomic) are using altfiles/extrausers, and all would want proper support in shadow for setups with split system-provided accounts & user/admin-modified accounts.

Oliver Grawert (ogra) wrote :

Does nss-altfiles allow us to keep a read-only, locked-down /etc/passwd|shadow|group|gshadow? It is pretty essential that adduser cannot change system accounts that are in one of the above files in our read-only setup. Can nss-altfiles provide such a level of lockdown?
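An added example, not part of the thread or of adduser: a small audit for the split layout from the bug description (read-only /etc files plus a writable /var/lib/extrausers) that checks the lockdown concern raised in the comment above. It assumes the NSS service is named `extrausers` in /etc/nsswitch.conf; the function names are hypothetical and the sample data is constructed.

```python
"""Audit an extrausers layout. Added example; all sample data below is constructed."""
DATABASES = ("passwd", "group", "shadow")

def check_nsswitch(text):
    """Flag databases where extrausers is missing or listed ahead of the /etc source."""
    seen, findings = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            # Drop action items such as [NOTFOUND=return]; keep service names only.
            seen[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    for db in DATABASES:
        sources = seen.get(db, [])
        if "extrausers" not in sources:
            findings.append(f"{db}: extrausers not configured")
        elif sources[0] == "extrausers":
            findings.append(f"{db}: extrausers listed first, ahead of the /etc source")
    return findings

def parse_passwd(text):
    """Return (name, uid) pairs from passwd(5)-format text, skipping malformed lines."""
    fields = (line.split(":") for line in text.splitlines())
    return [(f[0], int(f[2])) for f in fields if len(f) == 7 and f[2].isdigit()]

def check_extra_passwd(system_text, extra_text):
    """Flag writable-database entries that alias an account from the read-only file."""
    system = parse_passwd(system_text)
    sys_names = {name for name, _ in system}
    sys_uids = {uid for _, uid in system}
    findings = []
    for name, uid in parse_passwd(extra_text):
        if name in sys_names:
            findings.append(f"{name}: name also defined in /etc/passwd")
        if uid in sys_uids:
            findings.append(f"{name}: uid {uid} collides with a system account")
    return findings

# Constructed sample input (not from a real image).
NSSWITCH = "passwd: compat extrausers\ngroup: extrausers compat\nshadow: compat\n"
SYSTEM_PASSWD = "root:x:0:0:root:/root:/bin/bash\nphablet:x:1000:1000::/home/phablet:/bin/bash\n"
EXTRA_PASSWD = ("alice:x:1001:1001::/home/alice:/bin/bash\n"
                "backup2:x:0:0::/root:/bin/sh\n"
                "phablet:x:1002:1002::/home/phablet:/bin/bash\n")

if __name__ == "__main__":
    for finding in check_nsswitch(NSSWITCH) + check_extra_passwd(SYSTEM_PASSWD, EXTRA_PASSWD):
        print(finding)
```

On a real image the three strings would be read from /etc/nsswitch.conf, /etc/passwd and /var/lib/extrausers/passwd.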

Michael Vogt (mvo) on 2015-07-07
Changed in adduser (Ubuntu):
status: In Progress → Fix Released
Changed in adduser (Debian):
status: Unknown → New
Steve Langasek (vorlon) wrote :

Once the dust has settled on the implementation, I think we want to look at whether this is SRUable to vivid for use in core and phone there.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adduser (Ubuntu Vivid):
status: New → Confirmed
Changed in adduser (Debian):
status: New → Confirmed