usermod --add-subuids fails for users not in /etc/passwd
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Canonical System Image |
High
|
Unassigned | ||
| | shadow (Ubuntu) |
High
|
Steve Langasek | ||
| | Vivid |
High
|
Unassigned | ||
Bug Description
[SRU justification]
The (distro patched) subuid/subgid support in the shadow 'usermod' command only works with users present in /etc/passwd. As /etc/subuid and /etc/subgid are separate databases that do not require modification of /etc/passwd, this is an unnecessary restriction that appears to be due to a simple logic bug in the patch and not as a deliberate design decision. As Ubuntu Touch and Ubuntu Snappy systems will as a class have users in different NSS backends from /etc/passwd, and lxc should be supported for these users with uid namespacing, this bug warrants fixing.
[Test case]
1. Install the libnss-extrausers package
2. Enable it by running "sudo sed -i -e'/passwd:/ s/$/ extrausers/' /etc/nsswitch.conf"
3. Create a test user by running "echo 'testuser:
4. Attempt to add subuids for this user by running "sudo usermod --add-subuids 10000-12000 testuser"
5. Confirm that this fails with the error message "usermod: user 'testuser' does not exist in /etc/passwd"
6. Install the new version of the 'passwd' package
7. Repeat the test from step 4
8. Confirm that the command now succeeds, and the user's entry has been added to /etc/subuid
9. Clean up by running 'sudo usermod --del-subuids 10000-12000 testuser" and removing the /var/lib/
[Regression potential]
This is a targeted bugfix in the behavior of usermod, and users are unlikely to be relying on the usermod command failing for non-local users.
[Original report]
currently we have need to utilize lxc on vivid+stable overlay which requires adding subuser & subgroup ids.
unfortunately, usermod currently fails since phablet password is readonly
Related branches
- Serge Hallyn: Approve on 2015-07-20
- Ubuntu branches: Pending requested 2015-07-17
-
Diff: 167 lines (+146/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/userns/subuids-nonlocal-users (+138/-0)
| Changed in canonical-devices-system-image: | |
| importance: | Undecided → High |
| Changed in shadow (Ubuntu): | |
| importance: | Undecided → High |
| summary: |
- changes to phablet to enable moduser on vivid+stable overlay ppa + usermod --add-subuids fails for users not in /etc/passwd |
| Steve Langasek (vorlon) wrote : | #1 |
| Serge Hallyn (serge-hallyn) wrote : | #2 |
Thanks, no objection from me.
| Changed in shadow (Ubuntu): | |
| status: | New → Triaged |
| description: | updated |
| description: | updated |
| Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package shadow - 1:4.1.5.
---------------
shadow (1:4.1.
* debian/
subuid/subgid support to local users. Closes LP: #1475749.
-- Steve Langasek <email address hidden> Mon, 20 Jul 2015 18:44:12 -0700
| Changed in shadow (Ubuntu): | |
| status: | Triaged → Fix Released |
Hello kevin, or anyone else affected,
Accepted shadow into vivid-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in shadow (Ubuntu Vivid): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed |
As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shadow from vivid-proposed was performed and bug 1493590 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-
| tags: | added: verification-failed |
| tags: |
added: bot-stop-nagging removed: verification-failed |
| tags: | added: verification-failed |
| tags: | removed: verification-failed |
| Changed in canonical-devices-system-image: | |
| status: | New → Fix Released |
| Changed in shadow (Ubuntu Vivid): | |
| importance: | Undecided → High |
| tags: |
added: vivid removed: bot-stop-nagging |
| Changed in shadow (Ubuntu Vivid): | |
| status: | Fix Committed → Confirmed |
| Serge Hallyn (serge-hallyn) wrote : | #7 |
(sorry, i msread the bug history)
| Changed in shadow (Ubuntu Vivid): | |
| status: | Confirmed → Fix Committed |
| Serge Hallyn (serge-hallyn) wrote : | #8 |
The test case in the Description passed cleanly for me (and failed without -proposed)
| tags: |
added: verification-done removed: verification-needed |
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package shadow - 1:4.1.5.
---------------
shadow (1:4.1.
* debian/
subuid/subgid support to local users. Closes LP: #1475749.
-- Steve Langasek <email address hidden> Mon, 20 Jul 2015 22:58:18 -0700
| Changed in shadow (Ubuntu Vivid): | |
| status: | Fix Committed → Fix Released |
| Chris J Arges (arges) wrote : Update Released | #10 |
The verification of the Stable Release Update for shadow has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
This appears to be an issue with the patches to shadow for subuid/subgid support. The --{add,
Assuming there's no policy reason why non-local users are disallowed from /etc/sub{uid,gid}, this is a simple fix. Cc:ing Serge Hallyn for comment, as he originally pulled these patches in.