12-21-2009, 08:25 PM
Ahmed Ammar

emerge --root : users not created

On Tue, 2009-12-15 at 18:37 +0100, Peter Stuge wrote
> useradd is a C program and my idea is to make it use the chroot()
> system call. This system call changes the root directory for the
> calling process. The chroot utility uses this system call, and then
> executes a shell or other program inside the new root. The utility
> will of course not work cross platform.
>
> As long as the useradd C program does not rely on other executables
> at runtime, which I severely doubt considering the nature of the
> program, calling chroot() early in useradd would work regardless of
> what binaries, if any, are inside the new root dir. useradd only
> touches the user database text files.

Sounds like a simple enough idea. Patches welcome? Might be worth
looking at how Gentoo Prefix does it first though.

A.
 
12-21-2009, 08:29 PM
Ned Ludd

emerge --root : users not created

On Mon, 2009-12-21 at 23:25 +0200, Ahmed Ammar wrote:
> On Tue, 2009-12-15 at 18:37 +0100, Peter Stuge wrote
> > useradd is a C program and my idea is to make it use the chroot()
> > system call. This system call changes the root directory for the
> > calling process. The chroot utility uses this system call, and then
> > executes a shell or other program inside the new root. The utility
> > will of course not work cross platform.
> >
> > As long as the useradd C program does not rely on other executables
> > at runtime, which I severely doubt considering the nature of the
> > program, calling chroot() early in useradd would work regardless of
> > what binaries, if any, are inside the new root dir. useradd only
> > touches the user database text files.
>
> Sounds like a simple enough idea. Patches welcome? Might be worth
> looking at how Gentoo Prefix does it first though.


FYI. This is GLEP-0027 and it's not handled anywhere properly yet afaik.

http://www.gentoo.org/proj/en/glep/glep-0027.html


--
Ned Ludd <solar@gentoo.org>
Gentoo Linux
 
12-22-2009, 10:38 AM
Peter Stuge

emerge --root : users not created

Ned Ludd wrote:
> > > useradd is a C program and my idea is to make it use the chroot()
> > > system call.
> >
> > Sounds like a simple enough idea. Patches welcome? Might be worth
> > looking at how Gentoo Prefix does it first though.

I talked to upstream on freenode/#shadow and they welcome a patch for
adding --chroot

chroot() needs to happen really early since useradd and friends read
some configuration files to know e.g. which password encryption
method to use.


> FYI. This is GLEP-0027 and it's not handled anywhere properly yet
> afaik.
>
> http://www.gentoo.org/proj/en/glep/glep-0027.html

I like it, but how to deal with two packages that want the same
username but different settings such as home directory or shell?


//Peter
 
02-09-2010, 04:48 AM
"P. Levine"

emerge --root : users not created

2009/12/14 Sven Rebhan <odinshorse@...>
> The correct way to solve this would be to add an option to
> useradd, allowing to specify a passwd file other than /etc/passwd.
> Afterwards patch the corresponding eclass to use this option. Patches
> are welcome. ;-)
>
>> Quite annoying - workarounds would be highly appreciated!

I submitted a fix for this at http://bugs.gentoo.org/show_bug.cgi?id=302570

Shadow doesn't seem to allow a purely static build.
Busybox is purely self-contained, so I used that.
It works on my end but it could use some testing.

Any feedback is appreciated.
 
02-16-2010, 02:04 PM
"P. Levine"

emerge --root : users not created

Peter Stuge wrote:
> I talked to upstream on freenode/#shadow and they welcome a patch for
> adding --chroot
>
> chroot() needs to happen really early since useradd and friends read
> some configuration files to know e.g. which password encryption
> method to use.

Attached is a tentative patch to add a chroot flag to useradd and
groupadd (via --chroot or -R). It compiles and works on my end
(--chroot /usr/armv4tl-softfloat-linux-gnueabi) with various other flags
enabled. I'm hoping for others to test it and get some feedback before
I submit it to shadow upstream.

There do exist a couple of issues:

sysconf(_SC_NGROUPS_MAX) is called by useradd early on. This would
report the maximum allowable number of groups per user on the build
system, not the target. To my knowledge, this is set by the kernel and
would have to be used. However, this tends to be a very high number for
linux kernel >= 2.6.3 (65536) so it seems like a moot point (for linux
kernel >= 2.6.3).

There are a number of calls to "getXXbyYY" functions (i.e., getgrgid,
getpwnam, etc...). These seem to be dynamically preloaded and access
preloaded databases. They are unaffected by chroot() (even after
setting __nss_configure_lookup(foo, files)). I've instead used shadow's
own method of macro expansion to generate functions doing the
equivalent, with recursive calls to fgetXXent functions.

And PAM functionality doesn't work and has to be disabled while using
chroot(). I don't know very much about PAM. Would this be a problem?

Also, the chroot functionality could probably be easily extended to
other modules but I'm not sure if this would be acceptable upstream.

There are a couple of cosmetic changes I'm considering as well (such as
how --chroot flag is parsed).

-- Peter Levine
 
02-16-2010, 02:20 PM
"P. Levine"

emerge --root : users not created

On 02/16/2010 10:04 AM, P. Levine wrote:
> Peter Stuge wrote:
>> I talked to upstream on freenode/#shadow and they welcome a patch for
>> adding --chroot
>>
>> chroot() needs to happen really early since useradd and friends read
>> some configuration files to know e.g. which password encryption
>> method to use.
>
> Attached is a tentative patch to add a chroot flag to useradd and
> groupadd (via --chroot or -R). It compiles and works on my end
> (--chroot /usr/armv4tl-softfloat-linux-gnueabi) with various other flags
> enabled. I'm hoping for others to test it and get some feedback before
> I submit it to shadow upstream.
>
> There do exist a couple of issues:
>
> sysconf(_SC_NGROUPS_MAX) is called by useradd early on. This would
> report the maximum allowable number of groups per user on the build
> system, not the target. To my knowledge, this is set by the kernel and
> would have to be used. However, this tends to be a very high number for
> linux kernel >= 2.6.3 (65536) so it seems like a moot point (for linux
> kernel >= 2.6.3).
>
> There are a number of calls to "getXXbyYY" functions (i.e., getgrgid,
> getpwnam, etc...). These seem to be dynamically preloaded and access
> preloaded databases. They are unaffected by chroot() (even after
> setting __nss_configure_lookup(foo, files)). I've instead used shadow's
> own method of macro expansion to generate functions doing the
> equivalent, with recursive calls to fgetXXent functions.
>
> And PAM functionality doesn't work and has to be disabled while using
> chroot(). I don't know very much about PAM. Would this be a problem?
>
> Also, the chroot functionality could probably be easily extended to
> other modules but I'm not sure if this would be acceptable upstream.
>
> There are a couple of cosmetic changes I'm considering as well (such as
> how --chroot flag is parsed).
>
> -- Peter Levine

Sorry, wrong patch.

I've attached the correct one.

-- Peter Levine
 
02-16-2010, 02:56 PM
"P. Levine"

emerge --root : users not created

On 02/16/2010 10:04 AM, P. Levine wrote:
> Attached is a tentative patch to add a chroot flag to useradd and
> groupadd (via --chroot or -R).

Sorry, wrong patch.

I've attached the correct one.

-- Peter Levine
 
02-16-2010, 03:14 PM
"P. Levine"

emerge --root : users not created

On 02/16/2010 10:56 AM, P. Levine wrote:
> Sorry, wrong patch.
>
> I've attached the correct one.
>

Sorry for the reposts.
Problems on my end.

-- Peter Levine
 
02-22-2010, 01:41 PM
"P. Levine"

emerge --root : users not created

Attached is the final version of the chroot patch. I'll submit it in
the next few days.

It seems absurd to add support for chroot() in useradd and groupadd
without userdel and groupdel, so the patch includes support for them.
Also, to create a smaller footprint, I've combined all applicable
functions into one file. The downside is more complex macro expansions
(comments included, though), but it allows for a more integrated
interface (generated function xfgetXXbyYY calls generated functions
xfsetXXent, xfgetXXent, and xfendXXent), and less alteration of shadow's
own code.
PAM isn't a concern because chroot() only strictly works in a process
with an su uid. And a function to parse the chroot flag before any
others (leaving argv and argc in a pristine state) is included.

-- Peter Levine
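
The approach discussed in this thread, as an added example that is not the attached patch or shadow's own code: locate the chroot flag without modifying argv, enter the new root before any configuration file is read, and look users up with fgetpwent() on the passwd file instead of the NSS-backed getpwnam(). The names find_chroot_arg, enter_root and file_getpwnam are hypothetical, and accepting the --chroot=DIR spelling is an assumption.

```c
#define _DEFAULT_SOURCE  /* exposes chroot() and fgetpwent() on glibc */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Find -R DIR, --chroot DIR or --chroot=DIR without modifying argv. */
const char *find_chroot_arg(int argc, char *const argv[])
{
    for (int i = 1; i < argc && strcmp(argv[i], "--") != 0; i++) {
        if (strncmp(argv[i], "--chroot=", 9) == 0)
            return argv[i] + 9;
        if (!strcmp(argv[i], "-R") || !strcmp(argv[i], "--chroot"))
            return i + 1 < argc ? argv[i + 1] : NULL;
    }
    return NULL;
}

/* Enter the target root; chdir("/") keeps the working directory inside it. */
int enter_root(const char *dir)
{
    return chroot(dir) != 0 ? -1 : chdir("/");
}

/* getpwnam() replacement: reads one passwd-format file via fgetpwent(),
 * bypassing NSS. Returns 0 and fills *out on a match, -1 otherwise. */
int file_getpwnam(const char *path, const char *name, struct passwd *out)
{
    FILE *fp = fopen(path, "r");
    struct passwd *pw = NULL;
    if (fp == NULL)
        return -1;
    while ((pw = fgetpwent(fp)) != NULL && strcmp(pw->pw_name, name) != 0)
        ;
    if (pw != NULL)
        *out = *pw;              /* strings point into libc static storage */
    fclose(fp);
    return pw != NULL ? 0 : -1;
}

int main(int argc, char *argv[])
{
    const char *root = find_chroot_arg(argc, argv);
    struct passwd pw;
    if (root != NULL && enter_root(root) != 0) {
        perror("chroot");        /* chroot() requires root privileges */
        return 1;
    }
    return file_getpwnam("/etc/passwd", "root", &pw) == 0 ? 0 : 2;
}
```

Because the lookup opens a file path directly, it resolves inside the new root once enter_root() has succeeded, and no NSS module is loaded from the target tree.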
 

All times are GMT.