[Bug 1959375] Re: [SRU] Please support group manipulation with "extrausers"
Chris Halse Rogers
1959375 at bugs.launchpad.net
Wed May 18 02:09:59 UTC 2022
Yeeeeeeah, ok.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1959375
Title:
[SRU] Please support group manipulation with "extrausers"
Status in shadow package in Ubuntu:
Fix Released
Status in shadow source package in Bionic:
Fix Committed
Status in shadow source package in Focal:
Fix Committed
Status in shadow source package in Impish:
Won't Fix
Status in shadow source package in Jammy:
Fix Released
Bug description:
[Impact]
* In order to use the microk8s snap in Ubuntu Core, one currently
needs to be root. This is far from optimal, since normally (on desktop
and server installations) this is not necessary.
* This make it hard to provide consistent documentation on microk8s
across all supported device, if we have to take the "sudo" command
into account, and how file permissions for generated files might be
affected.
[Test Plan]
The issue can be reproduced on Ubuntu Core 18, 20 and 22. The steps
are as following (replace "<uc.img>" with the actual path of your
Ubuntu Core image file:
qemu-system-x86_64 -enable-kvm -smp 2 -m 1500 \
-netdev user,id=mynet0,hostfwd=tcp::8022-:22,hostfwd=tcp::8090-:80 \
-device virtio-net-pci,netdev=mynet0 \
-drive file=<uc.img>,format=raw
After configuring your account, connect to youd device via SSH:
ssh <user>@localhost -p 8022
And issue these commands
sudo snap install microk8s --channel=latest/edge/stable
# microk8s is going to eat up all your disk space, so stop it as soon
# as the prompt comes back:
sudo microk8s stop
# Add your user to the microk8s group
sudo usermod -G snap_microk8s $(whoami)
The last command will fail unless this bug is fixed. If the bug is
fixed, the command will succeed, and after logging out and in again,
you can verify that you've been added to the snap_microk8s group by
running the "groups" command.
[Where problems could occur]
* The patch only touches error code paths and adds a fallback
mechanism in them. Therefore, "normal" operations, where these
commands would have succeeded before, will not be affected at all.
* In those cases when usermod fails because it failed to find or load
the requested user/group, we reset the user/group database paths to
our writable user/group databases, and retry the operation. Note that
the path for our database is hardcoded in the program source, so the
security risk seems contained. We do not add additional command-line
parameters.
[Other Info]
Original bug description
========================
Currently doing something like:
sudo usermod -a -G snap_microk8s dbeamonte
on a Ubuntu Core system will fail with
usermod: /etc/group.15965: Read-only file system
This is because the existing usermod patches to detect
the extrausers file do not cover this case. Attached
a simple patch that enables it. I will give this patch
a test run in our image PPA for jammy and if things look
good I would like upload to 22.04 and SRU for 20.04 and
18.04.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1959375/+subscriptions
More information about the foundations-bugs
mailing list