Re: Bug#930428: debootstrap should ensure matching _apt uid

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Bug#930428: debootstrap should ensure matching _apt uid

Philipp Kern-2
On 2019-06-21 07:51, Trek wrote:
> On Thu, 20 Jun 2019 22:31:15 +0200
> Ansgar Burchardt <[hidden email]> wrote:
>
>> If _apt deserves a special solution, I would suggest assigning the
>> _apt user a static uid instead of patching debootstrap.
>
> it seems to me the simplest approach, from a technical point of view,
> and it's the one I'm using since _apt user was introduced (making sure
> uids match)

Adding [hidden email]. APT maintainers, please see the context in the bug.
Do you think there should be logic in debootstrap to handle the case of
trying to have the same UID within a chroot and outside, or could you
apply for a static UID assignment? I would also prefer the latter, but I
honestly don't know how messy the migration would be...

(If so, I guess this bug should be reassigned to apt.)

Kind regards and thanks
Philipp Kern

Reply | Threaded
Open this post in threaded view
|

Re: Bug#930428: debootstrap should ensure matching _apt uid

Michael Schaller-2
> But the effects of the patch are different from calling adduser, for
> example the _apt user it creates has no entry in /etc/shadow.  Such
> inconsistencies are not good.

Oops. Added a fix for that to the merge request.


> P.S.: the patch seems ok to me, I don't like hard-conding the _apt user
> line in /etc/passwd, as apt postinst uses adduser, but it's not clear
> to me when adduser is installed during debootstrap

adduser and apt are installed as part of the base packages.
base-passwd is installed earlier as part of the required packages.
Hence I also added a fix that moves the setup_* calls for apt directly
before the base package installation.

With that I get the following log output:
$ debootstrap ...
...
I: Configuring required packages...
...
I: Configuring base-passwd...
...
I: Unpacking the base system...
I: Added _apt user with uid 103
I: Unpacking adduser...
I: Unpacking apt...
...


> Do you think there should be logic in debootstrap to handle the case of
> trying to have the same UID within a chroot and outside, or could you
> apply for a static UID assignment? I would also prefer the latter, but I
> honestly don't know how messy the migration would be...

I would prefer if _apt would use a reserved uid (reserved by
base-passwd). I presume that the migration of the existing _apt user
would be messy though, particularly because of existing firewall
rules. So I suggest reserving a completely new user name / uid in
base-passwd for that purpose. As the _apt user seems to only be used
for fetches the new user could be named _apt_fetch.

On Sun, Jun 23, 2019 at 3:18 PM Philipp Kern <[hidden email]> wrote:

>
> On 2019-06-21 07:51, Trek wrote:
> > On Thu, 20 Jun 2019 22:31:15 +0200
> > Ansgar Burchardt <[hidden email]> wrote:
> >
> >> If _apt deserves a special solution, I would suggest assigning the
> >> _apt user a static uid instead of patching debootstrap.
> >
> > it seems to me the simplest approach, from a technical point of view,
> > and it's the one I'm using since _apt user was introduced (making sure
> > uids match)
>
> Adding [hidden email]. APT maintainers, please see the context in the bug.
> Do you think there should be logic in debootstrap to handle the case of
> trying to have the same UID within a chroot and outside, or could you
> apply for a static UID assignment? I would also prefer the latter, but I
> honestly don't know how messy the migration would be...
>
> (If so, I guess this bug should be reassigned to apt.)
>
> Kind regards and thanks
> Philipp Kern

Reply | Threaded
Open this post in threaded view
|

Re: Bug#930428: debootstrap should ensure matching _apt uid

Johannes Schauer-3
In reply to this post by Philipp Kern-2
Hi all,

Quoting Philipp Kern (2019-06-23 15:14:34)

> On 2019-06-21 07:51, Trek wrote:
> >> If _apt deserves a special solution, I would suggest assigning the
> >> _apt user a static uid instead of patching debootstrap.
> > it seems to me the simplest approach, from a technical point of view,
> > and it's the one I'm using since _apt user was introduced (making sure
> > uids match)
> Adding [hidden email]. APT maintainers, please see the context in the bug.
> Do you think there should be logic in debootstrap to handle the case of
> trying to have the same UID within a chroot and outside, or could you
> apply for a static UID assignment? I would also prefer the latter, but I
> honestly don't know how messy the migration would be...
with my mmdebstrap-maintainer hat on, I wanted to quickly chime in and express
my support for the _apt user having a reproducible user id. The status quo is,
that the apt user id depends on the order in which the maintainer scripts are
executed. Because of this I had to disable some mmdebstrap tests where I
compare the mmdebstrap chroot against the debootstrap chroot because the _apt
uid would be different. One of the goals of mmdebstrap is to be a
proof-of-concept of moving more and more of the mechanics that are currently
hardcoded in debootstrap into apt and dpkg. So from my perspective, fixing the
_apt uid is one piece of the puzzle that would make the life of debootstrap
alternatives like mmdebstrap easier.

Thanks!

cheers, josch

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Bug#930428: debootstrap should ensure matching _apt uid

Michael Schaller-2
Looks like there is no reply from the Apt maintainers. Should I open a
bug against apt?

Also could the proposed patch be added to debootstrap as a temporary
workaround until this is fixed in Apt?

Reply | Threaded
Open this post in threaded view
|

Re: Bug#930428: debootstrap should ensure matching _apt uid

Julian Andres Klode-4
On Mon, Jul 01, 2019 at 02:47:08PM +0200, Michael Schaller wrote:
> Looks like there is no reply from the Apt maintainers. Should I open a
> bug against apt?

The _apt user is used in stable, and various Ubuntu LTS, and so far,
nobody cared about us creating it dynamically. So this is not a matter
of urgency.

>
> Also could the proposed patch be added to debootstrap as a temporary
> workaround until this is fixed in Apt?

There is nothing to fix here in apt atm.

The only sensible option long term would be to migrate to a different
user I guess, and that sucks, because the user name is nice.

But this is a long-term effort, and not something that will take
place in the short term.

Adding a workaround to debootstrap sounds reasonable, but probably
to be done post-buster release.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Reply | Threaded
Open this post in threaded view
|

Re: Bug#930428: debootstrap should ensure matching _apt uid

Michael Schaller-2
Congrats to the successful Buster launch, everyone.
Also thanks to Julian for the reply on Apt.

Julian, should I open a bug for Apt?

Everyone, what do you think about the proposed patch to debootstrap?
Is that something you'd be willing to carry until Apt gets fixed
(which might or might not happen)?