[packages/filesystem] - can't use any non-root groups in this package and not depend on setup package, do similar workardo

Jeffrey Johnson n3npq at me.com
Thu Nov 1 19:44:45 CET 2012


On Nov 1, 2012, at 2:29 PM, Elan Ruusamäe wrote:

> On 01.11.2012 15:10, Jakub Bogusz wrote:
>> On Wed, Oct 31, 2012 at 07:42:21AM +0100, glen wrote:
>>> >commit aefd25979c44a66fc4eecfc32a27d2d119f31d76
>>> >Author: Elan Ruusamäe<glen at delfi.ee>
>>> >Date:   Wed Oct 31 08:41:13 2012 +0200
>>> >
>>> >     - can't use any non-root groups in this package and not depend on setup package, do similar workaround as FHS package
>> And what is the problem with requiring setup here?
>> setup requires just FHS, not filesystem.
>> 
>> Your change causes rpm -V to report /var/log/archive group inconsistency on every system.
>> 
>> 
> so does it in FHS, no-one complained.
> 
> we need proper fix here.

Yes you do.

> simplistic one would be if rpm allowed numeric ownership in %files specification
> 

Numeric was what was used in RPM in 1997, changed to use strings through /etc/passwd
lookup in 1998 (with libc5) for maximum flexibility/configurability.

Meanwhile here is what is wrong with "modern" distros
	The /etc/passwd file MUST exist for lookups to occur in packages that follow.

The original intent was setup was first pkg installed with /etc/passwd, and filesystem (or FHS or …)
carried a prerequisite (which is Requires: in modern RPM).

The problem there is that dependency LOOPs cause setup (or whatever carries /etc/passwd)
_NOT_ to be installed first.

So there is a band-aid in RPM where certain users/groups are hardwired for
lookup. Unless additional users/groups (in this case the "logs" group) are
compiled into RPM, then there are --verify failures.

The simplest fix is to ensure that /etc/passwd (and group) is _ALWAYS_ present in empty chroots.

The next simplest fix is to ensure that /etc/passwd (and group) ALWAYS contains all
users/groups for libc prerequisites (libc carries the name service libraries needed to do
the lookup).

There are also "probe dependencies" to ensure that user/group can be looked up _BEFORE_
any package is installed. These look like
	Requires: user(root)
or (with numeric id assertion)
	Requires: user(root) = 0
and group(…) for group lookups.

At this point in time, there is simply no reason _NOT_ to hardwire a check that all
user/group strings mentioned in _EVERY_ package can be looked up, with a virtual
	Provides: user(foo) = 1234
to hint that a scriptlet is about to invoke useradd etc.

Since shadowutils (yes _ALL_ of shadowutils) is carried in rpm-5.x.y through lua
bindings, there is no need to add snarly dependencies on useradd packages etc.
RPM+LUA+SHADOWUTILS is every bit as functional as /usr/sbin/useradd is.

hth

73 de Jeff
> -- 
> glen
> 
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
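
The check the reply above proposes, that every user/group name in a package's file list can be looked up before anything is installed, sketched as an added example (not code from RPM, PLD or either poster). The manifest layout, function names and the sample passwd/group contents are constructed for illustration.

```python
"""Pre-install ownership check: resolve each owner/group name in a file
manifest against passwd/group data from the target root, and emit the
probe dependencies (user(...)/group(...)) the mail describes."""

# Constructed sample: a freshly bootstrapped chroot that knows root but
# not yet the "logs" group discussed in the thread.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"
SAMPLE_GROUP = "root:x:0:\n# comment\n\nadm:x:4:root\n"
# Constructed manifest: (path, owner, group) as a %files section declares them.
SAMPLE_MANIFEST = [
    ("/var/log", "root", "root"),
    ("/var/log/archive", "root", "logs"),
]


def parse_ids(text):
    """Map name -> numeric id from passwd(5)/group(5) formatted text."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Expect name:password:id:...; skip malformed and +/- compat entries.
        if len(fields) < 3 or not fields[2].isdigit() or fields[0][:1] in "+-":
            continue
        ids.setdefault(fields[0], int(fields[2]))  # first entry wins
    return ids


def check_manifest(manifest, passwd_text, group_text):
    """Return (unresolved, probes): names that cannot be looked up, and the
    Requires: lines asserting each lookup (with the id when it is known)."""
    users, groups = parse_ids(passwd_text), parse_ids(group_text)
    unresolved, probes = [], set()
    for path, owner, group in manifest:
        for kind, name, table in (("user", owner, users), ("group", group, groups)):
            if name in table:
                probes.add(f"Requires: {kind}({name}) = {table[name]}")
            else:
                probes.add(f"Requires: {kind}({name})")
                unresolved.append((path, kind, name))
    return unresolved, sorted(probes)


if __name__ == "__main__":
    missing, probes = check_manifest(SAMPLE_MANIFEST, SAMPLE_PASSWD, SAMPLE_GROUP)
    print("\n".join(probes))
    for path, kind, name in missing:
        print(f"unresolved {kind} '{name}' for {path}: install would fall back, rpm -V would flag it")
```
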


