Bug #16604

buster: UID/GID stability?

Added by CyrilBrulebois 11 months ago. Updated 11 months ago.

Status: Resolved
Priority: High
Assignee: -
Category: Build system
Target version:
Start date: 03/22/2019
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

I've just pushed 483c87dd82d35fa4aacf73911a34c4cbd043ca98 to fix the FTBFS due to a fuzzy patch, and stumbled upon a new issue.

I thought this had been disabled in buster but apparently not (as the last and only commit to this file is 46c028aa4b230fd76673b997a4bb2d3e4303b2f0, dated mid-2018):

Checking UIDs and GIDs stability
/usr/share/tails/build/passwd /etc/passwd differ: char 1256, line 24
/etc/passwd differs from expected:
--- /usr/share/tails/build/passwd    2019-03-20 09:28:36.000000000 +0000
+++ /etc/passwd    2019-03-22 09:13:40.039408082 +0000
@@ -21,13 +21,13 @@
 systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
 systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
 memlockd:x:104:109:memlockd system account,,,:/usr/lib/memlockd:/bin/false
-debian-tor:x:105:110::/var/lib/tor:/bin/false
-messagebus:x:106:112::/nonexistent:/usr/sbin/nologin
-monkeysphere:x:107:113:monkeysphere authentication user,,,:/var/lib/monkeysphere:/bin/bash
-colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
-saned:x:109:119::/var/lib/saned:/usr/sbin/nologin
-speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
-pulse:x:111:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+messagebus:x:105:110::/nonexistent:/usr/sbin/nologin
+debian-tor:x:106:111::/var/lib/tor:/bin/false
+monkeysphere:x:107:114:monkeysphere authentication user,,,:/var/lib/monkeysphere:/usr/sbin/nologin
+pulse:x:108:117:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+speech-dispatcher:x:109:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
+saned:x:110:120::/var/lib/saned:/usr/sbin/nologin
+colord:x:111:121:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
 hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
 Debian-gdm:x:113:122:Gnome Display Manager:/var/lib/gdm3:/bin/false
 tails-persistence-setup:x:114:123::/home/tails-persistence-setup:/usr/sbin/nologin
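
Review bot: the monkeysphere line changes more than its GID (113 to 114): its login shell also goes from /bin/bash to /usr/sbin/nologin, so refreshing /usr/share/tails/build/passwd from the generated file would record a shell change as well as the renumbering. Since the check compares the two files as a whole, it is worth confirming each non-numeric difference separately before the reference file is updated.
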
 config/chroot_local-hooks/99-zzz_check_uids_and_gids failed (exit non-zero). You should check for errors.

I'm not entirely sure what to do here.

Should it be fine to break this kind of stability when upgrading to a new major release? I'd think so.

This seems to be confirmed by this commit message:

commit 07a043876d99f321d3d87b5ee173a4095807a704
Author: intrigeri <intrigeri@boum.org>
Date:   Fri Jan 4 18:04:21 2019 +0000

    Re-introduce 04-change-gids-and-uids hook (refs: #15854)

    We won't need it for Tails 4.0 but we'll probably need it later
    in the 4.x cycle. So let's bring the functions back but not call
    them for now.

So I'm tempted to update the reference file in the feature/buster branch with the file that's currently being generated.

Thoughts?
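
The check that failed above compares the generated /etc/passwd with the reference file as a whole. The following added example (not part of the original report, and not the Tails hook itself) reports the drift per account instead, which separates UID/GID renumbering from other changes such as a different login shell. The function names `passwd_drift` and `demo` are hypothetical; the sample lines are copied from the diff above.

```shell
#!/bin/sh
# Added example (not the Tails hook): passwd_drift and demo are hypothetical names.

# passwd_drift REFERENCE CURRENT
# Prints one line per account that was added or removed, or whose UID, GID
# or login shell differs. Returns 1 on any drift, 0 when the files agree.
passwd_drift() {
    awk -F: -v ref="$1" '
        BEGIN {
            # Load the reference file: account name -> uid, gid, shell.
            while ((getline line < ref) > 0) {
                split(line, f, ":")
                uid[f[1]] = f[3]; gid[f[1]] = f[4]; shell[f[1]] = f[7]
            }
        }
        {
            seen[$1] = 1
            if (!($1 in uid)) { print "added " $1 " uid=" $3 " gid=" $4; bad = 1; next }
            if (uid[$1] != $3)   { print "uid " $1 " " uid[$1] "->" $3; bad = 1 }
            if (gid[$1] != $4)   { print "gid " $1 " " gid[$1] "->" $4; bad = 1 }
            if (shell[$1] != $7) { print "shell " $1 " " shell[$1] "->" $7; bad = 1 }
        }
        END {
            for (n in uid) if (!(n in seen)) { print "removed " n; bad = 1 }
            exit bad + 0
        }
    ' "$2"
}

# Sample input: four lines copied from each side of the diff in this report.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/ref" <<'EOF'
memlockd:x:104:109:memlockd system account,,,:/usr/lib/memlockd:/bin/false
debian-tor:x:105:110::/var/lib/tor:/bin/false
messagebus:x:106:112::/nonexistent:/usr/sbin/nologin
monkeysphere:x:107:113:monkeysphere authentication user,,,:/var/lib/monkeysphere:/bin/bash
EOF
    cat > "$tmp/cur" <<'EOF'
memlockd:x:104:109:memlockd system account,,,:/usr/lib/memlockd:/bin/false
messagebus:x:105:110::/nonexistent:/usr/sbin/nologin
debian-tor:x:106:111::/var/lib/tor:/bin/false
monkeysphere:x:107:114:monkeysphere authentication user,,,:/var/lib/monkeysphere:/usr/sbin/nologin
EOF
    rc=0
    passwd_drift "$tmp/ref" "$tmp/cur" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "drift detected: update the reference file or renumber"
```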


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #16290: Remove Scribus Resolved 01/05/2019
Blocks Tails - Feature #15182: Drop Qt4 on Buster Resolved 01/05/2019

Associated revisions

Revision 0058e862 (diff)
Added by CyrilBrulebois 11 months ago

Drop monkeysphere and msva-perl (refs: #16604).

Installing (or later on: no longer installing) this package leads to
UID/GID changes that can interfere with IUKs. Users can install this
package separately anyway, so let's remove it from the base image
during the preparations for 4.0.

Revision 54b33724 (diff)
Added by CyrilBrulebois 11 months ago

Drop monkeysphere and msva-perl (refs: #16604).

Installing (or later on: no longer installing) this package leads to
UID/GID changes that can interfere with IUKs. Users can install this
package separately anyway, so let's remove it from the base image
during the preparations for 4.0.

Revision f07f0760 (diff)
Added by CyrilBrulebois 11 months ago

Update reference passwd and group files (refs: #16604).

There won't be any IUKs to upgrade to 4.0, so let's register whatever
new UIDs/GIDs are current now.

History

#1 Updated by CyrilBrulebois 11 months ago

  • Parent task set to #16209

#2 Updated by CyrilBrulebois 11 months ago

  • Parent task deleted (#16209)

#3 Updated by CyrilBrulebois 11 months ago

#4 Updated by intrigeri 11 months ago

> Should it be fine to break this kind of stability when upgrading to a new major release? I'd think so.
> […]
> So I'm tempted to update the reference file in the feature/buster branch with the file that's currently being generated.

I understand that in this context, you mean "a new major release" == "a release that we won't provide automatic (incremental) upgrades to", such as 4.0, and not any Tails major release.

In such a release, you're totally correct: it's totally fine to reset those reference files, because it's a requirement for disabling the UID/GID fixups in config/chroot_local-hooks/04-change-gids-and-uids. One has to restart from scratch there at some point, otherwise the renumbering dance will become unmanageable.

And while we're at it, it would be a good time to stop installing monkeysphere (and dropping the corresponding tweaks — git grep monkeysphere -- config/chroot_local-*): it's one of the obvious candidates for removal on #15291 and if we don't do that in 4.0, we'll have to renumber craploads of UIDs/GIDs as soon as we'll do this change. Feel free to do so directly in feature/buster.

#5 Updated by intrigeri 11 months ago

  • Priority changed from Normal to High

#6 Updated by CyrilBrulebois 11 months ago

  • Status changed from Confirmed to In Progress

#7 Updated by CyrilBrulebois 11 months ago

intrigeri wrote:

> I understand that in this context, you mean "a new major release" == "a release that we won't provide automatic (incremental) upgrades to", such as 4.0, and not any Tails major release.

Yes, a partial rewording went wrong: I meant to mention “a new major release of Debian, meaning a big +1 on the Tails side”.

> In such a release, you're totally correct: it's totally fine to reset those reference files, because it's a requirement for disabling the UID/GID fixups in config/chroot_local-hooks/04-change-gids-and-uids. One has to restart from scratch there at some point, otherwise the renumbering dance will become unmanageable.

ACK. We had to tweak some other bits (due to recent changes in buster), in addition to the removal of monkeysphere, mentioned below:

> And while we're at it, it would be a good time to stop installing monkeysphere (and dropping the corresponding tweaks — git grep monkeysphere -- config/chroot_local-*): it's one of the obvious candidates for removal on #15291 and if we don't do that in 4.0, we'll have to renumber craploads of UIDs/GIDs as soon as we'll do this change. Feel free to do so directly in feature/buster.

Currently waiting on some refreshed apparmor patch to get the new passwd/group files fed back into the feature/buster branch.

#8 Updated by intrigeri 11 months ago

> Currently waiting on some refreshed apparmor patch

Done :)

#9 Updated by intrigeri 11 months ago

#10 Updated by intrigeri 11 months ago

#11 Updated by intrigeri 11 months ago

  • Status changed from In Progress to Resolved
