Source: cron
Version: 3.0pl1-142
Severity: normal
X-Debbugs-Cc: jo...@debian.org, georg...@debian.org, c...@debian.org
Hi,
with the introduction of the cron-daemon-common package, the group id of
the "crontab" group became unreproducible depending on how the chroot is
created, i.e. whether one uses debootstrap or mmdebstrap. Steps to
reproduce:
$ cat > script.sh << END
#!/bin/sh
set -exu
ssh -F "$1" qemu mmdebstrap --aptopt=Acquire::Check-Valid-Until\\\
\\\"false\\\" unstable --variant=- - $DEBIAN_BISECT_MIRROR \
| tar --to-stdout -x ./etc/group \
> group.mm
ssh -F "$1" qemu debootstrap unstable /tmp/debian-unstable
$DEBIAN_BISECT_MIRROR
ssh -F "$1" qemu cat /tmp/debian-unstable/etc/group > group.debootstrap
diff -u group.mm group.debootstrap
END
$ chmod +x script.sh
$ debbisect --depends=mmdebstrap,debootstrap,cron --qemu=defaults \
--cache=./cache --no-find-exact-package 20220608T153059Z 20220608T210836Z
./script.sh
[...]
bisection finished successfully
last good timestamp: 2022-06-08 15:30:59+00:00
first bad timestamp: 2022-06-08 21:08:36+00:00
the following packages differ between the last good and first bad timestamp:
cron 3.0pl1-139 -> 3.0pl1-142
cron-daemon-common (n.a.) -> 3.0pl1-142
iproute2 5.17.0-2 -> 5.18.0-1
The output of the failing diff command above with the new cron package
is:
--- group.mm»···2022-06-10 15:38:03.473732762 +0200
+++ group.debootstrap»··2022-06-10 15:39:13.591459985 +0200
@@ -37,10 +37,10 @@
games:x:60:
users:x:100:
nogroup:x:65534:
-crontab:x:101:
-systemd-journal:x:102:
-systemd-network:x:103:
-systemd-resolve:x:104:
+systemd-journal:x:101:
+systemd-network:x:102:
+systemd-resolve:x:103:
+crontab:x:104:
input:x:105:
sgx:x:106:
kvm:x:107:
The reason is that with the new cron-daemon-common package, apt now
orders postinst scripts differently.
I'm not proposing to undo the recent changes in src:cron. There is also
nothing that apt can do about this. Reproducible uid/gid values is still
an open problem, see #963788.
One possible solution though is for the crontab group being assigned a
static gid by base-passwd. This is what we attempt to do for the _apt
user in #969631.
Do you think the crontab group would be another good candidate for a
static gid by base-passwd? If yes, please reassign this bug to
base-passwd. In that case, you might also want to propose some small
text explaining why this group is useful and what members of this group
are allowed to do. Probably this is about being able to run the crontab
command?
Maybe since cron is such an old and established utility and because it's
part of the Priority:standard set, it would be a good fit for a static
gid from base-passwd.
Thanks!
cheers, josch
