Hi Simon,

Thanks for all the work on this. This seems almost good to go for release, but I wanted to check 3 points with you first.

1) Are these uppercase messages expected by default? They seem unrelated to the proposed changes; just checking.

uppercase messages by default?

+ groupadd --extrausers extragroup
ENTER EXTRAUSERS_GROUP_FILEEXIT EXTRAUSERS_GROUP_FILEENTER EXTRAUSERS_SHADOWGROUP_FILEEXIT EXTRAUSERS_SHADOWGROUP_FILE+ useradd --extrausers --groups extragroup extrauser
+ groupadd --extrausers extragroup2
ENTER EXTRAUSERS_GROUP_FILEEXIT EXTRAUSERS_GROUP_FILEENTER EXTRAUSERS_SHADOWGROUP_FILEEXIT EXTRAUSERS_SHADOWGROUP_FILE+ useradd --extrausers --groups extragroup2 extrauser3

2) There's a small difference in the test steps executed (comment #12) vs. in bug description:

Executed:

+ mount -o bind,ro /etc-rw /etc
+ groupadd --extrausers extragroup2
ENTER EXTRAUSERS_GROUP_FILEEXIT EXTRAUSERS_GROUP_FILEENTER EXTRAUSERS_SHADOWGROUP_FILEEXIT EXTRAUSERS_SHADOWGROUP_FILE+ useradd --extrausers --groups extragroup2 extrauser3
+ id extrauser3
+ grep extragroup2
uid=1004(extrauser3) gid=1008(extrauser3) groups=1008(extrauser3),1007(extragroup2)

[Test Plan]:

mount -o bind,ro /etc-rw /etc # ok
groupadd --extrausers extragroup2 # ok
useradd --extrausers --groups etcgroup extrauser3 # etcgroup vs extragroup2
id extrauser4 | grep etcgroup # extrauser4 vs extrauser3 (typo?)

That is, the Test Plan uses `etcgroup`, which I guess is possibly to go through the code path that locked /etc/group and failed as described in [Impact].

Could you please confirm/clarify?

3) Other than the above, do you consider this is good for release? Specifically, can we consider verification-done-noble based on comment #18 from Ubuntu Core team _and_ your clarification above?

Thank you!

--
https://bugs.launchpad.net/bugs/2063200

Title:
  useradd --extrausers --groups tries to lock /etc/group

Status in shadow package in Ubuntu: Fix Released
Status in shadow source package in Jammy: Invalid
Status in shadow source package in Mantic: Won't Fix
Status in shadow source package in Noble: Fix Committed
Status in shadow source package in Oracular: Fix Released

Bug description:

[ Impact ]

On Ubuntu Core 24 calling the command line

useradd --extrausers --groups somegroup somenewuser

... fails with:

useradd: cannot lock /etc/group; try again later.

It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.

[ Test Plan ]

Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+readonly-etc case.

In addition, the following commands should be run as root in a fresh container:

```
# Install prerequisites
apt install libnss-extrausers
sed -i -r '/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow

# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty

# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2

# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser4 | grep etcgroup
```

Furthermore, validation from the Ubuntu Core team that this actually fixes their use case is required.

[ Where problems could occur ]

Regression potential is in the group validation stage of the `usermod` and `useradd` tools. Besides the usual risks related to C code, the various failure scenarios that come to mind are:

* try to add the user to a non-existing local group, which would fail further down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*)
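
An added example, not part of the bug report or the shadow package: a POSIX shell helper for the "Update the wrong file" risk listed above, reporting whether a supplementary group membership was recorded in /etc/group or in /var/lib/extrausers/group. The function names, the ROOT prefix argument and the sample tree are assumptions, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Group file format is
# name:password:gid:member1,member2 in both databases.

# has_member FILE GROUP USER: succeeds if USER is in GROUP's member list in FILE
has_member() {
    [ -r "$1" ] || return 1
    awk -F: -v g="$2" -v u="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# membership_location ROOT GROUP USER: prints etc, extrausers, both or none.
# ROOT is a path prefix ("" for the live system) so a copy can be inspected.
membership_location() {
    root=$1; group=$2; user=$3
    in_etc=no; in_extra=no
    has_member "$root/etc/group" "$group" "$user" && in_etc=yes
    has_member "$root/var/lib/extrausers/group" "$group" "$user" && in_extra=yes
    case "$in_etc$in_extra" in
        yesyes) echo both ;;
        yesno)  echo etc ;;
        noyes)  echo extrausers ;;
        *)      echo none ;;
    esac
}

# make_sample_tree: builds a constructed tree for an offline run, prints its path
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/etc" "$tree/var/lib/extrausers"
    printf '%s\n' 'root:x:0:' 'etcgroup:x:1001:etcuser' > "$tree/etc/group"
    printf '%s\n' 'extragroup:x:1005:extrauser' \
        'extragroup2:x:1007:extrauser3' > "$tree/var/lib/extrausers/group"
    echo "$tree"
}
```

After a run of the test plan, `membership_location "" extragroup2 extrauser3` shows which database the membership landed in; `none` means the user was created without the group.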