Difference between revisions of "User:Przemoc/Todo/Users and groups for AL 3.4"

From Alpine Linux
(Update)
m (Fix mailing list links (sourcehut-based).)
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
What I want to do for AL.
+
What I wanted to do and did before AL 3.4 release and some fixing done afterwards.
  
 
__TOC__
 
__TOC__
  
== Users and groups ==
+
== Pre-install/upgrade scripts ==
  
=== Pre-install/upgrade scripts ===
+
=== Improvements ===
  
==== Improvements ====
+
==== Make all packages create only ''system'' users and groups ====
 
 
===== Make all packages create only ''system'' users and groups =====
 
  
 
'''(MOSTLY DONE)'''
 
'''(MOSTLY DONE)'''
Line 34: Line 32:
  
 
My commit:
 
My commit:
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=ccc056dbf9d3 ccc056dbf9d3] Add lacking -S option (system) to adduser/addgroup in scripts. (2016-04-25)
+
  * [https://git.alpinelinux.org/aports/commit/?id=ccc056dbf9d3 ccc056dbf9d3] Add lacking -S option (system) to adduser/addgroup in scripts. [2016-04-25]
  
 
It was part of patch set:
 
It was part of patch set:
* [http://lists.alpinelinux.org/alpine-aports/2909.html Pre-upgrade/pre-install addgroup/adduser cleanings] (7 patches)
+
* [https://lists.alpinelinux.org/~alpine/aports/patches/2713 Pre-upgrade/pre-install addgroup/adduser cleanings] (7 patches) [2016-04-23]
  
==== Corrections ====
+
=== Corrections ===
  
===== Fix problems introduced by adding -S to adduser =====
+
==== Fix problems introduced by adding -S to adduser ====
  
 
'''(MOSTLY DONE)'''
 
'''(MOSTLY DONE)'''
Line 97: Line 95:
  
 
My commits fixing them are:
 
My commits fixing them are:
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=1de4b02204f7 1de4b02204f7] main/lighttpd: Fix lighttpd user's primary group. (2016-06-03)
+
  * [https://git.alpinelinux.org/aports/commit/?id=1de4b02204f7 1de4b02204f7] main/lighttpd: Fix lighttpd user's primary group.                       [2016-06-03]
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=f27dface22b3 f27dface22b3] testing/at: Properly set primary group in .pre-install. (2016-06-07)
+
  * [https://git.alpinelinux.org/aports/commit/?id=f27dface22b3 f27dface22b3] testing/at: Properly set primary group in .pre-install.                 [2016-06-07]
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=40521bdafd3c 40521bdafd3c] main/dovecot: Properly set primary group in .pre-install. (2016-06-07)
+
  * [https://git.alpinelinux.org/aports/commit/?id=40521bdafd3c 40521bdafd3c] main/dovecot: Properly set primary group in .pre-install.               [2016-06-07]
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=3c1fa46624bd 3c1fa46624bd] main/{npre, postgrey}: Properly set primary group in .pre-install. (2016-06-07)
+
  * [https://git.alpinelinux.org/aports/commit/?id=3c1fa46624bd 3c1fa46624bd] main/{npre, postgrey}: Properly set primary group in .pre-install.     [2016-06-07]
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=a7d67c695ca2 a7d67c695ca2] main/[various]: Add group and use it as primary in .pre-* scripts. (2016-06-07)
+
  * [https://git.alpinelinux.org/aports/commit/?id=a7d67c695ca2 a7d67c695ca2] main/[various]: Add group and use it as primary in .pre-* scripts.     [2016-06-07]
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=5708404c50a7 5708404c50a7] community/[various]: Add group and use it as primary in .pre-* scripts. (2016-06-07)
+
  * [https://git.alpinelinux.org/aports/commit/?id=5708404c50a7 5708404c50a7] community/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-07]
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=a835b6916533 a835b6916533] testing/[various]: Add group and use it as primary in .pre-* scripts. (2016-06-07)
+
  * [https://git.alpinelinux.org/aports/commit/?id=a835b6916533 a835b6916533] testing/[various]: Add group and use it as primary in .pre-* scripts.   [2016-06-07]
  
 
They are (apart from the first one) part of patch set:
 
They are (apart from the first one) part of patch set:
* [http://lists.alpinelinux.org/alpine-aports/3059.html Pre-upgrade/pre-install addgroup/adduser fixes.] (15 patches)
+
* [https://lists.alpinelinux.org/~alpine/aports/patches/928 Pre-upgrade/pre-install addgroup/adduser fixes.] (15 patches) [2016-06-06]
 +
 
 +
Patches for main and community are already cherry-picked in 3.4-stable branch as of 2016-06-20.
  
 
Following packages were overlooked before:
 
Following packages were overlooked before:
Line 114: Line 114:
  
 
My commit fixing them is:
 
My commit fixing them is:
  * [http://git.alpinelinux.org/cgit/aports/commit/?id=94e0b0631f37 94e0b0631f37] testing/[various]: Add group and use it as primary in .pre-* scripts.
+
  * [https://git.alpinelinux.org/aports/commit/?id=94e0b0631f37 94e0b0631f37] testing/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-20]
  
 
It is part of patch set:
 
It is part of patch set:
* [http://lists.alpinelinux.org/alpine-aports/3109.html Forgotten pre-install addgroup/adduser fixes and fixes.] (5 patches)
+
* [https://lists.alpinelinux.org/~alpine/aports/patches/994 Forgotten pre-install addgroup/adduser fixes and fixes.] (5 patches) [2016-06-17]
  
===== Fix problems for those who already installed above mentioned packages in Alpine Linux 3.4.0  =====
+
==== Fix problems for those who already installed above mentioned packages in Alpine Linux 3.4.0  ====
  
 
Fixes in previous sections work only for people that haven't installed above mentioned packages within Alpine Linux 3.4.0.
 
Fixes in previous sections work only for people that haven't installed above mentioned packages within Alpine Linux 3.4.0.
Line 125: Line 125:
 
You can remove these old entries before reinstallation using <code>deluser</code>, but before that you have to find all the files owned by that user (<code>find / -user NAME</code>) to fix ownership after package reinstallation, as group id will change and user id may change.
 
You can remove these old entries before reinstallation using <code>deluser</code>, but before that you have to find all the files owned by that user (<code>find / -user NAME</code>) to fix ownership after package reinstallation, as group id will change and user id may change.
  
We cannot and shouldn't do such invasive changes in automatic way during upgrade, but we can at least add missing groups and add users to them. Mind that such users's primary group will not be changed either (from <code>nogroup</code>), because user could have changed it on her/his own.
+
We cannot and shouldn't do such invasive changes in automatic way during upgrade.
 +
 
 +
I wanted to at least add missing groups and add users to them via upgrades in AL 3.4. (Mind that such users's primary group will not be changed either, i.e. from <code>nogroup</code>, because user could have changed it on her/his own.) But there wasn't much interest, even though I provided some patches, like for below examples (so called AL 3.4 band-aids for ccc056dbf9d3 in .pre-* script).
  
Below I'll try to document all known problems:
+
Examples of known problems for people upgrading from Alpine Linux 3.4.0:
  
* main/apache2: No <code>apache</code> group. (Default config uses <code>apache:apache</code>, so daemon won't start.)<br>(sent to ML already, but it's postponed as it will be a part of bigger pull request(s) - it was discussed with ncopa on IRC)
+
* main/apache2: No <code>apache</code> group. (Default config uses <code>apache:apache</code>, so daemon won't start.)
 +
* main/lighttpd: No <code>lighttpd</code> group.
  
{{todo|Go through all packages, starting from main.}}
+
I consider this topic in the context of AL 3.4 closed.
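Review bot: the new closing line "I consider this topic in the context of AL 3.4 closed." replaces the todo about going through all packages, but both '''(MOSTLY DONE)''' markers in the unchanged context are left as they are, so the page now reads as closed and unfinished at the same time. Either update those markers or state in the closing line that the remaining items are intentionally left open. In the added paragraph just above it, "users's" should be "users'".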

Latest revision as of 11:58, 2 July 2021

What I wanted to do and did before AL 3.4 release and some fixing done afterwards.

Pre-install/upgrade scripts

Improvements

Make all packages create only system users and groups

(MOSTLY DONE) Call adduser and addgroup with the -S option in pre-install/upgrade scripts. It's mostly done already, and only mostly, because 1) some new packages might have been added that aren't using -S yet and 2) it introduced problems, which aren't fully fixed yet.

Note:

System user creation doesn't add a same-named group and uses nogroup as the primary group unless another group is explicitly specified via -G.

This means that system user creation (adduser with the -S option) differs from normal user creation (adduser without -S) in more ways than the range of UIDs used and the default GECOS field.

A normal user, when created via adduser, gets its own automatically created group, and this group becomes the primary group of that user. Group creation can be avoided if the -G option is used, but then an already existing group has to be provided there.

A system user, when created via adduser, never gets its own automatically created group, and by default the primary group of that user becomes the group called nogroup, unless the -G option is used to provide another already existing group.

My commit:

* ccc056dbf9d3 Add lacking -S option (system) to adduser/addgroup in scripts. [2016-04-25]

It was part of patch set:

* Pre-upgrade/pre-install addgroup/adduser cleanings (7 patches) [2016-04-23]

Corrections

Fix problems introduced by adding -S to adduser

(MOSTLY DONE) I somehow overlooked the different adduser behavior explained in the above note, and thus my sole adding of -S to adduser calls in commit ccc056dbf9d3 (i.e. without a proper -G option and a preceding addgroup call when needed) proved to be drastic in effects, i.e. the status quo has not been preserved, because the primary groups of those users in new Alpine Linux installations have been changed. Alpine Linux 3.4.0 is affected by this.

Lesson relearned. Beware of such small and allegedly "cosmetic" changes!

Pre-install/upgrade scripts are already mostly fixed in the master branch of the aports repository.

Packages creating users that were badly touched by commit ccc056dbf9d3 and should have been already fixed:

  • community/caddy
  • community/domoticz
  • community/oscam
  • community/syncthing
  • main/apache2
  • main/aports-build
  • main/atheme-iris
  • main/clamav
  • main/clamsmtp
  • main/coova-chilli
  • main/dhcp
  • main/djbdns
  • main/dovecot
  • main/ez-ipupdate
  • main/fetchmail
  • main/freeswitch
  • main/gitolite
  • main/gnats
  • main/gross
  • main/icecast
  • main/lighttpd
  • main/memcached
  • main/ngircd
  • main/nrpe
  • main/openntpd
  • main/postgrey
  • main/snort
  • main/squid
  • main/transmission
  • main/znc
  • testing/at
  • testing/dbmail
  • testing/dspam
  • testing/opensips
  • testing/pdns
  • testing/qpage
  • testing/rrdbot
  • testing/wt

My commits fixing them are:

* 1de4b02204f7 main/lighttpd: Fix lighttpd user's primary group.                       [2016-06-03]
* f27dface22b3 testing/at: Properly set primary group in .pre-install.                 [2016-06-07]
* 40521bdafd3c main/dovecot: Properly set primary group in .pre-install.               [2016-06-07]
* 3c1fa46624bd main/{npre, postgrey}: Properly set primary group in .pre-install.      [2016-06-07]
* a7d67c695ca2 main/[various]: Add group and use it as primary in .pre-* scripts.      [2016-06-07]
* 5708404c50a7 community/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-07]
* a835b6916533 testing/[various]: Add group and use it as primary in .pre-* scripts.   [2016-06-07]

They are (apart from the first one) part of patch set:

* Pre-upgrade/pre-install addgroup/adduser fixes. (15 patches) [2016-06-06]

Patches for main and community are already cherry-picked into the 3.4-stable branch as of 2016-06-20.

The following packages were overlooked before:

  • testing/buildbot
  • testing/buildbot-slave
  • testing/clapf

My commit fixing them is:

* 94e0b0631f37 testing/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-20]

It is part of patch set:

* Forgotten pre-install addgroup/adduser fixes and fixes. (5 patches) [2016-06-17]

Fix problems for those who already installed above mentioned packages in Alpine Linux 3.4.0

Fixes in the previous sections work only for people who haven't installed the above-mentioned packages within Alpine Linux 3.4.0. Even package removal and reinstallation is not enough, because the old entries in /etc/passwd and /etc/group remain. You can remove these old entries before reinstallation using deluser, but before that you have to find all the files owned by that user (find / -user NAME) to fix ownership after package reinstallation, as the group id will change and the user id may change.

We cannot and shouldn't make such invasive changes automatically during an upgrade.

I wanted to at least add missing groups and add users to them via upgrades in AL 3.4. (Mind that such users' primary group will not be changed either, i.e. from nogroup, because the user could have changed it on her/his own.) But there wasn't much interest, even though I provided some patches, like for the examples below (so-called AL 3.4 band-aids for ccc056dbf9d3 in .pre-* scripts).

Examples of known problems for people upgrading from Alpine Linux 3.4.0:

  • main/apache2: No apache group. (Default config uses apache:apache, so daemon won't start.)
  • main/lighttpd: No lighttpd group.
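
To check which accounts on an installed system are in the state described above, the following added example (not part of the original page or of aports) scans copies of the group and passwd databases. The function names, the 100-999 UID range and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Lists accounts left with
# "nogroup" as primary group, as happens after `adduser -S` without -G.

# find_nogroup_users GROUP_FILE PASSWD_FILE [MIN_UID] [MAX_UID]
# Output, one per line:  name:uid:group-missing | name:uid:group-not-primary
# The 100-999 default range is an assumption; adjust it to your system-UID range.
# Exit status 2 means the group file has no "nogroup" entry to compare against.
find_nogroup_users() {
    awk -F: -v min="${3:-100}" -v max="${4:-999}" '
        src == "group" { gid_of[$1] = $3; next }        # name:x:gid:members
        !("nogroup" in gid_of) { exit 2 }               # nothing to compare with
        $3 + 0 < min || $3 + 0 > max { next }           # outside system range
        $4 + 0 != gid_of["nogroup"] + 0 { next }        # primary group is not nogroup
        {
            status = ($1 in gid_of) ? "group-not-primary" : "group-missing"
            printf "%s:%s:%s\n", $1, $3, status
        }
    ' src=group "$1" src=passwd "$2"
}

# Constructed sample databases (not taken from a real system).
write_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:root
nogroup:x:65533:
nobody:x:65534:
lighttpd:x:101:lighttpd
dovecot:x:102:
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
nobody:x:65534:65534:nobody:/:/sbin/nologin
apache:x:100:65533:Linux User,,,:/var/www:/sbin/nologin
lighttpd:x:101:65533:Linux User,,,:/var/www/localhost/htdocs:/sbin/nologin
dovecot:x:102:102:Linux User,,,:/dev/null:/sbin/nologin
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
find_nogroup_users "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On a real system, run it against /etc/group and /etc/passwd; "group-not-primary" corresponds to an account whose group was added afterwards while its primary group stayed nogroup.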

I consider this topic in the context of AL 3.4 closed.