[SRU] Please support group manipulation with "extrausers"

Bug #1959375 reported by Michael Vogt
Affects          Status        Importance  Assigned to  Milestone
shadow (Ubuntu)  Fix Released  Undecided   Unassigned
Bionic           Fix Released  Undecided   Unassigned
Focal            Fix Released  Undecided   Unassigned
Impish           Won't Fix     Low         Unassigned
Jammy            Fix Released  Undecided   Unassigned

Bug Description

[Impact]

* In order to use the microk8s snap in Ubuntu Core, one currently needs to be root. This is far from optimal, since normally (on desktop and server installations) this is not necessary.

* This makes it hard to provide consistent documentation on microk8s across all supported devices, if we have to take the "sudo" command into account, and how file permissions for generated files might be affected.

[Test Plan]

The issue can be reproduced on Ubuntu Core 18, 20 and 22. The steps are as follows (replace "<uc.img>" with the actual path of your Ubuntu Core image file):

    qemu-system-x86_64 -enable-kvm -smp 2 -m 1500 \
        -netdev user,id=mynet0,hostfwd=tcp::8022-:22,hostfwd=tcp::8090-:80 \
        -device virtio-net-pci,netdev=mynet0 \
        -drive file=<uc.img>,format=raw

After configuring your account, connect to your device via SSH:

    ssh <user>@localhost -p 8022

And issue these commands:

    sudo snap install microk8s --channel=latest/edge/stable

    # microk8s is going to eat up all your disk space, so stop it as soon
    # as the prompt comes back:
    sudo microk8s stop

    # Add your user to the microk8s group
    sudo usermod -G snap_microk8s $(whoami)

The last command will fail unless this bug is fixed. If the bug is fixed, the command will succeed, and after logging out and in again, you can verify that you've been added to the snap_microk8s group by running the "groups" command.

[Where problems could occur]

* The patch only touches error code paths and adds a fallback mechanism in them. Therefore, "normal" operations, where these commands would have succeeded before, will not be affected at all.

* In those cases when usermod fails because it failed to find or load the requested user/group, we reset the user/group database paths to our writable user/group databases, and retry the operation. Note that the path for our database is hardcoded in the program source, so the security risk seems contained. We do not add additional command-line parameters.

[Other Info]

Original bug description
========================

Currently doing something like:

    sudo usermod -a -G snap_microk8s dbeamonte

on an Ubuntu Core system will fail with

    usermod: /etc/group.15965: Read-only file system

This is because the existing usermod patches to detect
the extrausers file do not cover this case. Attached
a simple patch that enables it. I will give this patch
a test run in our image PPA for jammy and if things look
good I would like to upload to 22.04 and SRU for 20.04 and
18.04.
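
A check to go with the verification step of the test plan, as an added example that is not part of the original report or of the shadow patch: "groups" shows that the membership exists, while this reports which group(5) database actually records it, which on a read-only root filesystem should be the extrausers one. The function names, the GID and the sample files are constructed for illustration; on a real device pass /etc/group and the libnss-extrausers group file (/var/lib/extrausers/group, a path not stated in this report).

```shell
#!/bin/sh
# Added example: report which group(5) database records a membership.
# Format of each line: name:password:gid:member1,member2,...

# is_member FILE GROUP USER -> exit 0 if USER is listed in GROUP's member field.
# Members are compared exactly, so "dbea" does not match "dbeamonte".
is_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# membership_db USER GROUP ETC_GROUP EXTRA_GROUP
# Prints one of: etc, extrausers, both, none.
membership_db() {
    in_etc=no; in_extra=no
    [ -r "$3" ] && is_member "$3" "$2" "$1" && in_etc=yes
    [ -r "$4" ] && is_member "$4" "$2" "$1" && in_extra=yes
    case "$in_etc$in_extra" in
        yesyes) echo both ;;
        yesno)  echo etc ;;
        noyes)  echo extrausers ;;
        *)      echo none ;;
    esac
}

# Constructed sample databases standing in for the read-only /etc/group
# and the writable extrausers group file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/etc_group" <<'EOF'
root:x:0:
adm:x:4:syslog
EOF
cat > "$demo/extra_group" <<'EOF'
snap_microk8s:x:999:dbeamonte
EOF

# Expected after a successful "usermod -a -G snap_microk8s dbeamonte"
membership_db dbeamonte snap_microk8s "$demo/etc_group" "$demo/extra_group"
# A user whose name is only a prefix of a member must not match
membership_db dbea snap_microk8s "$demo/etc_group" "$demo/extra_group"
```

A result of "etc" or "both" for a snap-created group on Ubuntu Core would mean the membership was written somewhere other than the fallback database described under "Where problems could occur".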

Michael Vogt (mvo) wrote :
tags: added: patch
Alberto Mardegan (mardy) wrote :

I tested a newer version of the patch that Michael sent me, and I verify that it works properly :-)

I'm attaching it here; it includes changes to the 1015_add_zsys_support.patch, but that's only as a result of a quilt refresh, since the patch did not apply cleanly anymore (since src/usermod.c was modified in our patch before).

I've been testing this on Focal.

Alberto Mardegan (mardy) wrote :

Marking as Invalid for Impish, since the issue only happens with a read-only rootfs like we use in Ubuntu Core, and UC is only based on LTS releases.

Changed in shadow (Ubuntu Impish):
status: New → Won't Fix
importance: Undecided → Low
Alberto Mardegan (mardy)
description: updated
Alberto Mardegan (mardy)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.8.1-2ubuntu2

---------------
shadow (1:4.8.1-2ubuntu2) jammy; urgency=medium

  [ Michael Vogt ]
  * debian/patches/1010_extrausers.patch:
    Add automatic detection of "extrausers" for usermod -G
    (LP: #1959375)

 -- Alberto Mardegan <email address hidden> Mon, 14 Mar 2022 11:59:13 +0300

Changed in shadow (Ubuntu Jammy):
status: New → Fix Released
Michael Vogt (mvo)
Changed in shadow (Ubuntu Bionic):
status: New → In Progress
Changed in shadow (Ubuntu Focal):
status: New → In Progress
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted shadow into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu5.20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shadow (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in shadow (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Michael, or anyone else affected,

Accepted shadow into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shadow/1:4.5-1ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Alberto Mardegan (mardy) wrote :

Hi Brian,
  I finally tested the new packages on Ubuntu Core 18 (with the bionic packages) and Ubuntu Core 20 (with the focal ones). I first tried to reproduce the issue in Ubuntu Desktop, by making /etc/groups and /etc/passwd read-only and indeed I couldn't add my user to a group, but unfortunately then I couldn't get the extrausers database setup correctly, so I gave up and just ran a quick smoke test to verify that the new binaries work as expected and instead focused on Ubuntu Core, that's where we initially had the issue.

The only problem is that I didn't test the entire deb packages, since the root FS in UC is read-only and not debian-based, but I just extracted the binaries from the passwd deb package and bind-mounted them over the original UC ones. Then I was able to add my user to a group, without needing to specify the --extrausers parameter.

I hope that this is good enough as a verification.

tags: added: verification-done-bionic verification-done-focal
removed: verification-needed-bionic verification-needed-focal
Alberto Mardegan (mardy)
tags: added: verification-done
removed: verification-needed
Chris Halse Rogers (raof) wrote :

Yeeeeeeah, ok.

Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for shadow has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.8.1-1ubuntu5.20.04.2

---------------
shadow (1:4.8.1-1ubuntu5.20.04.2) focal; urgency=medium

  [ Michael Vogt ]
  * debian/patches/1010_extrausers.patch:
    Add automatic detection of "extrausers" for usermod -G
    (LP: #1959375)

 -- Alberto Mardegan <email address hidden> Mon, 14 Mar 2022 11:26:09 +0300

Changed in shadow (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote :

Hey Chris! Any reason you only released the focal one?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.5-1ubuntu2.3

---------------
shadow (1:4.5-1ubuntu2.3) bionic; urgency=medium

  [ Michael Vogt ]
  * debian/patches/1010_extrausers.patch:
    Add automatic detection of "extrausers" for usermod -G
    (LP: #1959375)

 -- Alberto Mardegan <email address hidden> Mon, 14 Mar 2022 13:49:40 +0300

Changed in shadow (Ubuntu Bionic):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote :

Probably because only focal was showing as releasable when I got here the first time? I couldn't tell you now :)
