Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/update-users-groups: /etc/shadow owned by root:shadow #98676

Merged
merged 1 commit into from Sep 26, 2020
Merged

nixos/update-users-groups: /etc/shadow owned by root:shadow #98676

merged 1 commit into from Sep 26, 2020

Conversation

cole-h
Copy link
Member

@cole-h cole-h commented Sep 24, 2020
edited

Motivation for this change

Closes #93580.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

I tried using Perl's chown with getpwnam/getgrnam, but getpwnam "root" and getgrnam "shadow" didn't work... So, I had to use system and call out to the chown binary.

cc @NixOS/nixos-release-managers (since this is on the 20.09 blockers list).

@cole-h cole-h mentioned this pull request Sep 24, 2020
Closed
@aanderse
Copy link
Member

I tried using Perl's chown with getpwnam/getgrnam, but getpwnam "root" and getgrnam "shadow" didn't work... So, I had to use system and call out to the chown binary.

@volth or @stigtsp any interest in taking a look at this?

@cole-h
Copy link
Member Author

cole-h commented Sep 24, 2020
edited

FWIW, the problem was that the script would say Argument "root" isn't numeric in chown at .... when doing:

chown getpwnam "root", getgrnam "shadow", "/etc/shadow";

So, for some reason, getpwnam "root" and getgrnam "shadow" aren't resolving the numeric ids.

@cole-h
Copy link
Member Author

cole-h commented Sep 24, 2020
edited

Ah, I think I found my problem: if I use my $uid = getpwnam "root";, $uid becomes the $uid returned by the list of getpwnam (same for $gid).

Now this can be totally in Perl :)

EDIT: I put it in a scope because I saw $gid and $uid used elsewhere and didn't want to affect those (if it's even possible to do so). I can remove that if desired.

@stigtsp
Copy link
Member

stigtsp commented Sep 24, 2020
edited 

chown getpwnam "root", getgrnam "shadow", "/etc/shadow";

This might be because getpwnam and getgrnam are called in list context sending a list of 10 items to chown:

perl -MData::Dumper -E 'say Dumper getpwnam "root", getgrnam "shadow", "/etc/shadow"'
$VAR1 = 'root';
$VAR2 = 'x';
$VAR3 = 0;
$VAR4 = 0;
$VAR5 = '';
$VAR6 = '';
$VAR7 = 'System administrator';
$VAR8 = '/root';
$VAR9 = '/run/current-system/sw/bin/bash';
$VAR10 = '/etc/shadow';

As you point out, the patch with my $uid = getpwnam "root"; calls it in scalar context which returns what's expected. :)

$ perldoc -f getpwnam
[..]        
            In scalar context, you get the name, unless the function was a
            lookup by name, in which case you get the other thing, whatever
            it is. (If the entry doesn't exist you get the undefined value.)
[..]

ADD: Scoping $uid and $gid is reasonable, since it makes it clear that the variables are not used elsewhere.

@cole-h
Copy link
Member Author

cole-h commented Sep 24, 2020
edited

@ofborg eval

(I think I broke it by force-pushing too fast :P)

@cole-h cole-h added the 9.needs: port to stable A PR needs a backport to the stable release. label Sep 25, 2020
@worldofpeace
Copy link
Contributor

@ofborg test installer.simple

@worldofpeace worldofpeace merged commit c4d016a into NixOS:master Sep 26, 2020
@cole-h cole-h deleted the shadow-owns-shadow branch September 27, 2020 01:22
@cole-h cole-h mentioned this pull request Sep 27, 2020
Merged
10 tasks
@cole-h cole-h added 8.has: port to stable A PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Oct 26, 2020
@jluttine
Copy link
Member

jluttine commented Mar 17, 2021
edited

Hi! I just encountered the issue that this PR solved when I was using a bit old nixpkgs version. I now used this patch to fix the issue, thanks! However, I'm wondering why the permissions are still kept at 0600 instead of 0640? I would have expected this patch to give read-access to /etc/shadow file for the group, what's the purpose of setting the group otherwise? So, probably I'm missing something and I'd like to understand. Thanks for help!

@cole-h
Copy link
Member Author

cole-h commented Mar 17, 2021

Just an oversight. I'd happily accept a PR fixing that :)

@jluttine jluttine mentioned this pull request Mar 17, 2021
Merged
10 tasks
@jluttine
Copy link
Member

PR opened: #116644

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stigtsp stigtsp stigtsp left review comments

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

/etc/shadow should belong to the shadow group
5 participants
@cole-h @aanderse @stigtsp @worldofpeace @jluttine