Re: Bug#930428: debootstrap should ensure matching _apt uid

To: Philipp Kern <phil@philkern.de>, 930428-quiet@bugs.debian.org
Cc: Trek <trek00@inbox.ru>, 930428@bugs.debian.org, deity@lists.debian.org, Ansgar Burchardt <ansgar@43-1.org>, 930428-submitter@bugs.debian.org
Subject: Re: Bug#930428: debootstrap should ensure matching _apt uid
From: Michael Schaller <misch@google.com>
Date: Mon, 24 Jun 2019 12:31:52 +0200
Message-id: <[🔎] CALt099KiX6DG6Kfr+x-3fLF6gcBCvDaasGymRfx=qXY78CiLBQ@mail.gmail.com>
In-reply-to: <[🔎] 4e5b904075ca9f581667487cf862f239@philkern.de>
References: <156034404951.121521.2929892805726935031.reportbug@katla.muc.corp.google.com> <20190621075124.39138533@enterprise> <[🔎] 4e5b904075ca9f581667487cf862f239@philkern.de>

> But the effects of the patch are different from calling adduser, for
> example the _apt user it creates has no entry in /etc/shadow.  Such
> inconsistencies are not good.

Oops. Added a fix for that to the merge request.


> P.S.: the patch seems ok to me, I don't like hard-conding the _apt user
> line in /etc/passwd, as apt postinst uses adduser, but it's not clear
> to me when adduser is installed during debootstrap

adduser and apt are installed as part of the base packages.
base-passwd is installed earlier as part of the required packages.
Hence I also added a fix that moves the setup_* calls for apt directly
before the base package installation.

With that I get the following log output:
$ debootstrap ...
...
I: Configuring required packages...
...
I: Configuring base-passwd...
...
I: Unpacking the base system...
I: Added _apt user with uid 103
I: Unpacking adduser...
I: Unpacking apt...
...


> Do you think there should be logic in debootstrap to handle the case of
> trying to have the same UID within a chroot and outside, or could you
> apply for a static UID assignment? I would also prefer the latter, but I
> honestly don't know how messy the migration would be...

I would prefer if _apt would use a reserved uid (reserved by
base-passwd). I presume that the migration of the existing _apt user
would be messy though, particularly because of existing firewall
rules. So I suggest reserving a completely new user name / uid in
base-passwd for that purpose. As the _apt user seems to only be used
for fetches the new user could be named _apt_fetch.

On Sun, Jun 23, 2019 at 3:18 PM Philipp Kern <phil@philkern.de> wrote:
>
> On 2019-06-21 07:51, Trek wrote:
> > On Thu, 20 Jun 2019 22:31:15 +0200
> > Ansgar Burchardt <ansgar@43-1.org> wrote:
> >
> >> If _apt deserves a special solution, I would suggest assigning the
> >> _apt user a static uid instead of patching debootstrap.
> >
> > it seems to me the simplest approach, from a technical point of view,
> > and it's the one I'm using since _apt user was introduced (making sure
> > uids match)
>
> Adding deity@l.d.o. APT maintainers, please see the context in the bug.
> Do you think there should be logic in debootstrap to handle the case of
> trying to have the same UID within a chroot and outside, or could you
> apply for a static UID assignment? I would also prefer the latter, but I
> honestly don't know how messy the migration would be...
>
> (If so, I guess this bug should be reassigned to apt.)
>
> Kind regards and thanks
> Philipp Kern

Reply to:

References:
- Re: Bug#930428: debootstrap should ensure matching _apt uid
  - From: Philipp Kern <phil@philkern.de>

Prev by Date: Bug#930788: creating /var/lib/dpkg/cmethopt
Next by Date: Re: Bug#930428: debootstrap should ensure matching _apt uid
Previous by thread: Re: Bug#930428: debootstrap should ensure matching _apt uid
Next by thread: Re: Bug#930428: debootstrap should ensure matching _apt uid
Index(es):
- Date
- Thread