Re: Bug#969631: can base-passwd provide the user _apt?

To: 969631@bugs.debian.org, deity@lists.debian.org
Subject: Re: Bug#969631: can base-passwd provide the user _apt?
From: Johannes Schauer Marin Rodrigues <josch@debian.org>
Date: Sat, 23 Oct 2021 12:13:23 +0200
Message-id: <[🔎] 163498400372.417366.10988902153383195014@localhost>
Mail-followup-to: 969631@bugs.debian.org, deity@lists.debian.org
In-reply-to: <162987807541.1840.17399477371043520253@localhost>
References: <20200906074826.GA5168@alf.mars> <162987807541.1840.17399477371043520253@localhost>

Hi,

Quoting Johannes Schauer Marin Rodrigues (2021-08-25 09:54:35)
> Quoting Helmut Grohne (2020-09-06 09:48:26)
> > Another benefit of this change (if a static uid is allocated) is that we
> > improve reproducible installations where currently uids may depend on
> > configuration order.
> 
> I'm very interested in having this bug fixed because of the reason above.
> 
> And there is yet another use-case that would be solved by the _apt user being
> shipped by base-passwd: since apt would no longer require adduser, we would
> automatically get DPKG_ROOT support for Essential:yes packages plus apt.
> 
> What do we need to implement this change? I observed that when I apply this
> patch to base-passwd:
> 
> diff -Nru base-passwd-3.5.51/passwd.master base-passwd-3.5.51+nmu1/passwd.master
> --- base-passwd-3.5.51/passwd.master   2021-07-10 13:57:43.000000000 +0200
> +++ base-passwd-3.5.51+nmu1/passwd.master      2021-08-24 20:08:52.000000000 +0200
> @@ -15,4 +15,5 @@
>  list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>  irc:*:39:39:ircd:/run/ircd:/usr/sbin/nologin
>  gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
> +_apt:*42:42::/nonexistent:/usr/sbin/nologin
>  nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> 
> Then not only will the _apt user be created as expected, but I also observed
> that when upgrading base-passwd on a system with an existing _apt user with uid
> 100 from basepasswd 3.5.51 to my patched 3.5.51+nmu1, the uid of the _apt user
> remained the same as it should.
> 
> Is my observation correct or is anything else missing?

from the discussion it seems that there are two separate issues.

 1. giving _apt the static uid 42 for new installations

The policy has an argument against it but Russ argues that might be reading the
policy requirement too strictly.

 2. switching _apt uid on existing installations

This can break setups relying on file:// and copy:// but David Kalnischkies
points out a possible migration strategy.

So other than reading the policy in a very strict way, what speaks against
adding apt as uid 42 today and then implement the migration path after the next
stable release with warnings of apt as David suggests?

Having _apt with a stable uid does fix problems with uid allocation,
dependencies on adduser and DPKG_ROOT today and does not cause any problems on
user's systems. Can we do this now as a first step? Is anything else missing
other than the trivial diff I wrote above?

Thanks!

cheers, josch

Attachment: signature.asc
Description: signature

Reply to:

Prev by Date: Bug#675748: Where is the show command?
Next by Date: Bug#996115: apt upgrade --no-download --fix-missing --auto-remove: "E: Internal error, InstallPackages was called with broken packages!"
Previous by thread: Bug#675748: Where is the show command?
Next by thread: Bug#997800: Missing "--fix-broken" in apt documentation
Index(es):
- Date
- Thread