Bug #15407
Prevent system user uid:s and gid:s from changing between releases
100%
Description
In Tails 3.6 the uid and gid are different compared to previous releases, making incremental upgrades impossible. I.e. it is Bug #13426 all over again (see discussion there for details on why it breaks incremental upgrades). Let’s fix this for good this time!
The automatic upgrade bug this will fix was identified in aufs. Assuming overlayfs hasn’t this bug:
- either Feature #15281 is done strictly before Feature #8415, and then we need to implement this ticket as part of Feature #15281;
- or Feature #8415 is done before Feature #15281 (or simultaneously), and then we can reject this ticket after confirming that overlayfs is not affected.
Files
Subtasks
Related issues
Related to Tails - | Resolved | 2017-07-05
Related to Tails - | Resolved | 2018-06-28
Related to Tails - | Rejected | 2018-03-16
Related to Tails - | Resolved | 2014-12-18
Related to Tails - | Resolved | 2018-06-30
History
#1 Updated by anonym 2018-03-13 15:00:54
- blocks Feature #13245: Core work 2018Q1: Foundations Team added
#2 Updated by anonym 2018-03-13 15:01:16
- related to Bug #13426: Tor does not start on Tails 3.0.1 automatically upgraded from 3.0 added
#3 Updated by anonym 2018-03-13 15:04:19
The real solution is Feature #8415 (see Bug #13426#note-10) but we probably want to solve it before that by hardcoding the uid:s and gid:s that the system users get, somehow.
#4 Updated by anonym 2018-03-14 14:55:51
- File passwd-3.5 added
- File passwd-3.6 added
- File passwd-3.6-rc1 added
So in Tails 3.5 the debian-tor uid was 108 and in Tails 3.6 it is 107, which causes this new instance of Bug #13426. The reason is simple: in Tails 3.5 we have the systemd-bus-proxy user, but it is not present in Tails 3.6 due to the systemd upgrade.
(Now you might wonder why we didn’t catch this when testing Tails 3.6~rc1, since the systemd upgrade was in by then. Well, for some reason (I failed to find why) the Debian-exim user was added in Tails 3.6~rc1 only, which “took” systemd-bus-proxy’s place so the uid for debian-tor was the same as in Tails 3.5. Talk about bad luck! :/)
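The drift described in note #4 can be caught by comparing the passwd files of two releases. The following is an added example, not part of the ticket or of the Tails code base; the passwd excerpts are constructed (only debian-tor's 108 to 107 change and the removal of systemd-bus-proxy come from the ticket), and the system-ID ceiling of 999 is assumed from Debian's adduser defaults.

```python
# Constructed passwd excerpts, not the attached passwd-3.5 / passwd-3.6 files.
# From the ticket: debian-tor is UID 108 then 107, and systemd-bus-proxy is
# gone in the newer release. Every other name and number is made up.
PASSWD_OLD = """\
root:x:0:0:root:/root:/bin/bash
systemd-bus-proxy:x:106:111::/run/systemd:/bin/false
messagebus:x:107:112::/var/run/dbus:/bin/false
debian-tor:x:108:113::/var/lib/tor:/bin/false
amnesia:x:1000:1000::/home/amnesia:/bin/bash
"""
PASSWD_NEW = """\
root:x:0:0:root:/root:/bin/bash
messagebus:x:106:111::/var/run/dbus:/bin/false
debian-tor:x:107:112::/var/lib/tor:/bin/false
amnesia:x:1000:1000::/home/amnesia:/bin/bash
"""
LAST_SYSTEM_ID = 999  # assumption: Debian adduser's default LAST_SYSTEM_UID


def parse_passwd(text):
    """Map account name -> (uid, gid); reject lines that are not 7 fields."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def id_drift(old_text, new_text):
    """Return (changed, removed, reused) for system accounts between releases."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    system = {n for n, (uid, _) in old.items() if uid <= LAST_SYSTEM_ID}
    changed = {n: (old[n], new[n]) for n in system & new.keys() if old[n] != new[n]}
    removed = sorted(system - new.keys())
    # A UID that now names a different account: files owned by the old
    # numeric UID appear to belong to the new account after an upgrade.
    old_owner = {old[n][0]: n for n in system}
    reused = {uid: (old_owner[uid], n) for n, (uid, _) in new.items()
              if uid in old_owner and old_owner[uid] != n}
    return changed, removed, reused


if __name__ == "__main__":
    changed, removed, reused = id_drift(PASSWD_OLD, PASSWD_NEW)
    for name, (before, after) in sorted(changed.items()):
        print(f"CHANGED {name}: uid:gid {before} -> {after}")
    print("REMOVED", removed, "REUSED", reused)
```

A non-empty `changed` or `reused` result is the condition that would fail a release check of this kind.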
#5 Updated by intrigeri 2018-03-16 16:47:40
- related to Bug #15419: Detect earlier in the dev process if we're breaking automatic upgrades added
#6 Updated by intrigeri 2018-03-16 16:49:21
- Assignee deleted (intrigeri)
- Target version changed from Tails_3.7 to Tails_4.0
Sadly, there won’t be incremental upgrades to the first release that includes the proper fix suggested on this ticket (using fixed UID+GID for the debian-tor user and possibly a few others). So I think we should do this in 4.0. I’m thus postponing this ticket accordingly. In passing, another option would be to use systemd dynamic users but it’s much more involved.
See Bug #15419 and Bug #15418 for the shorter-term workarounds.
#7 Updated by intrigeri 2018-03-16 17:14:57
- Assignee set to segfault
- Target version changed from Tails_4.0 to Tails_3.6.1
Actually there’s an ugly way (config/chroot_local-hooks/04-change-gids-and-uids) to freeze UID:s/GID:s without breaking automatic upgrades. segfault is giving it a try.
#8 Updated by segfault 2018-03-16 20:02:07
- related to Bug #15424: Use fixed UID and GID for debian-tor added
#9 Updated by intrigeri 2018-03-16 20:51:44
- Assignee deleted (segfault)
- Target version changed from Tails_3.6.1 to Tails_4.0
What segfault has prepared (Bug #15424) is a small subset of what this ticket is about.
#10 Updated by intrigeri 2018-03-21 13:41:18
- Parent task set to Feature #15281
#11 Updated by intrigeri 2018-03-22 08:24:28
- Description updated
#12 Updated by intrigeri 2018-03-22 08:24:42
- blocked by deleted (Feature #13245: Core work 2018Q1: Foundations Team)
#13 Updated by intrigeri 2018-03-28 09:23:29
- Target version changed from Tails_4.0 to Tails_3.8
#14 Updated by intrigeri 2018-04-11 09:29:01
- Description updated
#15 Updated by intrigeri 2018-04-14 08:16:50
- Assignee set to intrigeri
See Bug #15424#note-12 for updates. During next cycle I want to make a decision wrt. the timing/relevance of this task (see ticket description) and then make sure the corresponding work is assigned to someone.
#16 Updated by intrigeri 2018-04-14 08:17:15
- blocks Feature #15139: Core work 2018Q2: Foundations Team added
#17 Updated by intrigeri 2018-06-19 16:28:48
- Target version changed from Tails_3.8 to Tails_3.9
#18 Updated by intrigeri 2018-06-28 13:59:03
- blocked by deleted (Feature #15139: Core work 2018Q2: Foundations Team)
#19 Updated by intrigeri 2018-06-28 13:59:04
- blocks Feature #15334: Core work 2018Q3: Foundations Team added
#20 Updated by intrigeri 2018-06-28 20:35:01
- Description updated
#21 Updated by intrigeri 2018-06-28 20:35:52
- related to Feature #8415: Migrate from aufs to overlayfs added
#22 Updated by intrigeri 2018-06-28 20:39:21
- blocked by Bug #15689: Test if overlayfs is affected by the DAC bug wrt. incremental upgrades changing UID/GID added
#23 Updated by intrigeri 2018-06-28 20:48:58
- blocks deleted (Bug #15689: Test if overlayfs is affected by the DAC bug wrt. incremental upgrades changing UID/GID)
#24 Updated by intrigeri 2018-06-28 20:49:32
- Assignee deleted (intrigeri)
#25 Updated by intrigeri 2018-06-28 20:49:40
- blocked by deleted (Feature #15334: Core work 2018Q3: Foundations Team)
#26 Updated by intrigeri 2018-06-28 20:55:52
- Target version deleted (Tails_3.9)
#27 Updated by intrigeri 2018-06-30 12:48:26
- related to Bug #15695: Avoid breaking automatic upgrades to Tails 3.9 added
#28 Updated by intrigeri 2018-08-14 14:59:29
- Status changed from Confirmed to In Progress
- Assignee set to segfault
- Target version set to Tails_3.9
- QA Check set to Ready for QA
The branch for Bug #15695 does this.
#29 Updated by intrigeri 2018-08-14 15:00:02
- Feature Branch set to bugfix/15695-avoid-breaking-automatic-upgrades-to-tails-3-9
#30 Updated by intrigeri 2018-08-14 15:49:31
- Assignee changed from segfault to CyrilBrulebois
#31 Updated by CyrilBrulebois 2018-08-14 16:30:38
- Assignee changed from CyrilBrulebois to intrigeri
- QA Check changed from Ready for QA to Pass
- Feature Branch changed from bugfix/15695-avoid-breaking-automatic-upgrades-to-tails-3-9 to kibi:bugfix/15695-avoid-breaking-automatic-upgrades-to-tails-3-9
The changes look good to me, even if there were quite a few merges and fixups needed.
I’ve pushed a branch with the same name to my repository, only with a few squashed commits. git diff against the branch on the main repository shows no differences.
We could probably compare sorted lists, but after discussion with intrigeri, that looks to be happening seldom enough that it’s not worth the cost.
#32 Updated by intrigeri 2018-08-14 16:54:09
- Status changed from In Progress to Fix committed
- Assignee deleted (intrigeri)
- % Done changed from 0 to 100
#33 Updated by intrigeri 2018-09-05 16:21:29
- Status changed from Fix committed to Resolved