Bug #16604

buster: UID/GID stability?

Added by CyrilBrulebois 2019-03-22 09:33:31. Updated 2019-04-02 15:18:48.

Status: Resolved
Priority: High
Assignee:
Category: Build system
Target version:
Start date: 2019-03-22
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

I’ve just pushed commit:483c87dd82d35fa4aacf73911a34c4cbd043ca98 to fix the FTBFS due to a fuzzy patch, and stumbled upon a new issue.

I thought this had been disabled in buster but apparently not (as the last and only commit to this file is commit:46c028aa4b230fd76673b997a4bb2d3e4303b2f0, dated mid-2018):

Checking UIDs and GIDs stability
/usr/share/tails/build/passwd /etc/passwd differ: char 1256, line 24
/etc/passwd differs from expected:
--- /usr/share/tails/build/passwd   2019-03-20 09:28:36.000000000 +0000
+++ /etc/passwd 2019-03-22 09:13:40.039408082 +0000
@@ -21,13 +21,13 @@
 systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
 systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
 memlockd:x:104:109:memlockd system account,,,:/usr/lib/memlockd:/bin/false
-debian-tor:x:105:110::/var/lib/tor:/bin/false
-messagebus:x:106:112::/nonexistent:/usr/sbin/nologin
-monkeysphere:x:107:113:monkeysphere authentication user,,,:/var/lib/monkeysphere:/bin/bash
-colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
-saned:x:109:119::/var/lib/saned:/usr/sbin/nologin
-speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
-pulse:x:111:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+messagebus:x:105:110::/nonexistent:/usr/sbin/nologin
+debian-tor:x:106:111::/var/lib/tor:/bin/false
+monkeysphere:x:107:114:monkeysphere authentication user,,,:/var/lib/monkeysphere:/usr/sbin/nologin
+pulse:x:108:117:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+speech-dispatcher:x:109:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
+saned:x:110:120::/var/lib/saned:/usr/sbin/nologin
+colord:x:111:121:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
 hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
 Debian-gdm:x:113:122:Gnome Display Manager:/var/lib/gdm3:/bin/false
 tails-persistence-setup:x:114:123::/home/tails-persistence-setup:/usr/sbin/nologin
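Review bot: in the monkeysphere line the change is not limited to the IDs: the login shell goes from /bin/bash to /usr/sbin/nologin and the GID from 113 to 114, while the other six accounts in this hunk only change UID and/or GID values. If the reference file is regenerated from this output, confirm that the shell change is intended rather than folding it in with the renumbering.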
 config/chroot_local-hooks/99-zzz_check_uids_and_gids failed (exit non-zero). You should check for errors.

I’m not entirely sure what to do here.

Should it be fine to break this kind of stability when upgrading to a new major release? I’d think so.

This seems to be confirmed by this commit message:

commit 07a043876d99f321d3d87b5ee173a4095807a704
Author: intrigeri <intrigeri@boum.org>
Date:   Fri Jan 4 18:04:21 2019 +0000

    Re-introduce 04-change-gids-and-uids hook (refs: Bug #15854)

    We won't need it for Tails 4.0 but we'll probably need it later
    in the 4.x cycle. So let's bring the functions back but not call
    them for now.

So I’m tempted to update the reference file in the feature/buster branch with the file that’s currently being generated.

Thoughts?
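
An added example (not part of the original report or of the Tails build hooks): comparing the reference and generated passwd files by account name, instead of line by line, shows which fields actually moved for each account. The function names are hypothetical; the sample lines are copied from the diff in the description above.

```python
from typing import Dict, NamedTuple
class Account(NamedTuple):
    uid: int
    gid: int
    shell: str

def parse_passwd(text: str) -> Dict[str, Account]:
    """Index passwd(5) lines by account name."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        accounts[fields[0]] = Account(int(fields[2]), int(fields[3]), fields[6])
    return accounts

def changed_accounts(reference: str, generated: str) -> Dict[str, dict]:
    """Map each differing account to {field: (reference, generated)}."""
    ref, gen = parse_passwd(reference), parse_passwd(generated)
    report = {}
    for name in sorted(ref.keys() | gen.keys()):
        if name not in ref or name not in gen:
            report[name] = {"present": (name in ref, name in gen)}
            continue
        delta = {f: (a, b) for f, a, b
                 in zip(Account._fields, ref[name], gen[name]) if a != b}
        if delta:
            report[name] = delta
    return report

# Lines copied from the diff in the report ("-" side, then "+" side).
REFERENCE = """\
debian-tor:x:105:110::/var/lib/tor:/bin/false
messagebus:x:106:112::/nonexistent:/usr/sbin/nologin
monkeysphere:x:107:113:monkeysphere authentication user,,,:/var/lib/monkeysphere:/bin/bash
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
"""
GENERATED = """\
messagebus:x:105:110::/nonexistent:/usr/sbin/nologin
debian-tor:x:106:111::/var/lib/tor:/bin/false
monkeysphere:x:107:114:monkeysphere authentication user,,,:/var/lib/monkeysphere:/usr/sbin/nologin
speech-dispatcher:x:109:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
"""
if __name__ == "__main__":
    print(changed_accounts(REFERENCE, GENERATED))
```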


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #16290: Remove Scribus Resolved 2019-01-05
Blocks Tails - Feature #15182: Drop Qt4 on Buster Resolved 2019-01-05

History

#1 Updated by CyrilBrulebois 2019-03-22 09:34:28

#2 Updated by CyrilBrulebois 2019-03-22 09:35:44

#3 Updated by CyrilBrulebois 2019-03-22 09:35:57

#4 Updated by intrigeri 2019-03-24 06:37:02

> Should it be fine to break this kind of stability when upgrading to a new major release? I’d think so.
> […]
> So I’m tempted to update the reference file in the feature/buster branch with the file that’s currently being generated.

I understand that in this context, you mean “a new major release” == “a release that we won’t provide automatic (incremental) upgrades to”, such as 4.0, and not any Tails major release.

In such a release, you’re totally correct: it’s totally fine to reset those reference files, because it’s a requirement for disabling the UID/GID fixups in config/chroot_local-hooks/04-change-gids-and-uids. One has to restart from scratch there at some point, otherwise the renumbering dance will become unmanageable.

And while we’re at it, it would be a good time to stop installing monkeysphere (and dropping the corresponding tweaks — git grep monkeysphere -- config/chroot_local-*): it’s one of the obvious candidates for removal on Feature #15291 and if we don’t do that in 4.0, we’ll have to renumber craploads of UIDs/GIDs as soon as we’ll do this change. Feel free to do so directly in feature/buster.

#5 Updated by intrigeri 2019-04-02 08:36:19

  • Priority changed from Normal to High

#6 Updated by CyrilBrulebois 2019-04-02 09:55:46

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|0058e862ce2ae2eafd46d05ebd3abe847b724186.

#7 Updated by CyrilBrulebois 2019-04-02 13:34:18

intrigeri wrote:
> I understand that in this context, you mean “a new major release” == “a release that we won’t provide automatic (incremental) upgrades to”, such as 4.0, and not any Tails major release.

Yes, a partial rewording went wrong: I meant to mention “a new major release of Debian, meaning a big +1 on the Tails side”.

> In such a release, you’re totally correct: it’s totally fine to reset those reference files, because it’s a requirement for disabling the UID/GID fixups in config/chroot_local-hooks/04-change-gids-and-uids. One has to restart from scratch there at some point, otherwise the renumbering dance will become unmanageable.

ACK. We had to tweak some other bits (due to recent changes in buster), in addition to the removal of monkeysphere, mentioned below:

> And while we’re at it, it would be a good time to stop installing monkeysphere (and dropping the corresponding tweaks — git grep monkeysphere -- config/chroot_local-*): it’s one of the obvious candidates for removal on Feature #15291 and if we don’t do that in 4.0, we’ll have to renumber craploads of UIDs/GIDs as soon as we’ll do this change. Feel free to do so directly in feature/buster.

Currently waiting on some refreshed apparmor patch to get the new passwd/group files fed back into the feature/buster branch.

#8 Updated by intrigeri 2019-04-02 13:42:38

> Currently waiting on some refreshed apparmor patch

Done :)

#9 Updated by intrigeri 2019-04-02 13:43:49

#10 Updated by intrigeri 2019-04-02 13:43:52

#11 Updated by intrigeri 2019-04-02 15:18:48

  • Status changed from In Progress to Resolved