Re: [PATCH] added 'isar-cfg-userpw' package

[Henning Schild <henning.schild@siemens.com>]

On Tue, 26 Feb 2019 20:47:25 +0100
Jan Kiszka <jan.kiszka@siemens.com> wrote:

> On 26.02.19 20:36, [ext] Jan Kiszka wrote:
> > On 25.02.19 11:34, [ext] Henning Schild wrote:  
> >> Hi,
> >>
> >> this is not related to the package. But to any package that goes
> >> through common.sh and checks the ids.
> >>
> >> https://groups.google.com/forum/#!searchin/isar-users/Align$20UID$20and$20GID$20%7Csort:date/isar-users/S5W8D3X4Lkg/n7HbASWnAwAJ 
> >>
> >>
> >> The result of this discussion was that we probably need to align
> >> the ids and hope we never get in trouble with the host. In this
> >> case we do!
> >>
> >> The alignment should be changed. If the group does exist (100)
> >> join the user and do not try and create a group. The check should
> >> be changed to make sure the gid is the main group gid, instead of
> >> 1000.  
> > 
> > FWIW, just ran into the same issue after purging my build folder
> > and retrying a clean "kas-docker --isar build". I'm not seeing it
> > with jailhouse-images where we do not use kas-docker yet and also
> > do not create the build folder outside of the container, thus with
> > host IDs.
> > 
> > So, this needs to be fixed in our kas-isar container, I suppose...  
> 
> No, the bug is really in common.sh, the container is fine:
> 
> That script checks for group names, which is probably pointless. In
> this case, we are in the right group, that group just has an alias
> called "builder", but was originally called "users".
> 
> Why the heck should we check the group?

Because that is the most conservative we can get to check the complete
file ownership. I guess we should keep checking the group but just make
sure the the current gid is the gid of the user.

- [ "$(id -gn)" != "builder" ]
+ [ "$(id -g)" != "$(id -g builder)"

... same for root.

Henning

> Jan
>