From: Henning Schild <henning.schild@siemens.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: <isar-users@googlegroups.com>, Claudius Heine <ch@denx.de>
Subject: Re: putting users into groups (created by packages)
Date: Fri, 23 Jul 2021 08:41:23 +0200
Message-ID: <20210723084123.409fd3c8@md1za8fc.ad001.siemens.net>
In-Reply-To: <2ed2675d-f7f3-486a-665b-884611f55822@siemens.com>

On Thu, 22 Jul 2021 20:27:08 +0200
Jan Kiszka <jan.kiszka@siemens.com> wrote:

> On 22.07.21 18:33, Henning Schild wrote:
> > Hi,
> >
> > i just had a need to install docker and join a user into that group.
> > But even though the package would create the group ... i found
> > myself having to create the group anyways. Because we run
> > "ROOTFS_CONFIGURE_COMMAND" before installing packages.
> >
> > So i need
> >
> > +IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
> > +
> > +USER_admin[groups] += "docker"
> >
> > and
> >
> > +GROUPS += "docker"
> > +GROUPS_docker[flags] = "system"
> >
> > Would it not be nice to move "image_configure_accounts" into
> > ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
> > needed. Especially the last one is nasty ... because i have to mimic
> > the flags of a postinst.
> >
>
> When does debian preseed apply account settings, before or after
> installing packages? I would be surprised if they did that upfront
> but I also didn't check.

Worth checking for inspiration i guess. I do not see a reason why we
can not shift to POSTINST. Only that it would break existing layers.
- where groups to be created by packages already exist
- where packages that chown in postinst do not adduser

> Jan
>
> PS: As we are discussing wishlists: Would be nice to also accept
> clear-text passwords (just like preseed does) to allow picking them up
> from upcoming "kas menu". Yes, security implications are understood.

That sounds easy enough to do and like a good idea. I keep seeing
layers where the cleartext password is a comment above the hash, or the
cleartext password is in the README. I guess if a user has a password,
its cleartext will almost always have to be written down
somewhere ... most likely in the same layer. The move to the hash was
only to not have the cleartext in the rootfs.

Henning