Date: Fri, 23 Jul 2021 08:41:23 +0200
From: Henning Schild
To: Jan Kiszka
Cc: , Claudius Heine
Subject: Re: putting users into groups (created by packages)
Message-ID: <20210723084123.409fd3c8@md1za8fc.ad001.siemens.net>
In-Reply-To: <2ed2675d-f7f3-486a-665b-884611f55822@siemens.com>
References: <20210722183337.5ac359d2@md1za8fc.ad001.siemens.net> <2ed2675d-f7f3-486a-665b-884611f55822@siemens.com>

On Thu, 22 Jul 2021 20:27:08 +0200, Jan Kiszka wrote:

> On 22.07.21 18:33, Henning Schild wrote:
> > Hi,
> >
> > i just had a need to install docker and join a user into that group.
> > But even though the package would create the group ... i found
> > myself having to create the group anyways. Because we run
> > "ROOTFS_CONFIGURE_COMMAND" before installing packages.
> >
> > So i need
> >
> > +IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
> > +
> > +USER_admin[groups] += "docker"
> >
> > and
> >
> > +GROUPS += "docker"
> > +GROUPS_docker[flags] = "system"
> >
> > Would it not be nice to move "image_configure_accounts" into
> > ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
> > needed. Especially the last one is nasty ... because i have to mimic
> > the flags of a postinst.
> >
>
> When does debian preseed apply account settings, before or after
> installing packages? I would be surprised if they did that upfront
> but I also didn't check.

Worth checking for inspiration i guess. I do not see a reason why we
can not shift to POSTINST. Only that it would break existing layers.

- where groups to be created by packages already exist
- where packages that chown in postinst do not adduser

> Jan
>
> PS: As we are discussing wishlists: Would be nice to also accept
> clear-text passwords (just like preseed does) to allow picking them up
> from upcoming "kas menu". Yes, security implications are understood.

That sounds easy enough to do and like a good idea. I keep seeing
layers where the cleartext password is a comment above the hash, or the
cleartext password is in the README.

I guess if a user has a password, its cleartext will almost always
have to be written down somewhere ... most likely in the same
layer. The move to the hash was only to not have the cleartext in the
rootfs.

Henning
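
The ordering problem discussed in this message can be checked offline against a rootfs's `etc/group`. The script below is an added example, not part of the original message and not Isar code. It reports whether each group a user should join is missing at the current build stage, and whether an existing group is a system group. The function names, the sample group files and the GID threshold (Debian's adduser default `LAST_SYSTEM_GID=999`) are assumptions.

```shell
#!/bin/sh
# Added example: classify groups in a rootfs's etc/group without chroot or root.
# Assumption: system groups have GIDs <= 999 (Debian adduser default).
SYS_GID_MAX=999

# group_state ROOTFS GROUP -> prints "missing", "system" or "regular"
group_state() {
    awk -F: -v g="$2" -v max="$SYS_GID_MAX" '
        $1 == g { print (($3 + 0) <= max ? "system" : "regular"); found = 1; exit }
        END     { if (!found) print "missing" }
    ' "$1/etc/group"
}

# check_user_groups ROOTFS "grp1 grp2 ..." -> one line per group; returns 1 if
# any group is missing, i.e. adding the user to it would fail at this stage.
check_user_groups() {
    rootfs=$1; rc=0
    for g in $2; do
        state=$(group_state "$rootfs" "$g")
        echo "$g: $state"
        if [ "$state" = "missing" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample: etc/group before and after a package postinst has
# created the "docker" group as a system group.
make_sample_rootfs() {
    mkdir -p "$1/etc"
    printf 'root:x:0:\nsudo:x:27:\nadmin:x:1000:\n' > "$1/etc/group"
    if [ "$2" = "after-install" ]; then
        printf 'docker:x:998:\n' >> "$1/etc/group"
    fi
}

tmp=$(mktemp -d)
make_sample_rootfs "$tmp/pre" before-install
make_sample_rootfs "$tmp/post" after-install
echo "account setup before package install:"
check_user_groups "$tmp/pre" "sudo docker" || echo "=> group must be pre-created"
echo "account setup after package install:"
check_user_groups "$tmp/post" "sudo docker" && echo "=> no pre-creation needed"
rm -rf "$tmp"
```

A group reported as "regular" where the package would create it as "system" is the flag mismatch that has to be avoided when pre-creating the group by hand.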