From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 7002935164998254592 X-Received: by 2002:adf:c451:: with SMTP id a17mr4243173wrg.254.1630593428104; Thu, 02 Sep 2021 07:37:08 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:adf:a314:: with SMTP id c20ls3160820wrb.2.gmail; Thu, 02 Sep 2021 07:37:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwmpmOeyJAkOkgO9H5uRF5YsXEzDTKvRoikmaJ7UXVNMn4YGge1YDWmYYLK3eN/4et1kOKQ X-Received: by 2002:adf:fc4f:: with SMTP id e15mr4109110wrs.95.1630593427080; Thu, 02 Sep 2021 07:37:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630593427; cv=none; d=google.com; s=arc-20160816; b=OEWU3aVzavQquaUT0TdpE1Hsq4FerE683nj+tLePlAn07WCZql6XHpAuDT/CFkDBxf qy0eYj7IF4CMaEB0/at+yn9iykEgj/QTCHRg30u2Lk7yYqKV0DElG4WFjT3+LXJZ1byJ yQt9Y6AjaPdJdLSVrOqqOoaqLH4xkjPEj9VhE6Rf0PklVMuIBvDVxpHHhq2hBDuh8l4o GalNOiFVuOnM23htBm9o9ML3DzHdjFLfkqsYB8LJD3gbB3uhVMtWQske/zuQX3ZG7My1 3eNPvgUxEYXaRbBcv997NGg94G/H0nQYnO6LD+t2jk+TZalXAX0UVbCLWrvIm7lZX0jV wMNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date; bh=/oM8gUt/oNrr03sDM4stykWRHPOge3tTqC+YR8KDVVY=; b=OkEtaP6zgW65Q5veDT2DVDh4be7i34EBjIxiI8wn2qpU8p6jQHr4SCFDCqomVj50PZ yIsdrvTOI1uiae6hCS/+nhty3sFrs/PQpEV3Q0Y/t0MottCbxs6WE+eQXFF7jjtIpASG 0f7qv70qdjIcuXBWYJ00veUL4+P+6iIqI9qJV0fBNv0lKEOBLrNYufvB77x9A1NVLMMJ 0gDy5MeCfMT+Qbir3sSAX5eBMjRZurp6P4d3B08+vA57ps0b8ylNIUzQgF/gmFscsXXj P28PvIp/pqXHDezBuFdwfTdQj3IlP86BlPs+y2OvzgH0p8cAXuvgXJWhIOkpv2jncB5P 0e1Q== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=henning.schild@siemens.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com Return-Path: Received: from goliath.siemens.de (goliath.siemens.de. [192.35.17.28]) by gmr-mx.google.com with ESMTPS id q137si138110wme.1.2021.09.02.07.37.06 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 Sep 2021 07:37:07 -0700 (PDT) Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) client-ip=192.35.17.28; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=henning.schild@siemens.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id 182Eb6Ym002043 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Thu, 2 Sep 2021 16:37:06 +0200 Received: from md1za8fc.ad001.siemens.net ([139.25.0.59]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id 182Eb6RU023212; Thu, 2 Sep 2021 16:37:06 +0200 Date: Thu, 2 Sep 2021 16:37:05 +0200 From: Henning Schild To: "Schultschik, Sven" Cc: "isar-users@googlegroups.com" Subject: Re: Fixed user ids Message-ID: <20210902163705.4c51acf0@md1za8fc.ad001.siemens.net> In-Reply-To: References: <20210901175433.2b76961a@md1za8fc.ad001.siemens.net> <20210902111733.02f82926@md1za8fc.ad001.siemens.net> X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-TUID: AQghGPVNvsyP Am Thu, 2 Sep 2021 13:48:00 +0000 schrieb "Schultschik, Sven" : > Hi Henning, >=20 > I just found the image-account-extension.bbclass of ISAR with this > you can define user accounts in the kas yml file. >=20 > There I added now the newly added accounts for shellinabox and _llpdp > with a fixed id so the other dynamic generated uuids keep the same > ids. With the addition of an integration test, which checks the > passwd and group file for each version, it could be a good mix of > both worlds. Sure, forgot to tell you about that one ;). It in fact runs pretty early but i was considering proposing a move to run it very late. That was discussed in "putting users into groups (created by packages)". If i was you i would still try to do user creation and chown all in posinst of packages. That is just more modular and flexible. The image-account-extension was mainly born out of the need to set passwords. We used to do that with postinst until we found that postinst scripts remain in the filesystem ... so clear text passwords ended up in the filesystem, even world readable. That is when the extension was born ... and it offers much more, but probably one might want to "use it only for passwords". Henning > -----Urspr=C3=BCngliche Nachricht----- > Von: Henning Schild =20 > Gesendet: Donnerstag, 2. September 2021 11:18 > An: Schultschik, Sven (DI PA DCP R&D 2) > Cc: isar-users@googlegroups.com > Betreff: Re: Fixed user ids >=20 > Am Thu, 2 Sep 2021 10:08:15 +0200 > schrieb "Schultschik, Sven (DI PA DCP R&D 2)" > : >=20 > > Hi Henning, > >=20 > > true, but the problem is different. > > A little bit OT to understand the reason. > > We have a A/B firmware update with a third partition which contains=20 > > the /etc as overlay. =20 >=20 > Ok understood. The proposed solution does not always create the same > uids and a build is not reproducible. >=20 > > Now the passwd is saved in third partition with the UIds of the > > V1.0 With the V1.1 two services and accounts are added. Now the > > build add those new accounts and shift a lot of userids around. If > > you do then a update from 1.0 to 1.1 the passwd from overlay > > overlays with different Uids. > >=20 > > A big migration script is not a good way too, so some sort of > > fixing some of the ids would keep the compatibility. =20 >=20 > I think a migration script would in fact be a clean solution. It > could be a postinst to your swupdate and "chown/chmod" a few times. > If that would end up "big" you probably have a "bigger" problem. In > fact that script could call the actual postinst scripts of your > "chowning" packages. >=20 > If you really want to go down the road of fixes ids you can probably > create a package which conditionally creates all users with fixed ids. > You make all users DEBIAN_DEPEND on that and try to make sure it gets > installed pretty early. But if the debian base decides to claim one of > "your" ids you might be pretty much out of luck. Say 42 is free in > stretch but "suddenly taken" in bullseye. >=20 > My feeling is that fixed ids with a postinst of a package that gets > installed "very early" might be possible. You can get super-early by > finding a package in the bootstrap-set and appending a "Depends:". > But cleaner would be to let users be created with "random" ids and > deal with the chown in postinst and using swupdate in a similar > postupdate. >=20 > regards, > Henning >=20 > > Regards > > Sven > >=20 > > -----Urspr=C3=BCngliche Nachricht----- > > Von: Henning Schild > > Gesendet: Mittwoch, 1. September 2021 17:55 > > An: Schultschik, Sven (DI PA DCP R&D 2) > > Cc: isar-users@googlegroups.com > > Betreff: Re: Fixed user ids > >=20 > > Hey, > >=20 > > pre-fixed user ids would be an anti-pattern and would only work if=20 > > debian would do it. > >=20 > > If you need files to be owned by a specific user you chown and=20 > > possibly chmod them in postinst. Using the name and not an id. You=20 > > create that user in case it is not already there. > >=20 > >=20 > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgith > > ub.com%2Filbers%2Fisar%2Fblob%2Fmaster%2Fdoc%2Fuser_manual.md%23home-d > > irectory-contents-prefilling&data=3D04%7C01%7Csven.schultschik%40sie > > mens.com%7C67974e213b364875f8fb08d96df286f5%7C38ae3bcd95794fd4addab42e > > 1495d55a%7C1%7C0%7C637661710680057062%7CUnknown%7CTWFpbGZsb3d8eyJWIjoi > > MC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000& > > sdata=3D1rLjd6yWUpBTQRYy5s%2FrSzxb4YF%2B54ns2nt3LO6gMXA%3D&reserved= =3D > > 0 > >=20 > > and here the example postinst > >=20 > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgith > > ub.com%2Filbers%2Fisar%2Fblob%2Fmaster%2Fmeta-isar%2Frecipes-app%2Fexa > > mple-raw%2Ffiles%2Fpostinst&data=3D04%7C01%7Csven.schultschik%40siem > > ens.com%7C67974e213b364875f8fb08d96df286f5%7C38ae3bcd95794fd4addab42e1 > > 495d55a%7C1%7C0%7C637661710680057062%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiM > > C4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&s > > data=3DdPykBiiNg6PrShljhjdtGZoW4lKdlU%2FoazDq%2BTsxUow%3D&reserved= =3D0 > >=20 > > This is also how debian does things. i.e. when a webserver needs > > the user "www", all web-server packages would create that user if > > not there, and chown/chmod based on the name. > >=20 > > I think every file in a debian package will always belong to=20 > > root:root, and deviations need to be chowned in postinst. > >=20 > > Henning > >=20 > > Am Wed, 1 Sep 2021 12:04:57 +0000 > > schrieb "Schultschik, Sven" : > > =20 > > > Hi ISAR users, > > >=20 > > > =20 > > >=20 > > > I=E2=80=99m currently thinking about to freeze the users and group id= s. > > >=20 > > > =20 > > >=20 > > > I have different ideas in mind, but I wanted to ask which would > > > be the best way with ISAR to generate fixed user and group ids. > > >=20 > > > =20 > > >=20 > > > Or do you just pre create all needed user accounts before > > > installing the packages within the build process? > > >=20 > > > =20 > > >=20 > > > Mit freundlichen Gr=C3=BC=C3=9Fen > > > Sven Angelo Schultschik > > >=20 > > > Siemens AG > > > Digital Industries > > > Process Automation > > > Software House Khe > > > DI PA DCP R&D 2 > > > =C3=96stliche Rheinbr=C3=BCckenstr. 50 > > > 76187 Karlsruhe, Deutschland > > > Tel.: +49 721 6672-0128 > > > Mobil: +49 162 4975705 > > > > > > mailto:sven.schultschik@siemens.com =20 > > > www.siemens.com > > >=20 > > > Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Jim=20 > > > Hagemann Snabe; Vorstand: Roland Busch, Vorsitzender; Cedrik > > > Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Sitz der > > > Gesellschaft: Berlin und M=C3=BCnchen, Deutschland; Registergericht: > > > Berlin-Charlottenburg, HRB 12300, M=C3=BCnchen, HRB 6684; WEEE-Reg.-N= r. > > > DE 23691322 > > > =20 > > =20 >=20