AW: Fixed user ids

["Schultschik, Sven" <sven.schultschik@siemens.com>]

[-- Attachment #1: Type: text/plain, Size: 5994 bytes --]

Hi Henning,

I just found the image-account-extension.bbclass of ISAR with this you can
define user accounts in the kas yml file.

There I added now the newly added accounts for shellinabox and _llpdp with a
fixed id so the other dynamic generated uuids keep the same ids.
With the addition of an integration test, which checks the passwd and group
file for each version, it could be a good mix of both worlds.

-----Ursprüngliche Nachricht-----
Von: Henning Schild <henning.schild@siemens.com> 
Gesendet: Donnerstag, 2. September 2021 11:18
An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>
Cc: isar-users@googlegroups.com
Betreff: Re: Fixed user ids

Am Thu, 2 Sep 2021 10:08:15 +0200
schrieb "Schultschik, Sven (DI PA DCP R&D 2)"
<sven.schultschik@siemens.com>:

> Hi Henning,
> 
> true, but the problem is different.
> A little bit OT to understand the reason.
> We have a A/B firmware update with a third partition which contains 
> the /etc as overlay.

Ok understood. The proposed solution does not always create the same uids
and a build is not reproducible.

> Now the passwd is saved in third partition with the UIds of the V1.0 
> With the V1.1 two services and accounts are added. Now the build add 
> those new accounts and shift a lot of userids around. If you do then a 
> update from 1.0 to 1.1 the passwd from overlay overlays with different 
> Uids.
> 
> A big migration script is not a good way too, so some sort of fixing 
> some of the ids would keep the compatibility.

I think a migration script would in fact be a clean solution. It could be a
postinst to your swupdate and "chown/chmod" a few times. If that would end
up "big" you probably have a "bigger" problem. In fact that script could
call the actual postinst scripts of your "chowning"
packages.

If you really want to go down the road of fixes ids you can probably create
a package which conditionally creates all users with fixed ids.
You make all users DEBIAN_DEPEND on that and try to make sure it gets
installed pretty early. But if the debian base decides to claim one of
"your" ids you might be pretty much out of luck. Say 42 is free in stretch
but "suddenly taken" in bullseye.

My feeling is that fixed ids with a postinst of a package that gets
installed "very early" might be possible. You can get super-early by finding
a package in the bootstrap-set and appending a "Depends:".
But cleaner would be to let users be created with "random" ids and deal with
the chown in postinst and using swupdate in a similar postupdate.

regards,
Henning

> Regards
> Sven
> 
> -----Ursprüngliche Nachricht-----
> Von: Henning Schild <henning.schild@siemens.com>
> Gesendet: Mittwoch, 1. September 2021 17:55
> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>
> Cc: isar-users@googlegroups.com
> Betreff: Re: Fixed user ids
> 
> Hey,
> 
> pre-fixed user ids would be an anti-pattern and would only work if 
> debian would do it.
> 
> If you need files to be owned by a specific user you chown and 
> possibly chmod them in postinst. Using the name and not an id. You 
> create that user in case it is not already there.
> 
> 
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Filbers%2Fisar%2Fblob%2Fmaster%2Fdoc%2Fuser_manual.md%23home-d
> irectory-contents-prefilling&amp;data=04%7C01%7Csven.schultschik%40sie
> mens.com%7C67974e213b364875f8fb08d96df286f5%7C38ae3bcd95794fd4addab42e
> 1495d55a%7C1%7C0%7C637661710680057062%7CUnknown%7CTWFpbGZsb3d8eyJWIjoi
> MC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;
> sdata=1rLjd6yWUpBTQRYy5s%2FrSzxb4YF%2B54ns2nt3LO6gMXA%3D&amp;reserved=
> 0
> 
> and here the example postinst
> 
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Filbers%2Fisar%2Fblob%2Fmaster%2Fmeta-isar%2Frecipes-app%2Fexa
> mple-raw%2Ffiles%2Fpostinst&amp;data=04%7C01%7Csven.schultschik%40siem
> ens.com%7C67974e213b364875f8fb08d96df286f5%7C38ae3bcd95794fd4addab42e1
> 495d55a%7C1%7C0%7C637661710680057062%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiM
> C4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;s
> data=dPykBiiNg6PrShljhjdtGZoW4lKdlU%2FoazDq%2BTsxUow%3D&amp;reserved=0
> 
> This is also how debian does things. i.e. when a webserver needs the 
> user "www", all web-server packages would create that user if not 
> there, and chown/chmod based on the name.
> 
> I think every file in a debian package will always belong to 
> root:root, and deviations need to be chowned in postinst.
> 
> Henning
> 
> Am Wed, 1 Sep 2021 12:04:57 +0000
> schrieb "Schultschik, Sven" <sven.schultschik@siemens.com>:
> 
> > Hi ISAR users,
> > 
> >  
> > 
> > I’m currently thinking about to freeze the users and group ids.
> > 
> >  
> > 
> > I have different ideas in mind, but I wanted to ask which would be 
> > the best way with ISAR to generate fixed user and group ids.
> > 
> >  
> > 
> > Or do you just pre create all needed user accounts before installing 
> > the packages within the build process?
> > 
> >  
> > 
> > Mit freundlichen Grüßen
> > Sven Angelo Schultschik
> > 
> > Siemens AG
> > Digital Industries
> > Process Automation
> > Software House Khe
> > DI PA DCP R&D 2
> > Östliche Rheinbrückenstr. 50
> > 76187 Karlsruhe, Deutschland
> > Tel.: +49 721 6672-0128
> > Mobil: +49 162 4975705
> >  <mailto:sven.schultschik@siemens.com>
> > mailto:sven.schultschik@siemens.com <https://siemens.com> 
> > www.siemens.com
> > 
> > Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Jim 
> > Hagemann Snabe; Vorstand: Roland Busch, Vorsitzender; Cedrik Neike, 
> > Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Sitz der
> > Gesellschaft: Berlin und München, Deutschland; Registergericht:
> > Berlin-Charlottenburg, HRB 12300, München, HRB 6684; WEEE-Reg.-Nr.
> > DE 23691322
> >   
> 


[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 14944 bytes --]