Subject: Re: putting users into groups (created by packages)
From: Claudius Heine <ch@denx.de>
Organization: Denx Software Engineering
To: Henning Schild, Jan Kiszka
Cc: isar-users@googlegroups.com
Date: Fri, 23 Jul 2021 11:27:55 +0200
In-Reply-To: <20210723084123.409fd3c8@md1za8fc.ad001.siemens.net>
References: <20210722183337.5ac359d2@md1za8fc.ad001.siemens.net>
 <2ed2675d-f7f3-486a-665b-884611f55822@siemens.com>
 <20210723084123.409fd3c8@md1za8fc.ad001.siemens.net>
Hi,

On 2021-07-23 08:41, Henning Schild wrote:
> On Thu, 22 Jul 2021 20:27:08 +0200, Jan Kiszka wrote:
>
>> On 22.07.21 18:33, Henning Schild wrote:
>>> Hi,
>>>
>>> i just had a need to install docker and join a user into that group.
>>> But even though the package would create the group ... i found
>>> myself having to create the group anyways. Because we run
>>> "ROOTFS_CONFIGURE_COMMAND" before installing packages.
>>>
>>> So i need
>>>
>>> +IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
>>> +
>>> +USER_admin[groups] += "docker"
>>>
>>> and
>>>
>>> +GROUPS += "docker"
>>> +GROUPS_docker[flags] = "system"
>>>
>>> Would it not be nice to move "image_configure_accounts" into
>>> ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
>>> needed. Especially the last one is nasty ... because i have to mimic
>>> the flags of a postinst.

So a couple of points if we go that route.

- ROOTFS_CONFIGURE_COMMAND is executed in the `do_rootfs_install` step,
  together with (before) the installation of the system, while
  `ROOTFS_POSTPROCESS_COMMAND` is executed in its own `do_rootfs_postprocess`
  task. This means we also need to take a look at the implementation of the
  account creation, to see if it works in a separate task. It might already
  work, but it should still be checked if there are any missed cases or
  conditions where it fails (partial task execution and repeating of tasks,
  deleting stamps, etc.).

- Alternatively there is also ROOTFS_INSTALL_COMMAND, which could be used
  to create users...

- I don't really remember any reasons why I chose to put account creation
  in the configuration part instead of the post-process part, but that
  doesn't mean they don't exist :) Doing it as a post-process seems a bit
  too obvious now ;)

>> When does debian preseed apply account settings, before or after
>> installing packages? I would be surprised if they did that upfront
>> but I also didn't check.
>
> Worth checking for inspiration i guess. I do not see a reason why we
> can not shift to POSTINST. Only that it would break existing layers.
>
> - where groups to be created by packages already exist
> - where packages that chown in postinst do not adduser
>
>> Jan
>>
>> PS: As we are discussing wishlists: Would be nice to also accept
>> clear-text passwords (just like preseed does) to allow picking them up
>> from upcoming "kas menu". Yes, security implications are understood.
>
> That sounds easy enough to do and like a good idea. I keep seeing
> layers where the cleartext password is a comment above the hash, or the
> cleartext password is in the README. I guess if a user has a password,
> its cleartext will almost always have to be written down
> somewhere ... most likely in the same layer. The move to the hash was
> only to not have the cleartext in the rootfs.

The current implementation pipes the password to `chpasswd`, so it
doesn't appear in a `ps` listing at least.

Otherwise maybe we could switch between encrypted and clear text
passwords via a user flag:

    USER_user[flags] = "clear-text-password"

regards,
Claudius
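The two points of this thread, as an added example that is not Isar's own code: a small planner that turns an account configuration shaped like the GROUPS / USER_<name>[groups] / USER_<name>[flags] variables quoted above into groupadd, useradd and chpasswd invocations. It models which groups already exist at the stage the commands run (none in ROOTFS_CONFIGURE_COMMAND, package-created ones in ROOTFS_POSTPROCESS_COMMAND), feeds the password to chpasswd via stdin rather than argv, and treats the proposed "clear-text-password" flag as an assumption, choosing between `chpasswd` (which hashes) and `chpasswd -e` (which expects a crypt(3) hash).

```python
"""Plan the commands an Isar-style account config would run (added example,
not Isar's own code; the "clear-text-password" flag is the thread's proposal).
"""
import re

# crypt(3) hash as written by mkpasswd/chpasswd: $1$, $5$, $6$ or $y$ prefix
CRYPT_HASH = re.compile(r"^\$(1|5|6|y)\$[^$]+(\$[^$]+)?\$[./A-Za-z0-9]+$")


def plan_password(user, secret, flags=()):
    """Return (argv, stdin) for chpasswd; the secret goes via stdin, never argv."""
    if "clear-text-password" in flags:
        return ["chpasswd"], f"{user}:{secret}\n"  # chpasswd hashes it itself
    if not CRYPT_HASH.match(secret):
        # With -e a clear-text value would be stored verbatim as the "hash"
        # and the account could never log in: refuse instead of guessing.
        raise ValueError(f"{user}: password is not a crypt(3) hash")
    return ["chpasswd", "-e"], f"{user}:{secret}\n"


def plan_accounts(config, existing_groups=frozenset()):
    """Ordered (argv, stdin) list. existing_groups models /etc/group when the
    commands run: empty in ROOTFS_CONFIGURE_COMMAND, but holding package-created
    groups such as "docker" if the step moved to ROOTFS_POSTPROCESS_COMMAND."""
    plan, known = [], set(existing_groups)
    for group, flags in config.get("groups", {}).items():
        if group not in known:  # skip groups a package already created
            system = ["--system"] if "system" in flags else []
            plan.append((["groupadd"] + system + [group], None))
            known.add(group)
    for user, opts in config.get("users", {}).items():
        groups = list(opts.get("groups", ()))
        missing = [g for g in groups if g not in known]
        if missing:  # the situation from the thread: group not created yet
            raise ValueError(f"{user}: groups {missing} do not exist at this stage")
        extra = ["-G", ",".join(groups)] if groups else []
        plan.append((["useradd", "--create-home"] + extra + [user], None))
        if "password" in opts:
            plan.append(plan_password(user, opts["password"], opts.get("flags", ())))
    return plan


if __name__ == "__main__":
    # Constructed sample: the docker case from the thread with a clear-text password.
    cfg = {"groups": {"docker": ("system",)},
           "users": {"admin": {"groups": ("docker",), "password": "changeme",
                               "flags": ("clear-text-password",)}}}
    for argv, stdin in plan_accounts(cfg):
        print(" ".join(argv), "" if stdin is None else "<<< " + repr(stdin))
```

Running it with `existing_groups={"docker"}` drops the groupadd line, which is exactly the "GROUPS += docker" boilerplate the move to the post-process step would make unnecessary.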