* putting users into groups (created by packages)
From: Henning Schild @ 2021-07-22 16:33 UTC
To: isar-users, Claudius Heine

Hi,

i just had a need to install docker and join a user into that group.
But even though the package would create the group ... i found myself
having to create the group anyways. Because we run
"ROOTFS_CONFIGURE_COMMAND" before installing packages.

So i need

+IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
+
+USER_admin[groups] += "docker"

and

+GROUPS += "docker"
+GROUPS_docker[flags] = "system"

Would it not be nice to move "image_configure_accounts" into
ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
needed. Especially the last one is nasty ... because i have to mimic the
flags of a postinst.

Henning
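
Review bot: `GROUPS_docker[flags] = "system"` in the second fragment hard-codes a choice that the docker.io postinst would otherwise make, so the layer and the package can disagree later without any build error. If the two `GROUPS` lines have to stay, put a comment beside them saying they exist only because accounts are configured before packages are installed, so they get removed once that ordering changes.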

* Re: putting users into groups (created by packages)
From: Jan Kiszka @ 2021-07-22 18:27 UTC
To: Henning Schild, isar-users, Claudius Heine

On 22.07.21 18:33, Henning Schild wrote:
> Hi,
>
> i just had a need to install docker and join a user into that group.
> But even though the package would create the group ... i found myself
> having to create the group anyways. Because we run
> "ROOTFS_CONFIGURE_COMMAND" before installing packages.
>
> So i need
>
> +IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
> +
> +USER_admin[groups] += "docker"
>
> and
>
> +GROUPS += "docker"
> +GROUPS_docker[flags] = "system"
>
> Would it not be nice to move "image_configure_accounts" into
> ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
> needed. Especially the last one is nasty ... because i have to mimic the
> flags of a postinst.
>

When does debian preseed apply account settings, before or after
installing packages? I would be surprised if they did that upfront but I
also didn't check.

Jan

PS: As we are discussing wishlists: Would be nice to also accept
clear-text passwords (just like preseed does) to allow picking them up
from upcoming "kas menu". Yes, security implications are understood.

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

* Re: putting users into groups (created by packages)
From: Henning Schild @ 2021-07-23 6:41 UTC
To: Jan Kiszka; +Cc: isar-users, Claudius Heine

On Thu, 22 Jul 2021 20:27:08 +0200,
Jan Kiszka <jan.kiszka@siemens.com> wrote:

> On 22.07.21 18:33, Henning Schild wrote:
> > Hi,
> >
> > i just had a need to install docker and join a user into that group.
> > But even though the package would create the group ... i found
> > myself having to create the group anyways. Because we run
> > "ROOTFS_CONFIGURE_COMMAND" before installing packages.
> >
> > So i need
> >
> > +IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
> > +
> > +USER_admin[groups] += "docker"
> >
> > and
> >
> > +GROUPS += "docker"
> > +GROUPS_docker[flags] = "system"
> >
> > Would it not be nice to move "image_configure_accounts" into
> > ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
> > needed. Especially the last one is nasty ... because i have to mimic
> > the flags of a postinst.
> >
>
> When does debian preseed apply account settings, before or after
> installing packages? I would be surprised if they did that upfront
> but I also didn't check.

Worth checking for inspiration i guess. I do not see a reason why we
can not shift to POSTINST. Only that it would break existing layers.

- where groups to be created by packages already exist
- where packages that chown in postinst do not adduser

> Jan
>
> PS: As we are discussing wishlists: Would be nice to also accept
> clear-text passwords (just like preseed does) to allow picking them up
> from upcoming "kas menu". Yes, security implications are understood.

That sounds easy enough to do and like a good idea. I keep seeing
layers where the cleartext password is a comment above the hash, or the
cleartext password is in the README. I guess if a user has a password,
its cleartext will almost always have to be written down
somewhere ... most likely in the same layer. The move to the hash was
only to not have the cleartext in the rootfs.

Henning

* Re: putting users into groups (created by packages)
From: Claudius Heine @ 2021-07-23 9:27 UTC
To: Henning Schild, Jan Kiszka; +Cc: isar-users

Hi,

On 2021-07-23 08:41, Henning Schild wrote:
> On Thu, 22 Jul 2021 20:27:08 +0200,
> Jan Kiszka <jan.kiszka@siemens.com> wrote:
>
>> On 22.07.21 18:33, Henning Schild wrote:
>>> Hi,
>>>
>>> i just had a need to install docker and join a user into that group.
>>> But even though the package would create the group ... i found
>>> myself having to create the group anyways. Because we run
>>> "ROOTFS_CONFIGURE_COMMAND" before installing packages.
>>>
>>> So i need
>>>
>>> +IMAGE_PREINSTALL += "docker.io ca-certificates apparmor"
>>> +
>>> +USER_admin[groups] += "docker"
>>>
>>> and
>>>
>>> +GROUPS += "docker"
>>> +GROUPS_docker[flags] = "system"
>>>
>>> Would it not be nice to move "image_configure_accounts" into
>>> ROOTFS_POSTPROCESS_COMMAND? So these last two lines would not be
>>> needed. Especially the last one is nasty ... because i have to mimic
>>> the flags of a postinst.

So a couple of points if we go that route.

- ROOTFS_CONFIGURE_COMMAND is executed in the `do_rootfs_install`
  step, together with (before) the installation of the system, while
  `ROOTFS_POSTPROCESS_COMMAND` is executed in its own
  `do_rootfs_postprocess` task. This means we also need to take a look
  at the implementation of the account creation if it works in a
  separate task. It might already work, but it should still be checked
  if there are any missed cases or conditions where it fails. (partial
  task execution and repeating of tasks, deleting stamps, etc.)

- Alternatively there is also ROOTFS_INSTALL_COMMAND, which could be
  used to create users...

- I don't really remember any reasons why I chose to put account
  creation in the configuration part instead of the post-process part,
  but that doesn't mean they don't exist :) Doing it as a post-process
  seems a bit too obvious now ;)

>> When does debian preseed apply account settings, before or after
>> installing packages? I would be surprised if they did that upfront
>> but I also didn't check.
>
> Worth checking for inspiration i guess. I do not see a reason why we
> can not shift to POSTINST. Only that it would break existing layers.
>
> - where groups to be created by packages already exist
> - where packages that chown in postinst do not adduser
>
>> Jan
>>
>> PS: As we are discussing wishlists: Would be nice to also accept
>> clear-text passwords (just like preseed does) to allow picking them up
>> from upcoming "kas menu". Yes, security implications are understood.
>
> That sounds easy enough to do and like a good idea. I keep seeing
> layers where the cleartext password is a comment above the hash, or the
> cleartext password is in the README. I guess if a user has a password,
> its cleartext will almost always have to be written down
> somewhere ... most likely in the same layer. The move to the hash was
> only to not have the cleartext in the rootfs.

The current implementation pipes the password to `chpasswd`, so they
don't appear in a `ps` listing at least.

Otherwise maybe we could switch between encrypted and clear text
passwords via a user flag:

USER_user[flags] = "clear-text-password"

regards,
Claudius
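
Added example (not part of the original thread, and not Isar's code): a sketch of how the flag proposed above could select between `chpasswd` and `chpasswd -e` while the secret still goes in on stdin. `set_password` and `CHPASSWD_CMD` are hypothetical names introduced here; the flag string is the one proposed in the thread.

```shell
#!/bin/sh
# Added example: hypothetical helper, not Isar's image_configure_accounts.
# CHPASSWD_CMD is an assumption of this sketch: it defaults to chpasswd and
# can point at a stub so the logic can be exercised without root.
: "${CHPASSWD_CMD:=chpasswd}"

NL='
'

# set_password USER SECRET FLAGS
#   FLAGS is a space-separated list. "clear-text-password" (the flag name
#   proposed in the thread) means SECRET is plain text; otherwise SECRET is
#   treated as a crypt(3) hash and chpasswd is called with -e.
set_password() {
    sp_user=$1 sp_secret=$2 sp_flags=$3

    # chpasswd reads "name:password" lines, so a ':' in the name or a newline
    # in either field would change which account or which secret is set.
    case $sp_user in ''|*:*|*"$NL"*) return 1 ;; esac
    case $sp_secret in ''|*"$NL"*) return 1 ;; esac

    case " $sp_flags " in
        *" clear-text-password "*) sp_opt= ;;
        *) sp_opt=-e ;;
    esac

    # printf is a shell builtin: the secret travels over the pipe and never
    # becomes part of any process's argument vector, so `ps` cannot show it.
    printf '%s:%s\n' "$sp_user" "$sp_secret" | $CHPASSWD_CMD $sp_opt
}
```

Setting `CHPASSWD_CMD` to `chroot <rootfs> chpasswd` runs the same logic against an image root; `<rootfs>` is a placeholder.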