[Rpm-maint] rpm --chroot and glibc/nscd
Panu Matilainen
pmatilai at laiskiainen.org
Tue May 17 13:27:08 UTC 2011
On 05/12/2011 07:17 PM, Michael Schroeder wrote:
>
> Hi folks,
>
> we had lots of trouble with rpm's user and group handling in
> our kiwi system (which creates bootable ISOs). kiwi uses
> rpm --root to install the selected rpms into a directory,
> somehow we sometimes got wrong userids and groupids for
> files.
>
> It turns out the glibc and nscd are to blame. There seems
> to be no way to tell glibc to stop using nscd if it created
> a connection for some lookup. rpm always does lookups on
> startup, it has to get the home directory of the caller for
> example.
>
> Even if nscd is not started glibc's nss functions also cache
> their setting, so if you use some exotic nss module for
> authentication, it'll still be used after the chroot().
>
> At some point I basically gave up and wrote the attached
> patch. It changes rpmugUid/rpmugGid to do the lookup
> itself if a chroot() was done. I know it is a bit of a hack,
> but I have not found another way.

Did you try talking to glibc developers about this? Just asking so I
won't bother them again if they already told you to keep the pieces or
something to that effect...

> The patch also
> - fixes the cache usage. lastUnameLen/lastGnameLen were never
> set, so the code *always* did a getpwuid/gid call!
> - renames lastU/GnameLen to lastU/GnameAlloced in
> rpmugU/Gname, so that it is consistent with the
> rpmugU/Gid function.
>
> Even if you do not want the safe_lookup() part, having a
> rpmugChroot() function that calls endpwent()/endgrent() and
> drops the local caches if a chroot is done seems like a
> good idea.

Hmm, wouldn't it suffice to just store the rpmChrootDone() state in
rpmug and flush the caches etc when the chroot_done state has changed
between calls?

Other than that, will apply at least the other bits, I'll mull over the
safe_lookup() a bit (perhaps a bit academic but it might break if the
chrooted version is configured to use something else than files for user
information, but then it probably doesn't work now either due to glibc
remembering that stuff).

Thanks,
- Panu -
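
Added example, not part of the original thread and not the patch under discussion: a minimal sketch of the two ideas in this message, a files-only uid lookup that never goes through NSS or nscd, and a name cache that is flushed when the chroot state differs from the previous call. All function names are hypothetical, and the passwd path is a parameter so that two constructed files can stand in for the host and the chroot; like any files-only lookup, it gives wrong answers for a root that keeps its users somewhere other than its passwd file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names are hypothetical; this is not rpm's rpmug code. */
static struct { char name[256]; long uid; int valid, chroot; } cache = { "", -1, 0, -1 };

/* Read the uid for `name` straight from a passwd-format file (no NSS, no nscd).
 * Returns the uid, or -1 if the name is absent or its uid is not in 0..2^31-1. */
static long passwd_file_uid(const char *path, const char *name) {
    char line[1024], *p, *end;
    size_t n = strlen(name);
    long uid = -1;
    FILE *f = fopen(path, "r");
    while (f && uid < 0 && fgets(line, sizeof(line), f)) {
        if (strncmp(line, name, n) != 0 || line[n] != ':') continue;
        if (!(p = strchr(line + n + 1, ':'))) continue;   /* skip password field */
        unsigned long v = strtoul(p + 1, &end, 10);
        if (p[1] >= '0' && p[1] <= '9' && *end == ':' && v <= 0x7fffffffUL) uid = (long)v;
    }
    if (f) fclose(f);
    return uid;
}

/* Cached lookup; the cache is dropped when chroot_done differs from the last call. */
long lookup_uid(const char *path, int chroot_done, const char *name) {
    if (chroot_done != cache.chroot) { cache.valid = 0; cache.chroot = chroot_done; }
    if (cache.valid && strcmp(cache.name, name) == 0) return cache.uid;
    long uid = passwd_file_uid(path, name);
    cache.valid = uid >= 0 && strlen(name) < sizeof(cache.name);
    if (cache.valid) { strcpy(cache.name, name); cache.uid = uid; }
    return uid;
}

/* Helper for the demo: write a constructed passwd file; returns 0 on success. */
int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    int bad = !f || fputs(text, f) < 0;
    return (f && fclose(f) != 0) || bad ? -1 : 0;
}

int main(void) {
    write_file("host.passwd", "daemon:x:2:2::/:/bin/false\n");    /* constructed */
    write_file("image.passwd", "daemon:x:77:77::/:/bin/false\n"); /* constructed */
    long host = lookup_uid("host.passwd", 0, "daemon");   /* before chroot() */
    long image = lookup_uid("image.passwd", 1, "daemon"); /* state changed: cache flushed */
    printf("daemon: host uid %ld, image uid %ld\n", host, image);
    return 0;
}
```

In a real caller the path would be /etc/passwd opened after chroot(), and chroot_done would come from the caller's own record of whether it has chrooted.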