[Rpm-maint] [rpm-software-management/rpm] sysusers.d support applies %attr() ownership before creating sysusers (Issue #3073)
Martin Pitt
notifications at github.com
Fri May 3 04:14:49 UTC 2024
We are currently [trying to move our project to systemd-sysusers](https://github.com/cockpit-project/cockpit/pull/20365), away from manual `useradd` calls in the package's `%pre` script. The [rpm manual](https://rpm-software-management.github.io/rpm/manual/users_and_groups.html) claims
> Rpm >= 4.19 has native support for declarative user and group creation through integration with systemd’s [sysusers.d](https://www.freedesktop.org/software/systemd/man/sysusers.d.html) format. Packagers will only need to package a sysusers.d file for their custom users and groups in /usr/lib/sysusers.d and rpm will take care of the rest.
I tried that on current Fedora 40 (rpm-4.19.1.1-1.fc40.x86_64), and an initial version with a [clean approach](https://github.com/travier/cockpit/commit/5de9a7a54bc179156c4484582171a96e142df811) just adds a `%{_sysusersdir}/cockpit-ws.conf` file to the rpm. The diff doesn't show the existing
```
%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
```
in the spec, which makes use of the dynamic group.
The rpm build does create the "magic" provides:
```
# rpm -q --provides cockpit-ws
cockpit-ws = 316.dev27+g1dc9d3b8f-1.fc40
cockpit-ws(x86-64) = 316.dev27+g1dc9d3b8f-1.fc40
config(cockpit-ws) = 316.dev27+g1dc9d3b8f-1.fc40
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
user(cockpit-wsinstance) = dSBjb2NrcGl0LXdzaW5zdGFuY2UgLSAiVXNlciBmb3IgY29ja3BpdC13cyBpbnN0YW5jZXMiIC0A
# echo dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A | base64 -d
u cockpit-ws - "User for cockpit web service" -
```
On install it does create the sysusers, but it tries to apply the `%attr` *before* creating the users:
```
# rpm -i --verbose /var/tmp/build/cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64.rpm
Verifying packages...
Preparing packages...
cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-ws' with GID 979.
Creating user 'cockpit-ws' (User for cockpit web service) with UID 979 and GID 979.
Creating group 'cockpit-wsinstance' with GID 978.
Creating user 'cockpit-wsinstance' (User for cockpit-ws instances) with UID 978 and GID 978.
```
and after installation, /usr/libexec/cockpit-session has the wrong ownership (group root).
So for the docs to actually work, it needs to create the sysusers before unpacking (i.e. what a `%pre` script would do) from its "magic" provides or other internal .rpm metadata, or defer the `%attr()` application until after the initial unpacking of the files and sysusers creation.
I suppose that is the reason why the [Fedora packaging guidelines](https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation) have a completely different and very hackish approach -- they suggest duplicating the sysusers file downstream in the packaging dist-git, and using `%sysusers_create_compat` to basically create some `useradd` shell script out of the sysusers.d file. But this is awkward, error-prone, and a bit hard to automate for releases. It also feels backwards -- the whole point is to move and standardize all of this upstream.
I didn't find any existing upstream or Fedora downstream (bugzilla) bug report, so filing this one.
Thanks!
CC: @travier
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3073
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/3073 at github.com>
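An added example, not part of the original message or of rpm: a Python check that decodes the `user(...)`/`group(...)` provides and flags accounts that the install log fell back to root for and only created afterwards, which is the ordering problem reported above. The sample input is copied from the report; the function names are hypothetical, and the `user` form of the warning is assumed to mirror the `group` line shown.

```python
import base64
import re

# Sample input copied from the report above.
PROVIDES = """\
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
"""
INSTALL_LOG = """\
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-ws' with GID 979.
Creating user 'cockpit-ws' (User for cockpit web service) with UID 979 and GID 979.
Creating group 'cockpit-wsinstance' with GID 978.
"""

def decode_provides(text):
    """Map (kind, name) -> decoded sysusers.d line (or None) from `rpm -q --provides`."""
    out = {}
    for m in re.finditer(r"^(user|group)\(([^)]+)\)(?: = (\S+))?$", text, re.M):
        kind, name, blob = m.groups()
        # The payload is the base64 of the sysusers.d line plus a trailing NUL.
        out[(kind, name)] = (
            base64.b64decode(blob).decode().rstrip("\0") if blob else None
        )
    return out

def late_created(log):
    """Accounts rpm substituted root for, then created later in the same run."""
    fallback, hits = set(), []
    for line in log.splitlines():
        # The 'user' variant is assumed by analogy with the 'group' line on the page.
        w = re.match(r"warning: (user|group) (\S+) does not exist - using root", line)
        c = re.match(r"Creating (user|group) '([^']+)'", line)
        if w:
            fallback.add((w[1], w[2]))
        elif c and (c[1], c[2]) in fallback:
            hits.append((c[1], c[2]))
    return hits

def misordered(provides, log):
    """Late-created accounts that the package itself declares in its provides."""
    declared = decode_provides(provides)
    return [acct for acct in late_created(log) if acct in declared]

if __name__ == "__main__":
    for kind, name in misordered(PROVIDES, INSTALL_LOG):
        print(f"{kind} {name}: %attr() fell back to root before sysusers creation")
```

Any file whose `%attr()` names a flagged account should be re-checked after install, since its on-disk ownership will not match what the spec declares.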