[0/3] Add sub dir for passwd files

Message ID 20231114203608.1490318-1-joakim.tjernlund@infinera.com

Message

Joakim Tjernlund Nov. 14, 2023, 8:34 p.m. UTC
These patches add the possibility to store passwd/shadow files
in a sub dir, like /etc/pwdb.
In a RO Root FS one can bind mount a writeable dir on /etc/pwdb
to support password changes etc.

This patchset is to probe whether OE would be interested in such a feature.


Joakim Tjernlund (3):
  base-passwd: Add PW_SUBDIR
  shadow: Add PW_SUBDIR
  pseudo: Add PW_SUBDIR

 .../base-passwd/base-passwd_3.5.29.bb         | 24 +++--
 meta/recipes-devtools/pseudo/pseudo.inc       | 11 ++-
 .../0001-Define-SUBUID_FILE-SUBGID_FILE.patch | 92 +++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc       | 30 +++++-
 4 files changed, 142 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-extended/shadow/files/0001-Define-SUBUID_FILE-SUBGID_FILE.patch

Comments

Ross Burton Nov. 29, 2023, 11:56 a.m. UTC | #1
On 14 Nov 2023, at 20:34, Joakim Tjernlund via lists.openembedded.org <Joakim.Tjernlund=infinera.com@lists.openembedded.org> wrote:
> 
> These patches add the possibility to store passwd/shadow files
> in a sub dir, like /etc/pwdb.
> In a RO Root FS one can bind mount a writeable dir on /etc/pwdb
> to support password changes etc.

What’s so special about passwd/shadow that they need special treatment for read-only rootfs?  What happens when you next want to support changes to /etc/group: do we add another variable for that, or re-use PW_SUBDIR?  What about /etc/hostname?  This has a scaling problem: it’s solving your one particular problem but not the general problem.

Anyway, isn’t this a solved problem by using overlayfs?

Ross
Joakim Tjernlund Nov. 29, 2023, 12:14 p.m. UTC | #2
On Wed, 2023-11-29 at 11:56 +0000, Ross Burton wrote:
> On 14 Nov 2023, at 20:34, Joakim Tjernlund via lists.openembedded.org <Joakim.Tjernlund=infinera.com@lists.openembedded.org> wrote:
> > 
> > These patches add the possibility to store passwd/shadow files
> > in a sub dir, like /etc/pwdb.
> > In a RO Root FS one can bind mount a writeable dir on /etc/pwdb
> > to support password changes etc.
> 
> What’s so special about passwd/shadow that they need special treatment for read-only rootfs?  What happens when you next want to support changes to /etc/group: do we add another variable for that, or re-use PW_SUBDIR?  What about /etc/hostname?  This has a scaling problem: it’s solving your one particular problem but not the general problem.
> 
You don't think most users want to change the default passwd in systems? group is included in this patch too, should you want to add/change groups.
/etc/hostname can be fixed by using a symlink, but managing passwd changes can not, as shadow does not follow symlinks. The --root/--prefix options
in shadow only work for the root user.

> Anyway, isn’t this a solved problem by using overlayfs?

That would create other problems: the underlying RO FS needs to stay unchanged over time, and a SW upgrade updating the RO FS can change
anything in /etc. Could also be considered a security issue, as one could update any file in /etc.

 Jocke

> 
> Ross
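The exchange above turns on one detail: a symlinked /etc/passwd does not survive a password change, while a writable directory at /etc/pwdb (the bind-mount approach from the cover letter) does. The script below is an added illustration, not code from the patch series or from shadow; it assumes, as shadow's tools do, that an update writes a temporary `<file>+` next to the target and renames it over the target, and it runs entirely in a temporary directory without root. On a real read-only rootfs the rename in scenario A would fail with EROFS; here it succeeds and replaces the symlink with a plain file, which shows the same thing: the writable copy behind the link is never updated.

```shell
#!/bin/sh
# Added example (not part of the patch series): why a symlinked passwd file
# breaks under temp-file-and-rename updates, while a writable subdir works.
# Assumption: the updater behaves like shadow's commonio (write "<file>+",
# then rename it over the target). All paths below are constructed.
set -eu

# Emulate the update: copy the current contents, append a record, rename over the target.
update_db() {
    target=$1
    newline=$2
    cat "$target" > "$target+"               # reading follows the symlink
    printf '%s\n' "$newline" >> "$target+"
    mv -f "$target+" "$target"               # rename(2) replaces the link itself, not its target
}

# Scenario A: etc/passwd is a symlink into a writable area (what a symlink on a RO rootfs looks like).
symlink_scenario() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/rw"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/rw/passwd"
    ln -s ../rw/passwd "$t/etc/passwd"
    update_db "$t/etc/passwd" "alice:x:1000:1000::/home/alice:/bin/sh"
    # After the rename, etc/passwd is a regular file and rw/passwd is unchanged.
    if [ -L "$t/etc/passwd" ]; then r=symlink_kept; else r=symlink_replaced; fi
    if grep -q '^alice:' "$t/rw/passwd"; then r="$r,rw_updated"; else r="$r,rw_stale"; fi
    rm -rf "$t"
    echo "$r"
}

# Scenario B: passwd lives in etc/pwdb, a directory that is itself writable (the bind-mount target).
subdir_scenario() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/pwdb"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/etc/pwdb/passwd"
    update_db "$t/etc/pwdb/passwd" "alice:x:1000:1000::/home/alice:/bin/sh"
    # The rename lands inside the writable directory, so the new record is where tools will read it.
    if grep -q '^alice:' "$t/etc/pwdb/passwd"; then r=subdir_updated; else r=subdir_stale; fi
    rm -rf "$t"
    echo "$r"
}

symlink_scenario   # prints: symlink_replaced,rw_stale
subdir_scenario    # prints: subdir_updated
```

On a real system the writable directory is supplied by a bind mount such as an fstab line of the form `/data/pwdb /etc/pwdb none bind 0 0` (the source path is an example); scoping the mount to that one directory, rather than overlaying all of /etc, is what keeps the rest of the read-only /etc immutable, which is the security property Jocke's reply is pointing at.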