* /etc/passwd thoughts
@ 2009-06-12 20:19 Warren Togami
From: Warren Togami @ 2009-06-12 20:19 UTC (permalink / raw)
  To: initramfs

[warren@newcaprica dracut]$ grep -r \/etc\/passwd *
modules.d/95nfs/install:dracut_install /etc/netconfig /etc/passwd /etc/services
modules.d/95nfs/install:#echo "rpc:x:32:32:Rpcbind:/var/lib/rpcbind:/bin/false" >> "$initdir/etc/passwd"
modules.d/90mdraid/install:inst /etc/passwd

It seems that we want an /etc/passwd for certain things in the initrd 
image, but is it really necessary for it to copy whatever users are on 
the generating system into the image?

Could we do anything else?

Warren Togami
wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: /etc/passwd thoughts
@ 2009-06-12 20:20   ` Bill Nottingham
From: Bill Nottingham @ 2009-06-12 20:20 UTC (permalink / raw)
  To: Warren Togami; +Cc: initramfs

Warren Togami (wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org) said: 
> [warren@newcaprica dracut]$ grep -r \/etc\/passwd *
> modules.d/95nfs/install:dracut_install /etc/netconfig /etc/passwd  
> /etc/services
> modules.d/95nfs/install:#echo  
> "rpc:x:32:32:Rpcbind:/var/lib/rpcbind:/bin/false" >> 
> "$initdir/etc/passwd"
> modules.d/90mdraid/install:inst /etc/passwd
>
> It seems that we want an /etc/passwd for certain things in the initrd  
> image, but is it really necessary for it to copy whatever users are on  
> the generating system into the image?

If daemons we want/need to start want to drop privileges... yes.

Bill

* Re: /etc/passwd thoughts
@ 2009-06-12 20:23       ` Warren Togami
From: Warren Togami @ 2009-06-12 20:23 UTC (permalink / raw)
  To: initramfs

On 06/12/2009 04:20 PM, Bill Nottingham wrote:
> Warren Togami (wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org) said:
>> [warren@newcaprica dracut]$ grep -r \/etc\/passwd *
>> modules.d/95nfs/install:dracut_install /etc/netconfig /etc/passwd
>> /etc/services
>> modules.d/95nfs/install:#echo
>> "rpc:x:32:32:Rpcbind:/var/lib/rpcbind:/bin/false">>
>> "$initdir/etc/passwd"
>> modules.d/90mdraid/install:inst /etc/passwd
>>
>> It seems that we want an /etc/passwd for certain things in the initrd
>> image, but is it really necessary for it to copy whatever users are on
>> the generating system into the image?
>
> If daemons we want/need to start want to drop privileges... yes.
>

But it is also pulling in user accounts.

It seems the above modules.d/95nfs/install creates its own /etc/passwd 
entry that it expects to be there.  Why can't we do this for all cases 
where something in the initrd needs an /etc/passwd entry?

Warren Togami
wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org

* Re: /etc/passwd thoughts
@ 2009-06-12 21:21           ` Seewer Philippe
From: Seewer Philippe @ 2009-06-12 21:21 UTC (permalink / raw)
  To: Warren Togami; +Cc: initramfs

Warren Togami wrote:
> On 06/12/2009 04:20 PM, Bill Nottingham wrote:
>> Warren Togami (wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org) said:
>>> [warren@newcaprica dracut]$ grep -r \/etc\/passwd *
>>> modules.d/95nfs/install:dracut_install /etc/netconfig /etc/passwd
>>> /etc/services
>>> modules.d/95nfs/install:#echo
>>> "rpc:x:32:32:Rpcbind:/var/lib/rpcbind:/bin/false">>
>>> "$initdir/etc/passwd"
>>> modules.d/90mdraid/install:inst /etc/passwd
>>>
>>> It seems that we want an /etc/passwd for certain things in the initrd
>>> image, but is it really necessary for it to copy whatever users are on
>>> the generating system into the image?
>>
>> If daemons we want/need to start want to drop privileges... yes.
>>
> 
> But it is also pulling in user accounts.
> 
> It seems the above modules.d/95nfs/install creates its own /etc/passwd 
> entry that it expects to be there.  Why can't we do this for all cases 
> where something in the initrd needs an /etc/passwd entry?

Actually 95nfs doesn't create its own entry. The part is commented out. 
But I agree we should do something about the passwd case.

Question: Who really needs passwd entries?

* Re: /etc/passwd thoughts
@ 2009-06-13  2:12               ` David Dillow
From: David Dillow @ 2009-06-13  2:12 UTC (permalink / raw)
  To: Seewer Philippe; +Cc: Warren Togami, initramfs

On Fri, 2009-06-12 at 23:21 +0200, Seewer Philippe wrote:
> Actually 95nfs doesn't create its own entry. The part is commented out.

Right; I'm torn on this. We want to support both portmap and rpcbind,
and at least rpcbind needs a user to run as -- it won't run without it.
I don't know what portmap wants.

I have it copying the passwd file as that seemed to be the most
distro-agnostic way I could do it.

I see a few options --
1) Copy /etc/passwd from the distro into the initrd; exposes user names,
but passwords should be in /etc/shadow and hence not copied.
2) Make our own users for rpcbind (and portmap if different) and just
use that. rpcbind gets killed before we transition to root, so the uid
doesn't have to match up.
3) Remove the need for rpcbind/portmap. Get mount fixed so it doesn't
try to look for rpc.statd for NFSv4; also figure out a way to keep the
kernel from trying to talk to rpcbind/portmap when mounting an NFSv4
volume.
3b) don't support locks at all on NFS roots, NFSv4 or otherwise. I don't
like this, it artificially restricts options.

> But I agree we should do something about the passwd case.
> 
> Question: Who really needs passwd entries?

rpcbind, as above. I don't know about iSCSI, is there a user-space
component that persists and wants to drop permissions?

* Re: /etc/passwd thoughts
@ 2009-06-13  4:04                   ` Seewer Philippe
From: Seewer Philippe @ 2009-06-13  4:04 UTC (permalink / raw)
  To: David Dillow; +Cc: Warren Togami, initramfs

David Dillow wrote:
> On Fri, 2009-06-12 at 23:21 +0200, Seewer Philippe wrote:
>> Actually 95nfs doesn't create its own entry. The part is commented out.
> 
> Right; I'm torn on this. We want to support both portmap and rpcbind,
> and at least rpcbind needs a user to run as -- it won't run without it.
> I don't know what portmap wants.

Portmap doesn't want anything. In the past, I've even run it without an 
/etc at all.

* Re: /etc/passwd thoughts
@ 2009-06-16 18:42                   ` Warren Togami
From: Warren Togami @ 2009-06-16 18:42 UTC (permalink / raw)
  To: David Dillow; +Cc: Seewer Philippe, initramfs

On 06/12/2009 10:12 PM, David Dillow wrote:
> On Fri, 2009-06-12 at 23:21 +0200, Seewer Philippe wrote:
>> Actually 95nfs doesn't create its own entry. The part is commented out.
>
> Right; I'm torn on this. We want to support both portmap and rpcbind,
> and at least rpcbind needs a user to run as -- it won't run without it.
> I don't know what portmap wants.
>
> I have it copying the passwd file as that seemed to be the most
> distro-agnostic way I could do it.
>
> I see a few options --
> 1) Copy /etc/passwd from the distro into the initrd; exposes user names,
> but passwords should be in /etc/shadow and hence not copied.
> 2) Make our own users for rpcbind (and portmap if different) and just
> use that. rpcbind gets killed before we transition to root, so the uid
> doesn't have to match up.

It seems the correct way would be:

If rpcbind, then write only the necessary user into the initrd's 
/etc/passwd.  Do not copy the generating system's /etc/passwd.

Any objections?

Warren Togami
wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org

* Re: /etc/passwd thoughts
@ 2009-06-17 17:08                         ` Warren Togami
From: Warren Togami @ 2009-06-17 17:08 UTC (permalink / raw)
  To: initramfs

On 06/17/2009 06:51 AM, Harald Hoyer wrote:
>> If rpcbind, then write only the necessary user into the initrd's
>> /etc/passwd. Do not copy the generating system's /etc/passwd.
>>
>> Any objections?
>
> s.th. like
>
> grep $user /etc/passwd >> ${initdir}/etc/passwd
>
> ?

Yes, except does the rpcbind user need to run as any userid number in 
particular?  rpcbind gets killed before switch_root right?  We might be 
able to do this without grep scraping.

Warren Togami
wtogami-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org

* Re: /etc/passwd thoughts
@ 2009-06-18 17:14                             ` Harald Hoyer
From: Harald Hoyer @ 2009-06-18 17:14 UTC (permalink / raw)
  To: Warren Togami; +Cc: initramfs

On 06/17/2009 07:08 PM, Warren Togami wrote:
> On 06/17/2009 06:51 AM, Harald Hoyer wrote:
>>> If rpcbind, then write only the necessary user into the initrd's
>>> /etc/passwd. Do not copy the generating system's /etc/passwd.
>>>
>>> Any objections?
>>
>> s.th. like
>>
>> grep $user /etc/passwd >> ${initdir}/etc/passwd
>>
>> ?
>
> Yes, except does the rpcbind user need to run as any userid number in
> particular? rpcbind gets killed before switch_root right? We might be
> able to do this without grep scraping.
>

right, OKFORME :)
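A worked version of what the thread settles on (Warren's "write only the necessary user into the initrd's /etc/passwd" and David's option 2, a synthetic account whose uid need not match because rpcbind is killed before switch_root), as an added example rather than anything from dracut's own install scripts. Everything in it is assumed for illustration: the function names, the uid values, the constructed host passwd file, and the use of an exact awk match on the login field instead of Harald's `grep $user /etc/passwd`, which is a substring match and would also pull in `rpcuser` or any line that mentions the name in its GECOS field.

```shell
#!/bin/sh
# Added example, not dracut's own code: stage a minimal /etc/passwd in the
# initramfs build dir ($initdir) holding only the accounts the initrd's
# daemons need, instead of copying the build host's whole /etc/passwd.
# Function names below are this example's own.

# Print the passwd line whose login name (field 1 of FILE) is exactly NAME;
# exit 1 if absent. A plain `grep $user /etc/passwd` is a substring match:
# "rpc" would also drag in "rpcuser" and any line mentioning rpc in the
# GECOS field, which defeats the point of not copying extra accounts.
passwd_entry() {
    awk -F: -v u="$1" '$1 == u { print; found = 1; exit } END { exit !found }' "$2"
}

# Synthetic entry for NAME with uid/gid ID (assumed values). Since rpcbind
# is killed before switch_root, its uid need not match the real root fs.
synthetic_entry() {
    printf '%s:x:%s:%s:%s:/var/empty:/sbin/nologin\n' "$1" "$2" "$2" "$1"
}

# inst_passwd_user INITDIR NAME ID [SRC]
# Append exactly one entry for NAME to INITDIR/etc/passwd: the host's own
# line from SRC (default /etc/passwd) if present, else a synthetic one.
# Idempotent, so several modules may request the same account.
inst_passwd_user() {
    initdir=$1 name=$2 id=$3 src=${4:-/etc/passwd}
    mkdir -p "$initdir/etc"
    [ -f "$initdir/etc/passwd" ] || : > "$initdir/etc/passwd"
    if passwd_entry "$name" "$initdir/etc/passwd" >/dev/null; then
        return 0
    fi
    entry=$(passwd_entry "$name" "$src") || entry=$(synthetic_entry "$name" "$id")
    printf '%s\n' "$entry" >> "$initdir/etc/passwd"
}

# Number of accounts staged in INITDIR: the figure a post-build check looks at.
staged_accounts() {
    wc -l < "$1/etc/passwd" | tr -d ' '
}

# --- constructed sample host passwd (not a real system's file) ---
work=$(mktemp -d)
host_passwd="$work/host-passwd"
cat > "$host_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
warren:x:500:500:Warren Togami:/home/warren:/bin/bash
EOF
initdir="$work/initdir"

inst_passwd_user "$initdir" rpc 32 "$host_passwd"      # host has it: copied exactly
inst_passwd_user "$initdir" rpc 32 "$host_passwd"      # second request is a no-op
inst_passwd_user "$initdir" portmap 1 "$host_passwd"   # host lacks it: synthesized
```

From a module install script the call would simply be `inst_passwd_user "$initdir" rpc 32`, reading the real /etc/passwd. The sample file is chosen so that `grep -c rpc` on it reports two lines while the staged file contains one, which is the difference between scraping by substring and copying by login name; the human account never reaches the image at all.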
