Re: [PATCH 0/3] pseudo+image.bbclass: changes to avoid host contamination

["Peter A. Bigot" <pab@pabigot.com>]

[-- Attachment #1: Type: text/plain, Size: 3726 bytes --]

On 10/13/2014 04:28 PM, Peter Seebach wrote:
> On Sun, 12 Oct 2014 18:49:52 -0500
> "Peter A. Bigot" <pab@pabigot.com> wrote:
>
>> I believe OE should add --without-passwd-fallback to the pseudo 1.6.2
>> configuration flags early in the 1.8 development cycle, to ensure there
>> are no host contamination issues.  I can think of no reason why the
>> build host passwd and group files should ever be considered suitable for
>> use in determining target user/group characteristics.
> I endorse this evaluation.
>
> I've been thinking about this more, and I'd like to wave a thought at people:
>
> I propose for consideration the idea that pseudo have a compile-time
> hard-coded default answer to "what is uid 0" and "what is gid 0", and use
> that instead of the "fallback path".
>
> The rationale is basically: Yes, it's a special case. But it's *the* special
> case. It's the special case that is the uid pseudo emulates by default, and
> it's the only one that most packages ever need. If we do this, then the only
> packages which need to depend on base-passwd are those which need to actually
> use a *non-root* uid/gid. And every such package had better already have
> a dependency either directly on the passwd stuff, or on some other package
> which does.


As I noted in an off-list message:

    The thing that worries me is the slippery slope of assumptions.
    Sure, assume that pw_name for uid 0 is "root". *Probably* pw_gid is
    0, but is that required by some standard?  pw_dir could be "/" or
    "/home/root"; which one?  "/bin/sh"?  Not on Ubuntu.  pw_gecos?
    Guesses can be made for all those, but for many there might be a
    legitimate reason why the actual final passwd file on the target
    selects different values, and decisions made based on the guesses
    might result in very difficult to diagnose inconsistencies.


Basically, even if "root" is a special case, taking this path means 
making assumptions about what the application is doing based on what 
system/libc functions it invokes.  Too often when somebody assumes a 
general tool will only be used specific ways, somebody else will prove 
them wrong.

I can't say it won't turn out to be the best approach, but I'd like to 
see some thought applied to how the dependency on base-passwd might be 
added without modifying every recipe.  E.g., something like:

DEPENDS_INSTALL ?= "base-passd:do_populate_sysroot"
d.appendVarFlag('do_install', 'depends', d.expand(' ${DEPENDS_INSTALL}'))

down in base.bbclass.  (Or whatever is necessary to get the intent of 
that snippet.)

> I am pretty sure that this makes more sense than the default fallback to
> host passwd/group. I might want to preserve the option of that fallback, but
> make it a non-default.
>
> Anyone have strong feelings on this? Thoughts I may not have thought through
> yet? I don't know that I actually had a coherent reason in mind for the
> original fallback behavior, and this analysis convinces me that falling back
> to host uid/gid is probably wrong for many-to-most use cases.
>
> I guess it might make sense for something more like a debian package build
> where you really are targeting the host, but even then, I am not sure that the
> default host fallback is a good idea.

I can't offhand think of a reason host fallback would be necessary, but 
since it already exists keeping it as a non-default option is maybe 
worthwhile (see "assumptions" above).

Note that with my enhancement you should be able to do:

PSEUDO_PASSWD = "${STAGING_DIR_TARGET}:"

and get the host files, but that's not a fixed fallback that's always 
available regardless of invocation options.

Peter

[-- Attachment #2: Type: text/html, Size: 4720 bytes --]