Handling of new user/group additions from binary packages is broken
w.r.t. the file ownerships given within binary archives, and it is
effectively broken in its design.
Currently it is inevitable that user and group names will end up with
different uid/gid values on target install systems, i.e. production
systems which are not "pristine" (just freshly installed), and where the
package does not specify explicit uid/gid values (and if it does then
uid/gid conflicts are likely).
The problem is that the binary archive file is fully extracted _before_
the username/groupname is created thus even though it contains both the
username and the uid (groupname and the gid) only the uid/gid numeric
values can ever be used. If the id number given in the archive is
already in use on the target system for an unrelated user then the file
will end up being owned by the existing group or user, then the expected
user and/or group will be created, but with a new uid/gid, and the file
will not have its ownership updated to match the new username/groupname.
Partly this is further exacerbated (i.e. made more likely) by the fact
that there is no way within pkgsrc to reserve a range of id numbers
explicitly for the use of packages (i.e. make use of the
useradd/groupadd '-r' option) -- ordinary user accounts will be created
by the local admin in the same range as accounts for packages will be
created on the build system. The build system, being what it is, will
not usually have the same local user accounts as production systems, and
may not even be operated by the same organization.
Previously I've mostly worked around it by carefully testing each
package build by hand and then ensuring all necessary users and groups
are manually (pre)installed on all my systems for all the packages I
normally build. However I'm now upgrading packages often enough on
production systems where it is not easy to continue to always manually
pre-add all the new package-specific users and groups needed. To some
extent I've been able to modify package modules to use specific UID/GID
values that I'm reasonably certain will be outside the range of normal
local users on all the systems I build packages for, but this doesn't
always work, especially when I miss checking some dependent package
which requires a new user and/or group.
The ideal solution would be to _never_ rely on the ownerships in the
binary package archive files and instead use the PLIST file exclusively
to set ownerships of all files (which need non-standard ownerships (and
permissions too?)) via a generated MTREE file (and I think this was the
intent of MTREE files in the original pkg_install design), but of course
that would likely require far more maintenance overhead for package
modules, at least for those which do require special users and/or
groups.
The hack would be to extract just the package meta files first, then run
the require(YES!) and pre-install scripts (thus creating any necessary
users and groups with appropriate conflict checking), _then_ finally
extract the rest of the archive thus allowing pax to change the
ownership of extracted files to match the owner IDs on the target
system. This breaks though if the package has internal knowledge of any
uid/gid numbers (even though that should be a bug by definition).
In any case though it would be _extremely_ valuable to make use of the
useradd/groupadd '-r' options (where available), and to make sure to do
so on the _target_ system too, not just the build system! I don't know
what to do about systems which do not support such a feature, but which
do have otherwise sufficient and/or necessary platform specific
useradd/groupadd tools. (In my local changes to a much earlier version
of pkgsrc I had some hacks to use '-r' on the build system, but they
weren't designed properly for binary packages either -- they avoided the
issues only by accident, not by design.)
--
Greg A. Woods
Planix, Inc.
<woods%planix.com@localhost> +1 416 218-0099 http://www.planix.com/
Attachment:
pgpTnlLhr1lob.pgp
Description: PGP signature