flatcar-tmpfiles: Always copy missing entries over to the database
When a user or group entry is missing but the passwd/group file exists,
it is not added by flatcar-tmpfiles, and systemd-tmpfiles will then fail
because it can't resolve the user or group. We only care about the
fixed set of users like "core" because those are the ones that the user
will normally customize, and this is also enough to fix the bug because
tmpfiles.d/baselayout-home.conf is the only place where not "root" is
used but another user, which is "core".
Always copy the missing entries (from the fixed list of entries to be
copied) over to the database under /etc/, regardless of whether it
exists or not.
pothos committed Jan 18, 2023
1 parent a2326ba commit 5ea75b4
Showing 1 changed file with 15 additions and 12 deletions.
27 changes: 15 additions & 12 deletions scripts/flatcar-tmpfiles
Expand Up @@ -16,18 +16,21 @@ mkdir -p "${ROOT}/etc"

# readable files
umask 022
if [[ ! -e "${ROOT}/etc/passwd" ]]; then
grep -E -e "^(${COPY_USERS}):" "${BASE}/passwd" > "${ROOT}/etc/passwd"
fi
if [[ ! -e "${ROOT}/etc/group" ]]; then
grep -E -e "^(${COPY_GROUPS}):" "${BASE}/group" > "${ROOT}/etc/group"
fi
# Output those lines in BASE/passwd (that are to be copied) when they are not in /etc/passwd already and append to /etc/passwd.
# But since we don't want lines/half lines being added also be used as patterns, we copy the file first to memory
# (if it doesn't exist we are fine with empty output as patterns which means to match empty lines which inverted is all).
PATTERNS=$(cat "${ROOT}/etc/passwd" || true)
grep -v -F -x -f <(echo "${PATTERNS}") <(grep -E -e "^(${COPY_USERS}):" "${BASE}/passwd") >> "${ROOT}/etc/passwd"
PATTERNS=$(cat "${ROOT}/etc/group" || true)
grep -v -F -x -f <(echo "${PATTERNS}") <(grep -E -e "^(${COPY_GROUPS}):" "${BASE}/group") >> "${ROOT}/etc/group"

# secure files
umask 027
if [[ ! -e "${ROOT}/etc/shadow" ]]; then
grep -E -e "^(${COPY_USERS}):" "${BASE}/shadow" > "${ROOT}/etc/shadow"
fi
if [[ ! -e "${ROOT}/etc/gshadow" ]]; then
grep -E -e "^(${COPY_GROUPS}):" "${BASE}/gshadow" > "${ROOT}/etc/gshadow"
fi
PATTERNS=$(cat "${ROOT}/etc/shadow" || true)
grep -v -F -x -f <(echo "${PATTERNS}") <(grep -E -e "^(${COPY_USERS}):" "${BASE}/shadow") >> "${ROOT}/etc/shadow"
PATTERNS=$(cat "${ROOT}/etc/gshadow" || true)
grep -v -F -x -f <(echo "${PATTERNS}") <(grep -E -e "^(${COPY_GROUPS}):" "${BASE}/gshadow") >> "${ROOT}/etc/gshadow"

# The script runs without set -euo pipefail and allows grep to return 1, thus the last statement must not be grep
# because it would propagate the exit code 1 and let the systemd unit fail.
exit 0
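Review bot: the "already present" test in the four `grep -v -F -x -f <(echo "${PATTERNS}")` lines compares whole lines, so an entry the user has customized (for example a different shell or home directory for "core") no longer matches the base line and a second `core` entry gets appended, leaving two entries for the same name in passwd/shadow. Keying the comparison on the first field would be more robust, e.g. build the existing names with `cut -d: -f1 "${ROOT}/etc/passwd"` and filter the base entries with `grep -v -E "^(${EXISTING}):"`, and likewise for group, shadow and gshadow. Also worth a guard before each `>>`: if the existing file's last line has no trailing newline, the first appended entry is glued onto it (the `$(cat ...)` capture strips trailing newlines, so the patterns are fine, but the target file is not).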
