flatcar-tmpfiles: Copy over the shadow group and use it for shadow files#39
Merged
krnowak merged 2 commits into flatcar-master, Dec 10, 2025
chewi approved these changes, Nov 28, 2025

chewi left a comment:
I don't think these ever used caps? They were previously SUID root. There is an old Gentoo bug open about using caps, so I'm a little surprised that floppym went with SGID recently instead, but I suppose non-caps support was needed too.
Some binaries acting on those files are now owned by the shadow group with a sticky bit instead of having CAP_DAC_SEARCH (or CAP_DAC_OVERRIDE) caps. For them to work, shadow and gshadow files also need to be owned by the group shadow.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
0cadb3e to b6bcb70
krnowak (Member, Author):

I think these were SUID root for a long time, because of our modifications. Then they started using caps because I moved some package to portage-stable and then, recently, they became SGID shadow. Also, I updated the PR so that flatcar-tmpfiles stops printing some warnings into journalctl. It initially confused me into thinking there was an issue.
krnowak (Member, Author):

Also changed chgrp to chown - there is no chgrp in initrd and this change was faster to make than modifying bootengine to include chgrp.
chewi reviewed, Dec 10, 2025
In the logs there are warnings like:

    cut: /sysroot/etc/passwd: No such file or directory
    cut: /sysroot/etc/group: No such file or directory
    cut: /sysroot/etc/shadow: No such file or directory
    cut: /sysroot/etc/gshadow: No such file or directory

They are confusing - we are fine with those files being absent, but we shouldn't be fine with printing such warnings. It misled me into thinking there was an issue. Also put the common part into a function; hopefully it's a bit easier to read.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
b6bcb70 to 8881cd8
chewi approved these changes, Dec 10, 2025
Some binaries acting on those files are now owned by the shadow group
with a sticky bit instead of having CAP_DAC_SEARCH (or
CAP_DAC_OVERRIDE) caps. For them to work, shadow and gshadow files
also need to be owned by the group shadow.
Will be tested together with the weekly updates.
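The two steps the commit messages describe, copying the shadow group entry into the target root and making the shadow files group-owned by shadow so the SGID-shadow binaries can open them without caps, as an added POSIX sh sketch that is not the project's flatcar-tmpfiles code. The function names, the 0640 mode and the sample group files are assumptions or constructed data.

```shell
#!/bin/sh
# Added illustration, not the flatcar-tmpfiles script itself: the two steps
# the PR describes, as small POSIX sh functions. Hypothetical names:
# field_values, copy_group_entry, fix_shadow_file.

# Print field $2 of the colon-separated file $1, or nothing if the file is
# absent. Testing -f first is what silences the
# "cut: /sysroot/etc/...: No such file or directory" warnings from the logs.
field_values() {
    [ -f "$1" ] || return 0
    cut -d: -f"$2" "$1"
}

# Append group $3's line from source group file $1 to target group file $2,
# unless the target already defines a group with that name.
copy_group_entry() {
    if field_values "$2" 1 | grep -qx "$3"; then
        return 0            # already present, nothing to do
    fi
    line=$(grep "^$3:" "$1") || { echo "no group $3 in $1" >&2; return 1; }
    printf '%s\n' "$line" >> "$2"
}

# Give shadow-style file $1 owner $2 (default root:shadow). chown with a
# group part is used rather than chgrp because the initrd ships no chgrp.
# Mode 0640 (owner rw, group r, no world access) is an assumed hardening
# default; the PR itself only talks about group ownership.
fix_shadow_file() {
    [ -f "$1" ] || return 0
    chown "${2:-root:shadow}" "$1"
    chmod 0640 "$1"
}

# Stand-alone demo on constructed files (nothing under /sysroot is touched).
demo=$(mktemp -d)
printf 'root:x:0:\nshadow:x:42:\n' > "$demo/host_group"   # constructed source
printf 'root:x:0:\n' > "$demo/group"                      # constructed target
copy_group_entry "$demo/host_group" "$demo/group" shadow
copy_group_entry "$demo/host_group" "$demo/group" shadow  # second run is a no-op
grep -c '^shadow:' "$demo/group"                          # prints 1
field_values "$demo/missing_file" 1                       # silent, exit 0
rm -rf "$demo"
```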