Ubuntu
shadow package

usermod --add-subuids fails for users not in /etc/passwd

Bug #1475749 reported by kevin gunn
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical System Image
Fix Released
High
Unassigned
shadow (Ubuntu)
Fix Released
High
Steve Langasek
Vivid
Fix Released
High
Unassigned

Bug Description

[SRU justification]
The (distro patched) subuid/subgid support in the shadow 'usermod' command only works with users present in /etc/passwd. As /etc/subuid and /etc/subgid are separate databases that do not require modification of /etc/passwd, this is an unnecessary restriction that appears to be due to a simple logic bug in the patch and not as a deliberate design decision. As Ubuntu Touch and Ubuntu Snappy systems will as a class have users in different NSS backends from /etc/passwd, and lxc should be supported for these users with uid namespacing, this bug warrants fixing.

[Test case]
1. Install the libnss-extrausers package
2. Enable it by running "sudo sed -i -e'/passwd:/ s/$/ extrausers/' /etc/nsswitch.conf"
3. Create a test user by running "echo 'testuser:x:2000:2000::/nonexistent:/bin/false' | sudo tee /var/lib/extrausers/passwd"
4. Attempt to add subuids for this user by running "sudo usermod --add-subuids 10000-12000 testuser"
5. Confirm that this fails with the error message "usermod: user 'testuser' does not exist in /etc/passwd"
6. Install the new version of the 'passwd' package
7. Repeat the test from step 4
8. Confirm that the command now succeeds, and the user's entry has been added to /etc/subuid
9. Clean up by running 'sudo usermod --del-subuids 10000-12000 testuser" and removing the /var/lib/extrausers/passwd file

[Regression potential]
This is a targeted bugfix in the behavior of usermod, and users are unlikely to be relying on the usermod command failing for non-local users.

[Original report]
currently we have need to utilize lxc on vivid+stable overlay which requires adding subuser & subgroup ids.
unfortunately, usermod currently fails since phablet password is readonly

See original description

Related branches

lp:~vorlon/ubuntu/wily/shadow/lp.1475749
Serge Hallyn: Approve
Ubuntu branches: Pending requested
Diff: 167 lines (+146/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/userns/subuids-nonlocal-users (+138/-0)
lp:ubuntu/wily-proposed/shadow
lp:ubuntu/vivid-proposed/shadow
kevin gunn (kgunn72)
Changed in canonical-devices-system-image:
importance: Undecided → High
Changed in shadow (Ubuntu):
importance: Undecided → High
Steve Langasek (vorlon)
summary: - changes to phablet to enable moduser on vivid+stable overlay ppa
+ usermod --add-subuids fails for users not in /etc/passwd
Revision history for this message
Steve Langasek (vorlon) wrote :

This appears to be an issue with the patches to shadow for subuid/subgid support. The --{add,del}-sub{uid,gid}s options don't operate on /etc/passwd, only on /etc/sub{uid,gid}; but the code causes usermod to fail if called for any non-local user.

Assuming there's no policy reason why non-local users are disallowed from /etc/sub{uid,gid}, this is a simple fix. Cc:ing Serge Hallyn for comment, as he originally pulled these patches in.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks, no objection from me.

Changed in shadow (Ubuntu):
status: New → Triaged
Steve Langasek (vorlon)
description: updated
Steve Langasek (vorlon)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.1.5.1-1.1ubuntu7

---------------
shadow (1:4.1.5.1-1.1ubuntu7) wily; urgency=medium

  * debian/patches/userns/subuids-nonlocal-users: Don't limit
    subuid/subgid support to local users. Closes LP: #1475749.

 -- Steve Langasek <email address hidden> Mon, 20 Jul 2015 18:44:12 -0700

Changed in shadow (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello kevin, or anyone else affected,

Accepted shadow into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1.1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shadow (Ubuntu Vivid):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : [shadow/vivid] possible regression found

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shadow from vivid-proposed was performed and bug 1493590 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and tag 1493590 "bot-stop-nagging". Thanks!

tags: added: verification-failed
Serge Hallyn (serge-hallyn)
tags: added: bot-stop-nagging
removed: verification-failed
Ubuntu Foundations Team Bug Bot (crichton)
tags: added: verification-failed
Serge Hallyn (serge-hallyn)
tags: removed: verification-failed
Pat McGowan (pat-mcgowan)
Changed in canonical-devices-system-image:
status: New → Fix Released
Mathew Hodson (mhodson)
Changed in shadow (Ubuntu Vivid):
importance: Undecided → High
tags: added: vivid
removed: bot-stop-nagging
Serge Hallyn (serge-hallyn)
Changed in shadow (Ubuntu Vivid):
status: Fix Committed → Confirmed
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

(sorry, i msread the bug history)

Changed in shadow (Ubuntu Vivid):
status: Confirmed → Fix Committed
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

The test case in the Description passed cleanly for me (and failed without -proposed)

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.1.5.1-1.1ubuntu4.1

---------------
shadow (1:4.1.5.1-1.1ubuntu4.1) vivid; urgency=medium

  * debian/patches/userns/subuids-nonlocal-users: Don't limit
    subuid/subgid support to local users. Closes LP: #1475749.

 -- Steve Langasek <email address hidden> Mon, 20 Jul 2015 22:58:18 -0700

Changed in shadow (Ubuntu Vivid):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for shadow has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.