diff --git a/rpmostree-cxxrs.cxx b/rpmostree-cxxrs.cxx index 1e4bb1baa1..03c8240c55 100644 --- a/rpmostree-cxxrs.cxx +++ b/rpmostree-cxxrs.cxx @@ -2165,7 +2165,7 @@ extern "C" ::rpmostreecxx::Treefile &treefile) noexcept; ::rust::repr::PtrLen - rpmostreecxx$cxxbridge1$composepost_nsswitch_altfiles (::std::int32_t rootfs_dfd) noexcept; + rpmostreecxx$cxxbridge1$composepost_nsswitch_altfiles (::std::int32_t rootfs_dfd, bool sysusers) noexcept; ::rust::repr::PtrLen rpmostreecxx$cxxbridge1$compose_postprocess ( ::std::int32_t rootfs_dfd, ::rpmostreecxx::Treefile &treefile, ::rust::Str next_version, @@ -3945,9 +3945,9 @@ compose_prepare_rootfs (::std::int32_t src_rootfs_dfd, ::std::int32_t dest_rootf } void -composepost_nsswitch_altfiles (::std::int32_t rootfs_dfd) +composepost_nsswitch_altfiles (::std::int32_t rootfs_dfd, bool sysusers) { - ::rust::repr::PtrLen error$ = rpmostreecxx$cxxbridge1$composepost_nsswitch_altfiles (rootfs_dfd); + ::rust::repr::PtrLen error$ = rpmostreecxx$cxxbridge1$composepost_nsswitch_altfiles (rootfs_dfd, sysusers); if (error$.ptr) { throw ::rust::impl< ::rust::Error>::error (error$); diff --git a/rpmostree-cxxrs.h b/rpmostree-cxxrs.h index ab3af95e94..090d6ed811 100644 --- a/rpmostree-cxxrs.h +++ b/rpmostree-cxxrs.h @@ -1837,7 +1837,7 @@ void configure_build_repo_from_target (::rpmostreecxx::OstreeRepo const &build_r void compose_prepare_rootfs (::std::int32_t src_rootfs_dfd, ::std::int32_t dest_rootfs_dfd, ::rpmostreecxx::Treefile &treefile); -void composepost_nsswitch_altfiles (::std::int32_t rootfs_dfd); +void composepost_nsswitch_altfiles (::std::int32_t rootfs_dfd, bool sysusers); void compose_postprocess (::std::int32_t rootfs_dfd, ::rpmostreecxx::Treefile &treefile, ::rust::Str next_version, bool unified_core); diff --git a/rust/src/composepost.rs b/rust/src/composepost.rs index cd8e6dab01..d651525d2e 100644 --- a/rust/src/composepost.rs +++ b/rust/src/composepost.rs 
@@ -640,7 +640,36 @@ fn strip_any_prefix<'a, 'b>(s: &'a str, prefixes: &[&'b str]) -> Option<(&'b str .find_map(|&p| s.strip_prefix(p).map(|r| (p, r))) } +#[context("Delete altfiles for passwd and group entries")] +fn del_altfiles(buf: &str) -> Result { + let mut r = String::with_capacity(buf.len()); + for line in buf.lines() { + let parts = if let Some(p) = strip_any_prefix(line, &["passwd:", "group:"]) { + p + } else { + r.push_str(line); + r.push('\n'); + continue; + }; + let (prefix, rest) = parts; + r.push_str(prefix); + + for elt in rest.split_whitespace() { + if elt == "altfiles" { + // skip altfiles + continue; + } else { + r.push(' '); + r.push_str(elt); + } + } + r.push('\n'); + } + Ok(r) +} + /// Inject `altfiles` after `files` for `passwd:` and `group:` entries. +#[allow(dead_code)] fn add_altfiles(buf: &str) -> Result { let mut r = String::with_capacity(buf.len()); for line in buf.lines() { 
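Review bot: `del_altfiles` has no doc comment, while its sibling `add_altfiles` carries one; a line such as `/// Remove altfiles from the passwd: and group: entries, copying all other lines unchanged.` would match. In the inner loop, the `if elt == "altfiles" { continue; } else { … }` form can be written as `for elt in rest.split_whitespace().filter(|&e| e != "altfiles")`. Because the remainder of the line is re-tokenised with `split_whitespace`, a trailing `#` comment on a `passwd:` or `group:` line is re-joined with single spaces and loses any literal `altfiles` word it contains, which is worth stating in the doc comment. The body of `add_altfiles` continues past the end of this hunk.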
@@ -677,20 +706,29 @@ fn add_altfiles(buf: &str) -> Result { Ok(r) } -/// Add `altfiles` entries to `nsswitch.conf`. +/// Add or delete `altfiles` entries to `nsswitch.conf`. /// -/// rpm-ostree currently depends on `altfiles` -#[context("Adding altfiles to /etc/nsswitch.conf")] -pub fn composepost_nsswitch_altfiles(rootfs_dfd: i32) -> CxxResult<()> { +/// rpm-ostree currently depends on `altfiles`, should remove it when +/// transfer to systemd-sysusers. +#[context("Adding / deleting altfiles to /etc/nsswitch.conf")] +pub fn composepost_nsswitch_altfiles(rootfs_dfd: i32, sysusers: bool) -> CxxResult<()> { let rootfs_dfd = unsafe { &crate::ffiutil::ffi_dirfd(rootfs_dfd)? }; let path = "usr/etc/nsswitch.conf"; if let Some(meta) = rootfs_dfd.symlink_metadata_optional(path)? { // If it's a symlink, then something else e.g. authselect must own it. + // Do nothing if disable systemd-sysusers. if meta.is_symlink() { - return Ok(()); + if !sysusers { + return Ok(()); + } } - let nsswitch = rootfs_dfd.read_to_string(path)?; - let nsswitch = add_altfiles(&nsswitch)?; + // Delete the symlink, create and update the config. + let target = "usr/etc/authselect/nsswitch.conf"; + let nsswitch = rootfs_dfd.read_to_string(target).with_context(|| format!("Reading target {}", target))?; + rootfs_dfd.remove_file(path).with_context(|| format!("Removing {}", path))?; + rootfs_dfd.create(path)?; + + let nsswitch = del_altfiles(&nsswitch)?; rootfs_dfd.atomic_write(path, nsswitch.as_bytes())?; } diff --git a/rust/src/lib.rs b/rust/src/lib.rs index 55b552e110..b735513fd6 100644 --- a/rust/src/lib.rs +++ b/rust/src/lib.rs @@ -282,7 +282,7 @@ pub mod ffi { dest_rootfs_dfd: i32, treefile: &mut Treefile, ) -> Result<()>; - fn composepost_nsswitch_altfiles(rootfs_dfd: i32) -> Result<()>; + fn composepost_nsswitch_altfiles(rootfs_dfd: i32, sysusers: bool) -> Result<()>; fn compose_postprocess( rootfs_dfd: i32, treefile: &mut Treefile, 
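Review bot: In `composepost_nsswitch_altfiles`, a regular (non-symlink) `usr/etc/nsswitch.conf` now falls through to the same path as the symlink case: the content is read from the hard-coded `usr/etc/authselect/nsswitch.conf`, the file is removed, and the result goes through `del_altfiles` even when `sysusers` is false, so `add_altfiles` is never called (hence the `#[allow(dead_code)]` in the previous hunk). A compose without sysusers therefore no longer gets the `altfiles` source that the doc comment says rpm-ostree depends on, and the function fails outright when the authselect copy is absent. The `remove_file` + `create` pair ahead of `atomic_write` also leaves a missing or empty NSS configuration in the image if a later step errors. The sketch below branches on `sysusers`, reads the authselect copy only in the symlink case and drops `create`; it assumes `atomic_write` creates the file itself, which should be confirmed. The function body continues past the end of the hunk.

```rust
    if let Some(meta) = rootfs_dfd.symlink_metadata_optional(path)? {
        let is_symlink = meta.is_symlink();
        // A symlink means something else (e.g. authselect) owns the file; only the
        // sysusers transition takes it over.
        if is_symlink && !sysusers {
            return Ok(());
        }
        // Only the symlink case is read from the authselect copy; a regular file is read in place.
        let source = if is_symlink {
            "usr/etc/authselect/nsswitch.conf"
        } else {
            path
        };
        let nsswitch = rootfs_dfd
            .read_to_string(source)
            .with_context(|| format!("Reading {}", source))?;
        let nsswitch = if sysusers {
            del_altfiles(&nsswitch)?
        } else {
            add_altfiles(&nsswitch)?
        };
        if is_symlink {
            rootfs_dfd
                .remove_file(path)
                .with_context(|| format!("Removing {}", path))?;
        }
        rootfs_dfd.atomic_write(path, nsswitch.as_bytes())?;
    }
```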
diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx index 383921772c..ae4769bcf6 100644 --- a/src/libpriv/rpmostree-postprocess.cxx +++ b/src/libpriv/rpmostree-postprocess.cxx @@ -417,11 +417,12 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un g_print ("Migrating /usr/etc/group to /usr/lib/\n"); ROSCXX_TRY (migrate_group_except_root (rootfs_dfd, preserve_groups_set), error); - - /* NSS configuration to look at the new files */ - ROSCXX_TRY (composepost_nsswitch_altfiles (rootfs_dfd), error); } + /* NSS configuration to look at the new files, if we transfer to systemd-sysusers, + * should remove altfiles. */ + ROSCXX_TRY (composepost_nsswitch_altfiles (rootfs_dfd, sysusers), error); + if (selinux) { if (!postprocess_selinux_policy_store_location (rootfs_dfd, cancellable, error))
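Review bot: Hoisting `composepost_nsswitch_altfiles` below the closing brace makes the nsswitch.conf rewrite run on every compose rather than only on the branch that migrated passwd and group into /usr/lib. The condition of that block and the declaration of `sysusers` both lie outside the hunk, so neither can be checked from here. If the unconditional call is intended, the comment should say so, e.g. `/* Runs even when no passwd/group migration happened: with sysusers the altfiles entries must be stripped regardless. */`. If it is not, keeping the call inside the block for the non-sysusers case preserves the previous behaviour.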