Move the tss group to /etc so it can be mutated
This works around two issues:

- First, rpm switched to reading users/groups directly for its implementation of systemd-sysusers, which meant it no longer reads via nss, which breaks nss-altfiles. xref: https://github.com/rpm-software-management/rpm/pull/2503#issuecomment-1536435351 and below.
- Second, even if that was fixed, `keylime` wants to add its user to the group, which can't be done when it's a system uid.

Since nothing in the OS content is owned by this group, we can move underneath `/etc` by default.

Signed-off-by: Colin Walters <walters@verbum.org>
parent 78462e6c13
commit 993845d2a2
2 changed files with 11 additions and 0 deletions
@ -14,9 +14,14 @@ ignore-removed-users:
- root
ignore-removed-groups:
- root
# By default users and groups are injected to nss-altfiles
# which is immutable. This list moves a selected set
# to /etc/group instead, which is mutable per system
# and allows local users to become part of these groups.
etc-group-members:
- wheel
- systemd-journal
- tss # https://issues.redhat.com/browse/BIFROST-618
- adm
check-passwd:
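Review bot: The inline comment on the `- tss` entry is only a tracker URL, so a reader of this file cannot tell why the group is listed without following the link. State the reason next to the entry, for example that `keylime` needs to add its user to the group and that no OS content is owned by it. The block comment above also says this list "allows local users to become part of these groups"; for `tss` it is worth saying explicitly that locally mutable membership is the intended outcome, since the other entries (`wheel`, `systemd-journal`, `adm`) are groups an administrator adds people to, while this one is being added for a service account.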
6
tests/rootfs/cases/etc-group
Executable file
@ -0,0 +1,6 @@
#!/bin/bash
set -xeuo pipefail
# Verify group members
getent group tss >/dev/null
# This one needs to be in /etc
grep -q tss /etc/group
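Review bot: The final check, `grep -q tss /etc/group`, matches the substring anywhere in the file, so it would also pass on a different group whose name or member list happens to contain "tss". Anchor it to the group name field, e.g. `grep -q '^tss:' /etc/group`. Note also that `getent group tss` succeeds whichever database the entry comes from, so the grep is the only assertion about location here, and the header says "Verify group members" while only `tss` is checked; either extend the test to the other entries in `etc-group-members` or narrow the comment.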