From 993845d2a25a963973e6bad74cd6bbf92051f8b1 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 25 Mar 2025 17:26:18 -0400 Subject: [PATCH] Move the `tss` group to `/etc` so it can be mutated This works around two issues: - First, rpm switched to reading users/groups directly for its implementation of systemd-sysusers, which meant it no longer reads via nss, which breaks nss-altfiles. xref: https://github.com/rpm-software-management/rpm/pull/2503#issuecomment-1536435351 and below. - Second, even if that was fixed, `keylime` wants to add its user to the group, which can't be done when it's a system uid. Since nothing in the OS content is owned by this group, we can move underneath `/etc` by default. Signed-off-by: Colin Walters --- minimal/postprocess-conf.yaml | 5 +++++ tests/rootfs/cases/etc-group | 6 ++++++ 2 files changed, 11 insertions(+) create mode 100755 tests/rootfs/cases/etc-group diff --git a/minimal/postprocess-conf.yaml b/minimal/postprocess-conf.yaml index 6b54a77..b1f6f95 100644 --- a/minimal/postprocess-conf.yaml +++ b/minimal/postprocess-conf.yaml @@ -14,9 +14,14 @@ ignore-removed-users: - root ignore-removed-groups: - root +# By default users and groups are injected to nss-altfiles +# which is immutable. This list moves a selected set +# to /etc/group instead, which is mutable per system +# and allows local users to become part of these groups. etc-group-members: - wheel - systemd-journal + - tss # https://issues.redhat.com/browse/BIFROST-618 - adm check-passwd: diff --git a/tests/rootfs/cases/etc-group b/tests/rootfs/cases/etc-group new file mode 100755 index 0000000..fceee84 --- /dev/null +++ b/tests/rootfs/cases/etc-group @@ -0,0 +1,6 @@ +#!/bin/bash +set -xeuo pipefail +# Verify group members +getent group tss >/dev/null +# This one needs to be in /etc +grep -q tss /etc/group
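Review bot: the new comment block above `etc-group-members:` in `minimal/postprocess-conf.yaml` documents only the second motivation from the commit message (local systems needing to mutate membership), while the first one, rpm's sysusers implementation reading the files directly and bypassing nss-altfiles, is what makes this a correctness requirement rather than a convenience. Suggest adding a short pointer to that rpm issue (the PR link already in the commit message) either in the comment block or next to the `- tss` entry alongside the BIFROST-618 reference, so that a later cleanup does not move `tss` back into the immutable database once keylime no longer needs it.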
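Review bot: `grep -q tss /etc/group` in `tests/rootfs/cases/etc-group` is an unanchored substring match, so it succeeds for any line of `/etc/group` that merely contains `tss` (a different group whose name or member list contains that substring) and does not prove that the `tss` group record itself was placed in `/etc/group`; anchor it as `grep -q '^tss:' /etc/group`. The preceding `getent group tss >/dev/null` resolves through nss and would pass whether the group lives in `/etc/group` or in the nss-altfiles database, so it only checks existence, and the `# Verify group members` comment overstates what the script does, since no membership is checked; rename it to something like `# Verify the tss group exists and is defined in /etc/group`.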