Bug 1223521

Summary: host files are used even without --use-installed
Product: [Fedora] Fedora Reporter: Florian Ludwig <vierzigundzwei>
Component: superminAssignee: Richard W.M. Jones <rjones>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: ptoscano, rjones, vierzigundzwei
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-03 07:41:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Florian Ludwig 2015-05-20 18:21:04 UTC 
Description of problem:

The examples states the following:

> If you see 'Permission denied' errors here, it could be because your
> distro has decided to engage in security-by-obscurity by making
> some host binaries unreadable by ordinary users. Normally you can
> ignore these errors.

This happens because supermin is trying to copy files from the host system. Which it is not supposed to do when running without --use-installed. Also it is not true that those can be ignored as it means the mentioned files are missing from the appliance.

Version-Release number of selected component (if applicable):
git
Comment 1 Richard W.M. Jones 2015-05-20 19:57:50 UTC 
Can you post the commands you are running.  It is expected that
supermin will read host files during the --build phase.
Comment 2 Florian Ludwig 2015-06-01 15:07:56 UTC 
Yes, it happens during the --build phase.

$ supermin --prepare shadow-utils -o /tmp/tmpFp9wyU
$ supermin --build -f chroot -o fedora_min /tmp/tmpFp9wyU
cp: cannot open '/usr/bin/chown' for reading: Permission denied
cp: cannot open '/usr/sbin/build-locale-archive' for reading: Permission denied
cp: cannot open '/usr/sbin/glibc_post_upgrade.x86_64' for reading: Permission denied
cp: cannot open '/usr/sbin/groupadd' for reading: Permission denied
cp: cannot open '/usr/sbin/groupdel' for reading: Permission denied
cp: cannot open '/usr/sbin/groupmems' for reading: Permission denied
cp: cannot open '/usr/sbin/groupmod' for reading: Permission denied
cp: cannot open '/usr/sbin/useradd' for reading: Permission denied
cp: cannot open '/usr/sbin/userdel' for reading: Permission denied
cp: cannot open '/usr/sbin/usermod' for reading: Permission denied

Could you elaborate om "is expected to read host files"?

Is it expected that files that get the "cannot open" error are missing? (what absolutely makes sense) But why does the example state "Normally you can ignore these errors." then?

Should i file a bug on shadow-utils for "security-by-obscurity"?
Comment 3 Richard W.M. Jones 2015-06-01 15:53:31 UTC 
That's how supermin works, at a fundamental level.

It copies the files from the host into the appliance during the
--build phase.

--use-installed is only for use in the --prepare phase (and then
only in a very strictly prescribed circumstances that likely don't
apply to you unless you're building a Debian package).

(In reply to Florian Ludwig from comment #2)
> cp: cannot open '/usr/bin/chown' for reading: Permission denied
> cp: cannot open '/usr/sbin/build-locale-archive' for reading: Permission
> denied
> cp: cannot open '/usr/sbin/glibc_post_upgrade.x86_64' for reading:
> Permission denied
> cp: cannot open '/usr/sbin/groupadd' for reading: Permission denied
> cp: cannot open '/usr/sbin/groupdel' for reading: Permission denied
> cp: cannot open '/usr/sbin/groupmems' for reading: Permission denied
> cp: cannot open '/usr/sbin/groupmod' for reading: Permission denied
> cp: cannot open '/usr/sbin/useradd' for reading: Permission denied
> cp: cannot open '/usr/sbin/userdel' for reading: Permission denied
> cp: cannot open '/usr/sbin/usermod' for reading: Permission denied
> 
> Is it expected that files that get the "cannot open" error are missing?
> (what absolutely makes sense) But why does the example state "Normally you
> can ignore these errors." then?

It's expected, and if you don't need those files in your appliance then
you can ignore the errors.  However

> Should i file a bug on shadow-utils for "security-by-obscurity"?

yes this is a bug.  For Fedora, it is now explicitly against policy
to have such unreadable files, unless the packager of shadow-utils
has a really good reason:

https://fedorahosted.org/fpc/ticket/467
Comment 4 Richard W.M. Jones 2015-07-03 07:41:50 UTC 
Closing - see previous comment.