| Summary: | Mock group no longer configurable | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chris St. Pierre <cstpierr> |
| Component: | mock | Assignee: | Clark Williams <williams> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | mebrown, williams |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-05-26 07:37:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Description
Chris St. Pierre
2011-07-05 18:53:48 UTC
I'm confused. I have over 50 groups in my /etc/group file, not counting the ones that are created by installing packages like mock, jack, tcpdump, pulseaudio, etc. GIDs are 32-bit unsigned quantities in Linux. Since a GID is an unsigned integer, this means you have over four billion potential group IDs to use. Why do you feel you are limited to 16?

GIDs are not the limited resource, group membership is. A user can only be a member of so many groups. It turns out 16 is only the limit on Solaris and the BSDs -- on Linux it's 2^16 in 2.6 -- but the fact is that if you use LDAP or similar, then the lowest limit of any system on your network becomes the default site-wide limit. If I put myself in 17 groups it'll work fine on Linux 2.6, but Solaris boxes will semi-randomly pick 16 of them for me to be in.

Hmmmm. I suspect where the idea of allowing the group to be configurable breaks down is in the PAM launch code:

auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet

The reason I'm hesitant to hack a change here is that the code is fairly fragile and we *finally* have it working reliably (plus, I am in no way a PAM expert). I do notice the line following the above in /etc/pam.d/mock:

# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid

Do you get wheel as one of your Solaris/BSD groups? If so we could possibly add wheel to the check inside mock. Not sure if that would be enough though.

Created attachment 562289
Updated patch
No, the 'wheel' group would not be sufficient. It's just hard-coding a second group when the real solution -- to make this configurable -- is trivial.
You do have to change "mock" in the first PAM line to whatever group you set "chrootgid" to. But that can be done, trivially, and a little documentation suffices.
I've attached an updated patch that a) works against the current source; and b) includes docs on the PAM change in site-defaults.cfg.
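A consistency check for the PAM change described in the comment above, written as an added example (not code from mock or from the attached patch). It assumes the group that "chrootgid" resolves to is passed in by name; the group "builders" and the sample file contents are constructed.

```python
import re

# Constructed sample modelled on the two /etc/pam.d/mock lines quoted in this
# thread; "builders" is a hypothetical site group that chrootgid resolves to.
SAMPLE_PAM = """\
auth sufficient pam_succeed_if.so user ingroup builders use_uid quiet
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
"""

INGROUP = re.compile(r"\buser\s+ingroup\s+(\S+)")


def auth_groups(pam_text):
    """Groups whose members pass an active 'auth sufficient' rule."""
    groups = []
    for raw in pam_text.splitlines():
        fields = raw.split()
        # Skip blanks, comments, and anything that is not 'auth sufficient'.
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[0].lstrip("-") != "auth" or fields[1] != "sufficient":
            continue
        module, args = fields[2], fields[3:]
        if module == "pam_succeed_if.so":
            match = INGROUP.search(" ".join(args))
            if match:
                groups.append(match.group(1))
        elif module == "pam_wheel.so" and "trust" in args:
            # pam_wheel checks "wheel" unless a group=NAME option is given.
            named = [a.split("=", 1)[1] for a in args if a.startswith("group=")]
            groups.append(named[0] if named else "wheel")
    return groups


def check(pam_text, chroot_group):
    """Report drift between the PAM rules and the configured mock group."""
    groups = auth_groups(pam_text)
    problems = []
    if chroot_group not in groups:
        problems.append(f"no PAM rule admits members of {chroot_group!r}")
    problems += [f"PAM also admits members of {g!r}"
                 for g in groups if g != chroot_group]
    return problems


if __name__ == "__main__":
    print(check(SAMPLE_PAM, "builders") or "PAM file matches chrootgid group")
```

An empty result means the PAM file admits exactly the configured group; any other group listed is one whose members PAM will still let through after the mock group was changed.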
Applied and queued for next release.

mock-1.1.22-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mock-1.1.22-1.el6

mock-1.1.22-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mock-1.1.22-1.fc15

mock-1.0.29-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mock-1.0.29-1.el5

mock-1.1.22-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mock-1.1.22-1.fc17

mock-1.1.22-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/mock-1.1.22-1.fc16

mock-1.1.22-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mock-1.1.22-2.fc17

Package mock-1.1.22-2.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mock-1.1.22-2.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7324/mock-1.1.22-2.fc17
then log in and leave karma (feedback).

mock-1.1.22-2.1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.