Description of problem: The examples states the following: > If you see 'Permission denied' errors here, it could be because your > distro has decided to engage in security-by-obscurity by making > some host binaries unreadable by ordinary users. Normally you can > ignore these errors. This happens because supermin is trying to copy files from the host system. Which it is not supposed to do when running without --use-installed. Also it is not true that those can be ignored as it means the mentioned files are missing from the appliance. Version-Release number of selected component (if applicable): git
Can you post the commands you are running. It is expected that supermin will read host files during the --build phase.
Yes, it happens during the --build phase. $ supermin --prepare shadow-utils -o /tmp/tmpFp9wyU $ supermin --build -f chroot -o fedora_min /tmp/tmpFp9wyU cp: cannot open '/usr/bin/chown' for reading: Permission denied cp: cannot open '/usr/sbin/build-locale-archive' for reading: Permission denied cp: cannot open '/usr/sbin/glibc_post_upgrade.x86_64' for reading: Permission denied cp: cannot open '/usr/sbin/groupadd' for reading: Permission denied cp: cannot open '/usr/sbin/groupdel' for reading: Permission denied cp: cannot open '/usr/sbin/groupmems' for reading: Permission denied cp: cannot open '/usr/sbin/groupmod' for reading: Permission denied cp: cannot open '/usr/sbin/useradd' for reading: Permission denied cp: cannot open '/usr/sbin/userdel' for reading: Permission denied cp: cannot open '/usr/sbin/usermod' for reading: Permission denied Could you elaborate om "is expected to read host files"? Is it expected that files that get the "cannot open" error are missing? (what absolutely makes sense) But why does the example state "Normally you can ignore these errors." then? Should i file a bug on shadow-utils for "security-by-obscurity"?
That's how supermin works, at a fundamental level. It copies the files from the host into the appliance during the --build phase. --use-installed is only for use in the --prepare phase (and then only in a very strictly prescribed circumstances that likely don't apply to you unless you're building a Debian package). (In reply to Florian Ludwig from comment #2) > cp: cannot open '/usr/bin/chown' for reading: Permission denied > cp: cannot open '/usr/sbin/build-locale-archive' for reading: Permission > denied > cp: cannot open '/usr/sbin/glibc_post_upgrade.x86_64' for reading: > Permission denied > cp: cannot open '/usr/sbin/groupadd' for reading: Permission denied > cp: cannot open '/usr/sbin/groupdel' for reading: Permission denied > cp: cannot open '/usr/sbin/groupmems' for reading: Permission denied > cp: cannot open '/usr/sbin/groupmod' for reading: Permission denied > cp: cannot open '/usr/sbin/useradd' for reading: Permission denied > cp: cannot open '/usr/sbin/userdel' for reading: Permission denied > cp: cannot open '/usr/sbin/usermod' for reading: Permission denied > > Is it expected that files that get the "cannot open" error are missing? > (what absolutely makes sense) But why does the example state "Normally you > can ignore these errors." then? It's expected, and if you don't need those files in your appliance then you can ignore the errors. However > Should i file a bug on shadow-utils for "security-by-obscurity"? yes this is a bug. For Fedora, it is now explicitly against policy to have such unreadable files, unless the packager of shadow-utils has a really good reason: https://fedorahosted.org/fpc/ticket/467
Closing - see previous comment.