2095461 – [RFE] sane-backends use systems-sysusers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2095461 - [RFE] sane-backends use systems-sysusers

Summary: [RFE] sane-backends use systems-sysusers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2022-08-29
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	sane-backends
Sub Component:
Version:	CentOS Stream
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Dohnal
QA Contact:	Petr Dancak
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-06-09 18:13 UTC by Pat Riehecky
Modified:	2022-11-15 11:49 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sane-backends-1.0.32-7.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2106390 (view as bug list)
Environment:
Last Closed:	2022-11-15 10:43:31 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-124892	0	None	None	None	2022-06-09 18:15:37 UTC
Red Hat Product Errata	RHBA-2022:8249	0	None	None	None	2022-11-15 10:43:32 UTC

Description Pat Riehecky 2022-06-09 18:13:58 UTC

Description of problem:
sane-backends has static useradd scripts

Version-Release number of selected component (if applicable):
sane-backends-1.0.32-6.el9

How reproducible:
100%

Steps to Reproduce:
1.review %pre
2.
3.

Actual results:
%pre daemon
getent group saned >/dev/null || groupadd -r saned
getent passwd saned >/dev/null || \
    useradd -r -g saned -d %{_datadir}/sane -s /sbin/nologin \
                -c "SANE scanner daemon user" saned
exit 0

Expected results:
use of system-sysusers 

Additional info:
https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html
https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format

Comment 2 Zdenek Dohnal 2022-06-10 07:42:18 UTC

Hi Pat,

thank you for reporting the feature request and the intent to contribute to CentOS Stream!

The feature looks fine from my POV - it migrates saned user, which is used by sane-backends-daemon, from being generated via useradd and groupadd commands to being handled completely by systemd-usersys service. saned in CentOS Stream will be created by using a uniform syntax and admins can check which package (sane-backends-daemon in this case) requires saned user and can even override it.

The ticket will be now reviewed by QE and once there is a decision, we will set the appropriate flags in bugzilla.

Proposal how to test:
---------------------

1) check if saned exists in /etc/group and /etc/passwd

2) check if saned exists in output of 'systemd-analyze cat-config sysusers.d/'

3) check whether scanning via saned works

- use USB scanner from our minilab and connect it to device/VM with RHEL/CentOS Stream 9 
- install sane-backends-daemon
- set /etc/sane/saned.conf with client's IP (localhost) and other stuff according 'man saned'
- enable sane in firewall - 'sudo firewall-cmd --add-service=sane'
- start saned.socket
- set /etc/sane.d/net.conf according the comments (set connection timeout and put 'localhost' into saned host part) in it
- 'scanimage -L' must contain an entry starting with 'net:localhost'
- use this entry for scanning and an output file must be generated - 'scanimage -d <device_uri from the found entry> > out.pnm'

========================================================

Petr, Joe, would you mind reviewing the RFE proposal as well?

Comment 5 Zdenek Dohnal 2022-06-17 08:26:27 UTC

(In reply to Zdenek Dohnal from comment #2)
> The feature looks fine from my POV - it migrates saned user, which is used
> by sane-backends-daemon, from being generated via useradd and groupadd
> commands to being handled completely by systemd-usersys service. saned in
> CentOS Stream will be created by using a uniform syntax and admins can check
> which package (sane-backends-daemon in this case) requires saned user and
> can even override it.

Additional notes:

- the change is about a different source of creation of saned group, which doesn't have a breaking impact on customers

- once tested that group and user is created, the change does not break anything else

Comment 7 Zdenek Dohnal 2022-06-20 08:20:32 UTC

Hi Pat,

the bug has passed the engineering review, so the merge request can be created referencing this bug.

Please post a link to the merge request here once you have it ready.


Thank you in advance!

Comment 9 Pat Riehecky 2022-06-28 14:24:50 UTC

https://gitlab.com/redhat/centos-stream/rpms/sane-backends/-/merge_requests/3

Comment 10 Zdenek Dohnal 2022-06-29 07:52:16 UTC

Note for QE:

systemd-sysusers does not remove the created user/group from /etc/group and /etc/passwd once the package which dynamically allocs the user/group is removed. It is designed like this to protect files with user:group set to the dynamically allocated user/group from losing its user:group.

Comment 11 Zdenek Dohnal 2022-06-29 10:15:11 UTC

(In reply to Zdenek Dohnal from comment #2)
> - set /etc/sane/saned.conf with client's IP (localhost) and other stuff
> according 'man saned'

The path is /etc/sane.d/saned.conf.

Comment 12 Zdenek Dohnal 2022-07-21 13:30:25 UTC

The PR is fine now, I'm setting the flags for getting the PR into CentOS Stream.

Comment 13 Zdenek Dohnal 2022-07-21 14:46:53 UTC

Committed as https://gitlab.com/redhat/centos-stream/rpms/sane-backends/-/commit/2af54a34f2ad10ab51a90f99975550a36fc08812?merge_request_iid=4 .

Comment 20 errata-xmlrpc 2022-11-15 10:43:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sane-backends bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8249

Note You need to log in before you can comment on or make changes to this bug.