Bug 5027 - Adjust TCB options in shadow-utils
: Adjust TCB options in shadow-utils
Status: VERIFIED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Normal normal
: ---
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-09 18:26 MSK by Andrey Bondrov
Modified: 2015-02-11 23:39 MSK (History)
3 users (show)

See Also:
RPM Package: shadow-utils
ISO-related:
Bad POT generating:
Upstream:
firstlevel: qa_verified+
denis.silakov: published+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Bondrov 2015-02-09 18:26:33 MSK
We need to synchronize shadow-utils package from current with rosa2014.1. So we need to adjust TCB options in login.defs file.
Comment 1 Andrey Bondrov 2015-02-09 18:27:01 MSK
Advisory: "Adjust TCB options in shadow-utils"

https://abf.rosalinux.ru/build_lists/2423524
https://abf.rosalinux.ru/build_lists/2423525
Comment 2 FirstLevel 2015-02-09 20:14:00 MSK
Update goes well for 32 and 64 bit.
But I have not found any differences in /etc/login.defs

old--------------


[root@r5-64 ~]# cat /etc/login.defs  | grep tcb
# Whether to use tcb password shadowing scheme.  Use 'yes' if using
# tcb and 'no' if using /etc/shadow
# Whether newly created tcb-style shadow files should be readable by
# /etc/tcb for newly created accounts with UIDs over 1000.  See tcb(5)
[root@r5-64 ~]# cat /etc/login.defs  | grep TCB
USE_TCB                 no
TCB_AUTH_GROUP          yes
TCB_SYMLINKS            no
[root@r5-64 ~]# 


new--------------

[root@r5-32 ~]# cat /etc/login.defs | grep tcb
# Whether to use tcb password shadowing scheme.  Use 'yes' if using
# tcb and 'no' if using /etc/shadow
# Whether newly created tcb-style shadow files should be readable by
# /etc/tcb for newly created accounts with UIDs over 1000.  See tcb(5)
[root@r5-32 ~]# cat /etc/login.defs | grep TCB
USE_TCB                 no
TCB_AUTH_GROUP          yes
TCB_SYMLINKS            no
[root@r5-32 ~]#
Comment 3 Andrey Bondrov 2015-02-10 03:08:21 MSK
(In reply to comment #2)
> Update goes well for 32 and 64 bit.
> But I have not found any differences in /etc/login.defs

Sorry, new build lists:

https://abf.rosalinux.ru/build_lists/2423601
https://abf.rosalinux.ru/build_lists/2423602
Comment 4 FirstLevel 2015-02-10 19:04:49 MSK
 Sorry, new build lists:
> 
> https://abf.rosalinux.ru/build_lists/2423601
> https://abf.rosalinux.ru/build_lists/2423602

Update goes well for 32 and 64 bit.
NEW tcb options:
[root@r5-32 ~]# cat /etc/login.defs | grep tcb
# Whether to use tcb password shadowing scheme.  Use 'yes' if using
# tcb and 'no' if using /etc/shadow
# Whether newly created tcb-style shadow files should be readable by
# /etc/tcb for newly created accounts with UIDs over 1000.  See tcb(5)
[root@r5-32 ~]# cat /etc/login.defs | grep TCB
#USE_TCB                 no
#TCB_AUTH_GROUP          yes
#TCB_SYMLINKS            no
[root@r5-32 ~]#


Create new user and log in - ok
Comment 5 FirstLevel 2015-02-10 19:25:37 MSK
I see some issues after update from this container.

With original packages I see that package chrony  installed without any warnings. For example:
[root@r5-32 ~]# urpmi chrony
    http://mirror.rosalab.ru/rosa/rosa2014.1/repository/i586/media/contrib/release/chrony-1.27-

0.pre1git1ca844a.2-rosa2014.1.i586.rpm
                                                                                                           

                                          

устанавливается chrony-1.27-0.pre1git1ca844a.2-rosa2014.1.i586.rpm из /var/cache/urpmi/rpms
Подготовка...                    

##########################################################################################################

#########
      1/1: chrony                

##########################################################################################################

#########
[root@r5-32 ~]#


But after update I see some warnings in the installation process. For example:
[root@r5-32 ~]# urpmi chrony
    http://mirror.rosalab.ru/rosa/rosa2014.1/repository/i586/media/contrib/release/chrony-1.27-0.pre1git1ca844a.2-rosa2014.1.i586.rpm
                                                                                                                                                     

устанавливается chrony-1.27-0.pre1git1ca844a.2-rosa2014.1.i586.rpm из /var/cache/urpmi/rpms
Подготовка...                    ###################################################################################################################
useradd: existing lock file /etc/shadow.lock without a PID
useradd: не удалось заблокировать /etc/shadow; попробуйте ещё раз позже.
      1/1: chrony                ##################################################################################################################warning: пользователь chrony не существует - используется root
warning: пользователь chrony не существует - используется root
#
[root@r5-32 ~]# 


And same situation for pesign package.

Is it normal?
Comment 6 Andrey Bondrov 2015-02-10 19:35:57 MSK
(In reply to comment #5)
> And same situation for pesign package.
> 
> Is it normal?

No, it's a bug.
Comment 7 FirstLevel 2015-02-10 19:41:59 MSK
(In reply to comment #6)
> (In reply to comment #5)
> > And same situation for pesign package.
> > 
> > Is it normal?
> 
> No, it's a bug.

Ok. I am waiting for new containers.
Comment 8 Dmitry Fedorov 2015-02-11 15:47:27 MSK
Let's try this one:

http://abf-downloads.rosalinux.ru/rosa2014.1/container/2424231/i586/main/release/
http://abf-downloads.rosalinux.ru/rosa2014.1/container/2424232/x86_64/main/release/

It seems that the tcb-aware shadow-utils does not remove lock file.
Comment 9 Dmitry Fedorov 2015-02-11 17:02:59 MSK
In addition to the above comment, appropriate buildlists:
https://abf.io/build_lists/2424231
https://abf.io/build_lists/2424232
Comment 10 FirstLevel 2015-02-11 18:30:11 MSK
(In reply to comment #9)
> In addition to the above comment, appropriate buildlists:
> https://abf.io/build_lists/2424231
> https://abf.io/build_lists/2424232

Error is missing with new containers

[root@r5-32 ~]# urpmi chrony
    http://mirror.rosalab.ru/rosa/rosa2014.1/repository/i586/media/contrib/release/chrony-1.27-0.pre1git1ca844a.2-rosa2014.1.i586.rpm
                                                                                                                                                     

устанавливается chrony-1.27-0.pre1git1ca844a.2-rosa2014.1.i586.rpm из /var/cache/urpmi/rpms
Подготовка...                    ###################################################################################################################
      1/1: chrony                ###################################################################################################################
[root@r5-32 ~]# urpmi pesign
Для удовлетворения зависимостей будут установлены следующие пакеты:
 Пакет                          Версия       Релиз         Dist  DEpoch Платформа 
(источник «main updates»)
 coolkey                        1.1.0        25            rosa  2014.1 i586 
 coolkey-devel                  1.1.0        25            rosa  2014.1 i586 
 pesign                         0.108        3             rosa  2014.1 i586 
Будет использовано 641КБ дополнительного дискового пространства.
Будет загружено 160КБ пакетов.
Установить 3 пакетов? (Y/n) y
    http://mirror.rosalab.ru/rosa/rosa2014.1/repository/i586/media/main/updates/coolkey-1.1.0-25-rosa2014.1.i586.rpm
    http://mirror.rosalab.ru/rosa/rosa2014.1/repository/i586/media/main/updates/coolkey-devel-1.1.0-25-rosa2014.1.i586.rpm                           
    http://mirror.rosalab.ru/rosa/rosa2014.1/repository/i586/media/main/updates/pesign-0.108-3-rosa2014.1.i586.rpm                                   
                                                                                                                                                     

устанавливается pesign-0.108-3-rosa2014.1.i586.rpm coolkey-devel-1.1.0-25-rosa2014.1.i586.rpm coolkey-1.1.0-25-rosa2014.1.i586.rpm из /var/cache/urpmi/rpms
warning: LOOP:
warning: not removing coolkey-1.1.0-25.i586 "Requires(auto): devel(libckyapplet)" from tsort relations.
warning: removing coolkey-devel-1.1.0-25.i586 "Requires: /usr/lib/libckyapplet.so.1.0.0" from tsort relations.
Подготовка...                    ###################################################################################################################
      1/3: pesign                ###################################################################################################################
      2/3: coolkey-devel         ###################################################################################################################
      3/3: coolkey               ###################################################################################################################
[root@r5-32 ~]#
Comment 11 FirstLevel 2015-02-11 21:10:40 MSK
shadow-utils-4.1.5.1-14
http://abf-downloads.rosalinux.ru/rosa2014.1/container/2424232/x86_64/main/release/
http://abf-downloads.rosalinux.ru/rosa2014.1/container/2424231/i586/main/release/


************************ Advisory **********************
 "Adjust TCB options in shadow-utils"
********************************************************
QA Verified