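#!/bin/bash
#
# This script attempts to fix the following issue:
# https://github.com/wayblueorg/wayblue/issues/89
# More specifically, it does the following:
# * Iterates /etc/shadow and /etc/gshadow; and
# * For every entry that cannot be getent'd, delete it
#
# This script should be invoked before systemd-sysusers on system boot
#
# The reason for this is as follows:
# At time of writing, using rpm-ostree to build OCI container images fails to
# update /usr/lib/passwd and /usr/lib/group, instead dropping items in
# /usr/lib/sysusers.d for systemd-sysusers to process at boot time. This would
# be fine under normal circumstances.
#
# HOWEVER. If you are coming from a distro that had entries in those /usr/lib
# files for those users/groups, you will have entries in /etc/{,g}shadow for
# said users/groups.
#
# If an entry is present in /etc/shadow or /etc/gshadow that matches an object
# that systemd-sysusers is trying to add, it will fail and then abort further
# object processing. Thus, we remove objects that cannot be looked up, assuming
# that the cause is this disparity and that it will be smoothed out when
# systemd-sysusers next runs
#
# Properties to keep in mind when changing this script:
# * The deletion decision is "getent cannot resolve the name". A name that
#   getent CAN resolve -- through any source in nsswitch.conf -- is always left
#   alone, so the script assumes the NSS sources holding the legitimate
#   /usr/lib/{passwd,group} objects are already usable when it runs.
# * Only names matching NAME_PATTERN below are ever handed to sed; anything
#   else is reported and kept.
# * sed keeps the previous content at "<file>-" (the conventional /etc/shadow-
#   name). That backup is rewritten on every deletion, so it only reflects the
#   state before the LAST deletion.
#
set -e
set -u
set -o pipefail

# Names we are willing to delete. Deliberately narrower than the systemd rules
# at https://systemd.io/USER_NAMES/ (no upper case, no underscore): every
# accepted name is free of regex metacharacters and ':' so it is safe to
# interpolate into the sed address below. A name that fails this pattern is
# reported and left in place.
readonly NAME_PATTERN='^[a-z][a-z0-9-]{0,30}$'

#######################################
# Report whether getent can resolve a name in any of the given databases.
# getent is used instead of pwck/grpck because those are not NSS-aware: they
# would strip the shadow data of objects that live in /usr/lib/passwd and
# /usr/lib/group, whereas getent consults every source in nsswitch.conf.
# Arguments: $1    - name to look up
#            $2... - getent database(s) to consult (passwd, group)
# Outputs:   nothing
# Returns:   0 if any database yields a non-empty result, 1 otherwise
#######################################
resolvable_via_nss() {
  local name=$1
  shift
  local db result
  for db in "$@"; do
    # getent exits non-zero when the name is unknown, which 'set -e' would
    # otherwise treat as fatal; capture the output and decide on that instead.
    result=$(getent "$db" "$name" || true)
    if [[ -n "$result" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Delete every line of a shadow-style file whose first field is the given name.
# Arguments: $1 - name that has already been validated against NAME_PATTERN
#            $2 - file to edit in place
# Outputs:   progress message on stdout
# Returns:   sed's exit status
#######################################
remove_entry() {
  local name=$1
  local path=$2
  printf 'Removing from %s: %s\n' "$path" "$name"
  # --in-place=- keeps the previous content at "<path>-". GNU sed writes a new
  # file and renames it over the original, so a loop that is still reading
  # the original file keeps reading the old inode undisturbed.
  sed --in-place=- -e "/^${name}:/d" -- "$path"
}

#######################################
# Scan one shadow-style file and remove the entries NSS cannot resolve.
# Globals:   NAME_PATTERN (read)
# Arguments: $1    - file to scan
#            $2... - getent database(s) that should know its entries
# Outputs:   progress messages on stdout
# Returns:   0 unless sed fails (fatal under set -e)
#######################################
clean_file() {
  local path=$1
  shift
  local line name
  printf 'Parsing %s for junk\n' "$path"
  # IFS= and -r keep each line byte-exact (no whitespace trimming, no
  # backslash processing); the || clause still handles a final line that
  # lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # Should never happen, but an empty line carries no name to check
    if [[ -z "$line" ]]; then
      continue
    fi
    # Per shadow(5) and gshadow(5), everything before the first colon is the
    # user's/group's name.
    name=${line%%:*}
    # Anything NSS resolves is a legitimate entry and is left alone.
    if resolvable_via_nss "$name" "$@"; then
      continue
    fi
    # At this point the entry is one that would make systemd-sysusers bail
    # out on invocation, so it is a candidate for removal.
    printf 'Analyzing broken entity: %s\n' "$name"
    if ! [[ "$name" =~ $NAME_PATTERN ]]; then
      printf 'Not touching nonconformant name: %s\n' "$name"
      continue
    fi
    remove_entry "$name" "$path"
  done < "$path"
}

#######################################
# Entry point: run clean_file over the shadow files we care about.
# Arguments: none (positional arguments are ignored)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0; exits 1 on an unrecognised file name
#######################################
main() {
  local file
  local -a databases
  for file in /etc/shadow /etc/gshadow; do
    # Missing or zero-byte files carry nothing to process
    if ! [[ -s "$file" ]]; then
      printf 'File is missing or empty: %s\n' "$file"
      continue
    fi
    if ! [[ -r "$file" ]]; then
      printf 'Unable to read file: %s\n' "$file" >&2
      continue
    fi
    # Which database to consult depends only on the file, so decide it once
    # here rather than once per line. The array keeps room for consulting
    # more than one database per file at no cost.
    case "$file" in
      */shadow)
        databases=(passwd)
        ;;
      */gshadow)
        databases=(group)
        ;;
      *)
        printf 'Unknown file to parse for junk: %s\n' "$file" >&2
        exit 1
        ;;
    esac
    clean_file "$file" "${databases[@]}"
  done
}

main "$@"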