salt/userfixer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9971b7f33a
userfixer/wayblue-fix-89.sh
Jacob Babor 9971b7f33a Most of the logic
2024-12-01 22:08:27 -06:00

96 lines
3.6 KiB
Bash
Executable File
Raw Blame History

#! /bin/bash
#
# This script attempts to fix the following issue:
# https://github.com/wayblueorg/wayblue/issues/89
# More specifically, it does the following:
# * Iterates /etc/shadow and /etc/gshadow; and
# * For every entry that cannot be getent'd, delete it
#
# This script should be invoked before systemd-sysusers on system boot
#
# The reason for this is as follows:
# At time of writing, using rpm-ostree to build OCI container images fails to
# update /usr/lib/passwd and /usr/lib/group, instead dropping items in
# /usr/lib/sysusers.d for systemd-sysusers to process at boot time. This would
# fine under normal circumstances.
#
# HOWEVER. If you are coming from a distro that had entries in those /usr/lib
# files for that users/group, you will have entries in /etc/{,g}shadow for said
# users/groups.
#
# If an entry is present in /etc/shadow or /etc/gshadow that matches an object
# that systemd-sysusers is trying to add, it will fail and no abort further
# object processing. Thus, we remove objects that cannot be looked up, assuming
# that the cause is this disparity and that it will be smoothed out when
# systemd-sysusers next runs
#
set -e
set -o pipefail
# Iterate over each file we're interested in
for file in /etc/shadow /etc/gshadow; do
# Prelim check for zero-byte files (shouldn't proc)
if ! [ -s "$file" ]; then
echo "File is missing or empty: $file"
continue
fi
# Prelim check to ensure we can read the file
if ! [ -r "$file" ]; then
echo "Unable to read file: $file"
continue
fi
# Prelim checks succeeded, move forward
echo "Parsing $file for junk"
# Read each line in the file to iterate over it
while read line; do
# Per shadow(5), we are guaranteed that all characters leading up to the
# first colon are the user's/group's name. To that end, we'll do a bash
# string substitution to extract that first column.
name="${line%%:*}"
# Swith case here for what ents we care about. I don't think the array is
# strictly required but it affords us flexibility for zero cost so whatever.
ents=()
case "$file" in
/etc/shadow)
ents=("passwd")
;;
/etc/gshadow)
ents=("group")
;;
*)
echo "Unknown file to parse for junk: $file"
exit
;;
esac
# Now, we use getent to find a match for the shadow entry. It's at this point
# that one might ask why we're doing this instead of using grpck or something
# The answer is that those aren't nss-aware, whereas getent is. /etc/shadow
# and /etc/gshadow can have entries for things like passwords and group
# membership for groups that live in /usr/lib/passwd and /usr/lib/group,
# but grpck isn't aware of those and will obliterate their data from the
# shadow files if we're not careful.
#
# Thus, we use getent to parse through nsswitch.conf intelligently and tell
# us whether this object we're operating on is found elsewhere in the OS
matched_ent=""
for ent in "${ents[@]}"; do
[ -n "$matched_ent" ] && break
# We have to do || true here because getent exits nonzero if it fails to
# find an entity. We need to store its output so we can analyze the status
# of this command outside the loop -- we can't just "if ! getent"
result="$(getent "$ent" "$name" || true)"
[ -n "$result" ] && matched_ent="$result"
done
if [ -n "$matched_ent" ]; then
# getent found a matching entity and we don't care about this entry
# Just continue down the line
continue
else
# If we're at this point in the code path, we now know that we for-sure are
# operating on an entry that will cause systemd-sysusers to bail out
# on invocation
echo "Fixing broken entity: $name"
fi
done < "$file"
done
Reference in New Issue View Git Blame Copy Permalink