From: Ludovic Courtès
Subject: bug#35996: User account password got locked when booting old generation
Date: Sun, 02 Jun 2019 18:00:14 +0200
To: "pelzflorian (Florian Pelz)"
Cc: 35996@debbugs.gnu.org

"pelzflorian (Florian Pelz)" wrote:

> On Sun, Jun 02, 2019 at 11:38:36AM +0200, Ludovic Courtès wrote:
> [...]
>> Actually, another thing that could happen is that Guix reads an
>> incomplete /etc/shadow because some other program is writing to it.
>>
>> In that case, suppose Guix reads a partial /etc/shadow where user
>> “florian” is missing. It would then create a new /etc/shadow where the
>> password for “florian” is uninitialized (or set to the initial value
>> that appears in config.scm.)
>>
>> Could it be what happened to you? You’d have to be running ‘passwd’ or
>> ‘usermod’ or whatever at exactly the same time as ‘guix system
>> reconfigure’ (and you’d have to be “lucky”).
>>
>
> No, I did not change my password in a very long time.
>
> Is there no proper cross-application locking mechanism for
> /etc/passwd? elogind uses
>
>     struct flock flock = {
>             .l_type = F_WRLCK,
>             .l_whence = SEEK_SET,
>             .l_start = 0,
>             .l_len = 0,
>     };
>     […]
>     fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
>     […]
>     r = fcntl(fd, F_SETLKW, &flock);
>
> Should Guix adopt something similar for shadow/passwd/… database
> reads?

We could do that yes, though I’d lean towards using the same thing as
libc and Shadow.

The whole scenario just sounds very unlikely though.

Thanks,
Ludo’.
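
The locking pattern quoted above from elogind, applied to a reader of a passwd-style database, as an added example that is not part of the original message and is not code from Guix, elogind, libc or Shadow. The function names and the separate lock-file argument are hypothetical; the lock is advisory, so it only protects against programs that take the same lock.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exclusive whole-file lock (l_start = 0, l_len = 0) on a dedicated lock file.
   wait != 0 blocks (F_SETLKW); wait == 0 fails at once if the lock is held.
   Returns the lock fd or -1; closing that fd releases the lock. */
int db_lock(const char *lock_path, int wait)
{
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 0 };
    int fd = open(lock_path,
                  O_WRONLY | O_CREAT | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fcntl(fd, wait ? F_SETLKW : F_SETLK, &fl) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Reader side: count entries (lines) while holding the lock, so a
   cooperating writer cannot be in the middle of an update. */
int count_entries_locked(const char *db_path, const char *lock_path)
{
    int n = -1, c, lock = db_lock(lock_path, 1);
    if (lock < 0) return -1;
    FILE *f = fopen(db_path, "r");
    if (f) {
        for (n = 0; (c = fgetc(f)) != EOF; ) n += (c == '\n');
        fclose(f);
    }
    close(lock);
    return n;
}

/* Returns 1 if a second process is refused the lock while we hold it. */
int other_process_is_refused(const char *lock_path)
{
    int status = 0, lock = db_lock(lock_path, 1);
    if (lock < 0) return -1;
    pid_t pid = fork();
    if (pid == 0)   /* child: fcntl locks are not inherited across fork */
        _exit(db_lock(lock_path, 0) < 0 ? 1 : 0);
    waitpid(pid, &status, 0);
    close(lock);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 1;
}
```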