Subject: bug#36508: GDM files have incorrect owner after temporarily removing service
From: Ludovic Courtès
To: Mark H Weaver
Cc: Brendan Tildesley, 36508@debbugs.gnu.org
Date: Wed, 14 Apr 2021 12:32:48 +0200
Message-ID: <875z0pgnqn.fsf@gnu.org>
In-Reply-To: <87czuxsya5.fsf@netris.org> (Mark H. Weaver's message of "Tue, 13 Apr 2021 16:51:35 -0400")
References: <20190705083620.lbzu7a33awbymh3d@cf0> <1576552162.14721.1618320275616@office.mailbox.org> <87czuxsya5.fsf@netris.org>
List-Id: Bug reports for GNU Guix
Hi Mark,

Mark H Weaver skribis:

> Brendan Tildesley via Bug reports for GNU Guix
> writes:
>
>> I recently encountered what is likely the same bug. The directory /var/lib/gdm
>> had the correct permissions gdm:gdm, but all the files inside had something like
>> 973:gdm
>
> The underlying problem here, which I've also experienced, is that if you
> reconfigure your system with fewer users/groups, and then later add
> those users/groups back, there is no guarantee that they will be
> assigned the same UIDs and GIDs.

Yes.

The patch Brendan posted LGTM (though I’m surprised the directory itself can have the right UID/GID while files inside it don’t; perhaps this was made possible by 2161820ebbbab62a5ce76c9101ebaec54dc61586, which chowns the home directory unconditionally.)

Note that there are other places, in addition to GDM, where we forcefully reset the UID/GID of the home directory (e.g., for the ‘knot-resolver’ service.)

My preferred solution to this would be to unconditionally chown -R home directories upon activation (for efficiency, it would be best if we could do that if and only if the home directory itself has wrong ownership). Thoughts?

systemd-homed does something like that. The intuition here is that UIDs/GIDs are implementation details that should get out of the way.

> There's some discussion of this issue at ,
> although I'm not sure that Danny's suggested solution is practical.
>
> Here's one idea: when activating a system, *never* delete users or
> groups if files still exist that are owned by those users/groups.
> Checking all filesystems would likely be too expensive, but perhaps it
> would be sufficient to check certain directories such as /var, /etc, and
> possibly the top directory of /home.

How would you determine which directories to look at though? What if we miss an important one?

Note that the ID allocation strategy in (gnu build accounts) ensures UIDs/GIDs aren’t reused right away (same strategy as implemented by Shadow, etc.). So if you remove “bob”, then add “alice”, “alice” won’t be able to access the left-behind /home/bob because it has a different UID.

Ludo’.
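As an added example (not code from the Guix project or from this thread), here is the ownership audit that Brendan's report and the "chown -R only if the home directory itself is wrong" shortcut discussed above call for: it lists entries under a service's state directory whose UID:GID no longer matches the account, and shows which of those the top-directory-only shortcut would leave stale. The numeric IDs and the SAMPLE tree are constructed assumptions, not values from the report.

```python
import os
import pwd
import sys
from typing import Iterable, Iterator, List, NamedTuple

class Entry(NamedTuple):
    path: str
    uid: int
    gid: int

def walk_ownership(root: str) -> Iterator[Entry]:
    """Yield owner/group of ROOT and everything below it (lstat, so a
    symlink's own ownership is reported rather than its target's)."""
    st = os.lstat(root)
    yield Entry(root, st.st_uid, st.st_gid)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield Entry(path, st.st_uid, st.st_gid)

def stale_entries(entries: Iterable[Entry], uid: int, gid: int) -> List[Entry]:
    """Entries not owned by UID:GID, i.e. left behind by a previous account."""
    return [e for e in entries if (e.uid, e.gid) != (uid, gid)]

def missed_by_top_dir_shortcut(entries: Iterable[Entry], root: str,
                               uid: int, gid: int) -> List[Entry]:
    """Stale entries that a 'chown -R only if ROOT itself is wrong' rule skips.
    When ROOT already matches (e.g. activation chowned the home directory
    itself unconditionally) the rule never recurses, so stale children stay
    stale. An empty result means the shortcut is safe for this tree."""
    entries = list(entries)
    root_ok = any(e.path == root and (e.uid, e.gid) == (uid, gid) for e in entries)
    return stale_entries(entries, uid, gid) if root_ok else []

# Constructed sample mirroring the report: the directory is gdm:gdm but the
# files inside still carry the UID (973) of the earlier 'gdm' account.
GDM_UID, GDM_GID = 986, 986  # assumed current IDs of 'gdm', not from the thread
SAMPLE = [
    Entry("/var/lib/gdm", GDM_UID, GDM_GID),
    Entry("/var/lib/gdm/.config", 973, GDM_GID),
    Entry("/var/lib/gdm/.config/pulse", 973, GDM_GID),
    Entry("/var/lib/gdm/.cache", GDM_UID, GDM_GID),
]

if __name__ == "__main__":  # usage: audit.py /var/lib/gdm gdm
    root, pw = sys.argv[1], pwd.getpwnam(sys.argv[2])
    for e in stale_entries(walk_ownership(root), pw.pw_uid, pw.pw_gid):
        print(f"{e.path}: {e.uid}:{e.gid}, expected {pw.pw_uid}:{pw.pw_gid}")
```

Run against a real state directory it needs only read access to stat the tree; fixing ownership is left to the activation code, which is the point under discussion.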