For the record,
Uli has contacted me off-list and indicated this is a course of action he can live with.
In the meantime, I decided to dig through X2Go's git repo.
This is the commit that introduced the faulty nscd cache flushing code in x2goserver-ssh:
<https://code.x2go.org/gitweb?p=x2gobroker.git;a=commit;h=9e44861e4a29897228cb70a95d6853dbe85779b0>
author Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Wed, 1 Apr 2015 03:50:45 +0000 (05:50 +0200)
committer Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Wed, 1 Apr 2015 03:50:45 +0000 (05:50 +0200)
commit 9e44861e4a29897228cb70a95d6853dbe85779b0
tree 9bba4aeb6d2ffa2ac5bfe47a63e2f20fbb4c6a2a
parent 2cd0cdc8b73967b87d53c615a5952a83309ba63f
The previous commit that touched this file is:
author Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Thu, 11 Sep 2014 23:29:14 +0000 (01:29 +0200)
committer Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Thu, 11 Sep 2014 23:29:37 +0000 (01:29 +0200)
commit 67d9cfd0ba235c919af84aa9b0d647d0e8a47968
tree 88ed368b14cb2e440f7eebedec9a342257317ff3
parent 806224f2caab8db9c7accb7fa4c5e587d34cd5ca
So some time between September 11, 2014, and April 1, 2015, Mike#1 noticed that groupadd did not behave as expected, and added this code. Which means Wheezy (7) and Jessie (8) are the most likely candidates where the issue might have cropped up, as there's a good chance Mike#1 was using testing instead of stable, being so close to the official release (which happened on April 25/26, 2015). Squeeze (6) was already out of support by September 11, 2014, which means it's unlikely that whatever happened, happened on Squeeze.
Anyone curious enough to go through the groupadd source code for the binaries that shipped in these two Debian releases in said time frame?
-Stefan
On 19.04.20 at 15:30, Stefan Baur wrote:
On 17.04.20 at 21:59, Ulrich Sibiller wrote:
On Fri, Apr 17, 2020 at 8:36 PM Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
Currently, all automated Debian installs for x2gobroker-ssh are failing due to this faulty piece of code.
So, let's make this clear: Code which should not be there at all is now breaking installation. That's exactly my point... It should not be there.
Code that has been put there to solve an actual issue, but which has a flaw in its detection routine as to when it should trigger.
I have just checked on my Debian 10. Here's a snippet from /usr/sbin/groupadd:
...
    printf (gtx("Adding group `%s' (GID %d) ...\n"),$new_name,$new_gid) if $verbose;
    &invalidate_nscd("group");
    my $groupadd = &which('groupadd');
    &systemcall($groupadd, '-g', $new_gid, $new_name);
    &invalidate_nscd("group");
    print (gtx("Done.\n")) if $verbose;
...
So this is where this kind of code belongs. Debian has everything in place.
And it seems to be broken, or this code in the postinst script wouldn't be needed. Or maybe it was only added to groupadd after the code in the postinst file had already been written. It would be interesting to know when those "invalidate_nscd" calls were added. Maybe an older Debian version is still affected by this, while Buster is safe?
So I agree that this should be fixed asap in x2gobroker-ssh, but it should be fixed by removing the nscd code altogether.
So if we remove it, we're likely to get another bug report tagged "severity: important", just coming from the other direction, begging us to add this code again.
No, those people begging for it can be instructed to check their distro. And to run the flush manually. Or even to simply reboot.
The proper way to handle this, IMO, is a two-step process.
- Apply my patch ASAP and release a fixed package, to un-break current preseeded installations.
- Turn the blind execution if the condition is triggered into an interactive, preseedable question, and check for sssd as well. This is what Debian does e.g. when updating libc - you get a popup asking you if it is okay to restart affected services, or if you would like to do it manually at a later date. So in addition to
x2gobroker-ssh x2gobroker-ssh/group-x2gobroker-users string x2gobroker-users
x2gobroker-ssh x2gobroker-ssh/group-does-not-exist note
x2gobroker-ssh x2gobroker-ssh/use-existing-group boolean true|false
x2gobroker-ssh x2gobroker-ssh/create-group boolean true|false
x2gobroker-ssh x2gobroker-ssh/manual-setup-required boolean true|false
x2gobroker-ssh x2gobroker-ssh/del-last-group-x2gobroker-users boolean true|false
x2gobroker-ssh x2gobroker-ssh/last-group-x2gobroker-users string x2gobroker-users
we'd have new preseedable entries like
x2gobroker-ssh x2gobroker-ssh/flush-nscd-groups boolean true|false
x2gobroker-ssh x2gobroker-ssh/flush-sssd-groups boolean true|false
Whoever tries to run an unattended installation using preseeds can then choose whichever option suits them best. And if you're worried that the attempt to flush the cache has a negative impact, even with the triggering condition fixed, we can make those options default to "false" and add a notice like "this should not be necessary unless your groupadd implementation is faulty" in the popup message.
-Stefan
--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
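
The second step proposed in the message above (an opt-in, preseedable cache flush that also covers sssd), sketched as an added example; it is not part of the original e-mail and not X2Go's code. Assumptions: the two question names are the ones proposed in the thread and exist in no shipped package, PRESEED_FILE is a hypothetical stand-in for debconf so the logic runs offline, and treating a failed flush as non-fatal is a choice made for this example.

```shell
#!/bin/sh
# Added example: opt-in, guarded group-cache flush for a package postinst.
# In a real postinst the answer would come from db_get after sourcing
# /usr/share/debconf/confmodule; PRESEED_FILE (hypothetical) replaces that
# here with a debconf-set-selections style file.

# preseed_answer QUESTION: print "true" only if explicitly preseeded true,
# so the default is "false" as suggested in the thread.
preseed_answer() {
    awk -v q="$1" '
        $1 == "x2gobroker-ssh" && $2 == q && $3 == "boolean" { a = $4 }
        END { if (a == "true") print "true"; else print "false" }
    ' "${PRESEED_FILE:-/dev/null}"
}

# flush_if_enabled QUESTION TOOL [ARGS...]: run TOOL only when the admin
# opted in and TOOL is installed. A failing flush is reported, never fatal,
# so it cannot abort an unattended installation.
flush_if_enabled() {
    question=$1; tool=$2; shift 2
    if [ "$(preseed_answer "$question")" != "true" ]; then
        echo "skip:$tool:not-requested"; return 0
    fi
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "skip:$tool:not-installed"; return 0
    fi
    if "$tool" "$@" >/dev/null 2>&1; then
        echo "flushed:$tool"
    else
        echo "warn:$tool:flush-failed"
    fi
    return 0
}

# Invalidate only the group table/records, for nscd and for sssd.
flush_group_caches() {
    flush_if_enabled x2gobroker-ssh/flush-nscd-groups nscd -i group
    flush_if_enabled x2gobroker-ssh/flush-sssd-groups sss_cache -G
}

# With nothing preseeded, both flushes are skipped.
flush_group_caches
```
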