cmd/initContainer: Simplify removing the user's password

It's one less invocation of an external command, which is good because
spawning a new process is generally expensive.

One positive side-effect of this is that on some Active Directory
set-ups, the entry point no longer fails with:
  Error: failed to remove password for user login@company.com: failed
      to invoke passwd(1)

... because of:
  # passwd --delete login@company.com
  passwd: Libuser error at line: 210 - name contains invalid char `@'.

This is purely an accident, and isn't meant to be an intentional change to
support Active Directory.  Tools like useradd(8) and usermod(8) from
Shadow aren't meant to work with Active Directory users, and, hence, it
can still break in other ways.  For that, one option is to expose $USER
from the host operating system to the Toolbx container through a Varlink
interface that can be used by nss-systemd inside the container.

Based on an idea from Si.

https://github.com/containers/toolbox/issues/585
Debarshi Ray 2023-08-22 23:29:43 +02:00
parent 983e07adf6
commit b1b1d459ed


@ -393,6 +393,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe
"--groups", sudoGroup, "--groups", sudoGroup,
"--home-dir", targetUserHome, "--home-dir", targetUserHome,
"--no-create-home", "--no-create-home",
"--password", "",
"--shell", targetUserShell, "--shell", targetUserShell,
"--uid", fmt.Sprint(targetUserUid), "--uid", fmt.Sprint(targetUserUid),
targetUser, targetUser,
@ -413,6 +414,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe
"--append", "--append",
"--groups", sudoGroup, "--groups", sudoGroup,
"--home", targetUserHome, "--home", targetUserHome,
"--password", "",
"--shell", targetUserShell, "--shell", targetUserShell,
"--uid", fmt.Sprint(targetUserUid), "--uid", fmt.Sprint(targetUserUid),
targetUser, targetUser,
@ -428,12 +430,6 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe
} }
} }
logrus.Debugf("Removing password for user %s", targetUser)
if err := shell.Run("passwd", nil, nil, nil, "--delete", targetUser); err != nil {
return fmt.Errorf("failed to remove password for user %s: %w", targetUser, err)
}
logrus.Debug("Removing password for user root") logrus.Debug("Removing password for user root")
if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil { if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil {
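Review bot: The bare `"--password", ""` pair added to the useradd and usermod argument lists is easy to misread as a placeholder and needs a comment at both call sites. useradd(8) and usermod(8) take this argument as the already-encrypted password field, so an empty value leaves the account with an empty hash, which is the same password-less state that the removed `passwd --delete` call produced. I would add `// An empty --password leaves the shadow entry without a hash, so the user has no password; this replaces the former passwd --delete call.` above each pair. The removed `logrus.Debugf("Removing password for user %s", targetUser)` also means the debug log no longer records this step for the target user, although it still does for root, so consider saying so in a debug line near the useradd/usermod calls. configureUsers starts and ends outside these hunks.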