
#1 2021-06-27 13:42:58

gnarflord
Member
Registered: 2021-06-27
Posts: 1

Fixing /etc/group to match static GID database

Hey hey,

Disclaimer: My system has a bit of history starting as a Gentoo installation a few years ago and was at some point converted to an Arch installation, carrying a few specific configurations from its old life. I know this is stupid (tm) and not supported but I did it anyways cause I'm a terrible sysadmin. Just wanted to get this out of the way.

Today I stumbled across an error message from polkit:

Error opening rules directory: Error opening directory “/usr/share/polkit-1/rules.d”: Permission denied (g-file-error-quark, 2)
$ la /etc/polkit-1
drwxr-x--- 2 root netdev 4.0K Jun  3 16:37 rules.d

Oh no... netdev is a group added by Gentoo but even after removing and reinstalling polkit the permissions stay the same. So let's take a look at my UIDs/GIDs:

$ grep polkit /etc/group
polkitd:x:239:
proc:x:980:polkitd
$ grep polkit /etc/passwd
polkitd:x:109:239:added by portage for polkit:/var/lib/polkit-1:/sbin/nologin

So in a previous life polkit was installed by portage under UID: 239 and GID: 109, though according to the Arch Wiki UID/GID Database it's supposed to have UID: 102 and GID: 102

Now, taking a look at the polkit PKGBUILD reveals the issue:

[...]
  install -d -o root -g 102 -m 750 "$pkgdir"/{etc,usr/share}/polkit-1/rules.d
[...]

So the installer simply sets the group owner to GID 102, which should match the static entry for polkitd. But on my system 102 is already taken by netdev.

I kinda feared that my careless "I'll just copy 'em configs over there, no worries" was gonna bite me one day. But I have two questions:

1.
The whole static UID/GID thing seems to be quite loosely defined, the wiki database mentions it's only a first attempt at standardizing the whole mess.
Should an installer or PKGBUILD rely upon the GID matching this table? Why not simply use `-g polkitd` instead of `-g 102`?

2.
I'm currently torn between re-installing the whole system (which would be a shame) and pulling the cart out of the mud. My current strategy is to find all mismatches between my /etc/group and the static GID database, changing the entries manually and then running something like this for every mismatch:

# find / -uid 239 -exec chown -v -h 102 '{}' \;
# find / -gid 109 -exec chgrp -v 102 '{}' \;

This should find all files and directories matching one ID and assign them a new one.
Now there's a chance I'll have to swap IDs. For example user A has ID 42 but should have 43 and user B has ID 43 but should have 42, in which case I'll have to assign all of A's stuff to a temporary ID, move B's stuff to 42 and then move everything from temp to 43. I guess this could get arbitrarily complex, requiring advanced graph theory and other magic words. A quick glance revealed a dozen or so mismatches, I have yet to go carefully through the whole list.

Now, knowing me I'll probably break more stuff than I'll fix so I wanted to know if someone knows a better way of approaching this? I'll probably do this after a full backup and from a live-system to avoid processes running with their old UID complaining.

Regards
gnarf
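
An added example (not part of the thread and not Arch tooling): one way to sidestep the swap problem described in the post above is to walk the tree once and map each inode's owner through a table, instead of running one find per ID. The function name `remap_tree` and the sample IDs are assumptions for illustration, and it defaults to a dry run.

```python
import os
import stat
import tempfile

def remap_tree(root, uid_map, gid_map, dry_run=True):
    """Remap owners under root in ONE pass; returns the list of changes.

    Each inode is read once and mapped old -> new, so swaps such as
    {42: 43, 43: 42} need no temporary ID.
    """
    seen, changes = set(), []
    root_dev = os.lstat(root).st_dev

    def visit(path):
        st = os.lstat(path)                      # never follow symlinks
        key = (st.st_dev, st.st_ino)
        # Skip other filesystems (like find -xdev) and inodes already handled:
        # a second hard link would otherwise be mapped twice and swap back.
        if st.st_dev != root_dev or key in seen:
            return False
        seen.add(key)
        new_uid = uid_map.get(st.st_uid, st.st_uid)
        new_gid = gid_map.get(st.st_gid, st.st_gid)
        if (new_uid, new_gid) != (st.st_uid, st.st_gid):
            changes.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
            if not dry_run:
                os.lchown(path, new_uid, new_gid)
                if not stat.S_ISLNK(st.st_mode):
                    # chown clears setuid/setgid bits; put the old mode back
                    os.chmod(path, stat.S_IMODE(st.st_mode))
        return True

    visit(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            visit(os.path.join(dirpath, name))
        # Prune directories that were skipped so os.walk does not descend
        dirnames[:] = [d for d in dirnames if visit(os.path.join(dirpath, d))]
    return changes

if __name__ == "__main__":
    # Constructed demo tree; the target ID 102 is only a sample value.
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "a"), "w").close()
        os.link(os.path.join(tmp, "a"), os.path.join(tmp, "b"))   # hard link
        me = os.lstat(tmp).st_uid
        for change in remap_tree(tmp, {me: 102}, {}):
            print(change)
```

POSIX ACL entries and files on other filesystems are not touched by this pass and need separate handling.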


#2 2021-06-28 11:38:33

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: Fixing /etc/group to match static GID database

> Now, taking a look at the polkit PKGBUILD reveals the issue:

Wrong, you didn't get the whole picture.

  install -d -o root -g 102 -m 750 "$pkgdir"/{etc,usr/share}/polkit-1/rules.d

  install -Dm644 /dev/stdin "$pkgdir/usr/lib/sysusers.d/$pkgname.conf" <<END
u polkitd 102 "PolicyKit daemon"
m polkitd proc
END

Polkit install uses sysusers to reserve 102 for itself.


> Why not simply use `-g polkitd` instead of `-g 102`?

Because the PKGBUILD has no idea if polkitd even exists at install time.



I suggest you remove netdev or make sure it uses systemd-sysusers to get a gid.

https://wiki.archlinux.org/title/Users_and_groups#User_database wrote:

Warning: Arch Linux defaults of the files are created as .pacnew files by new releases of the filesystem package. Unless Pacman outputs related messages for action, these .pacnew files can, and should, be disregarded/removed. New required default users and groups are added or re-added as needed by systemd-sysusers(8) or the package install script.

emphasis by me.

Last edited by Lone_Wolf (2021-06-28 11:38:55)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)
