many: do not use nss when looking up for users/groups from snapd snap

[valentindavid]

Depends on #13370

When snapd runs as a snap, it has its own runtime. This may not have NSS plugins needed for the host. For example to get users from AD/LDAP/Kerberos, or systemd-homed, or custom user databses. In general we can use tag osusergo to make go not to use the local configuration (i.e. /etc/nsswitch.conf), however, even if it is fine for most databases, we really need users and groups to be resolved with the host configuration.

To be able to load correctly plugins, we expect the host system to provide getent. And we query passwd and group databases through this command.

In the future we should connect the systemd-userdb if it is running and use getent only as fallback.

[bboozzoo]

since we're doing what bufio.Scanner would do, but less efficiently, we should use scanner here (and in lookupExtraUser)

[bboozzoo]

bytes.TrimSpace() before?

[valentindavid]

I do not think this is allowed.

[bboozzoo]

this could probably be in a callback, eg func(line []byte) error, so that you can share the code reading the file between group/user since processing is identical for the both, eg.

var extrausersGroup = "/var/lib/extrausers/group"

func lookupExtraGroup(group string) (gr *Group, err error) {
	gb := []byte(group)
	err = processPasswdFile(extrausersGroup, func(line []byte) error {
		components := strings.SplitN(line, []byte(":"), 4)
		if bytes.Equal(components[0], gb) {
			gr = &Group{
				Name: string(components[0]),
				Gid: string(components[2]),
			}
			// we're done
			return io.EOF
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	return gr, nil
}

[valentindavid]

This branch depends on #13517 to be properly tested.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.74%. Comparing base (ea13a33) to head (b9df3a3).
Report is 37 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #13776      +/-   ##
==========================================
+ Coverage   78.73%   78.74%   +0.01%     
==========================================
  Files        1055     1061       +6     
  Lines      138275   139197     +922     
==========================================
+ Hits       108866   109609     +743     
- Misses      22588    22736     +148     
- Partials     6821     6852      +31     

Flag	Coverage Δ
unittests	78.74% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bboozzoo]

btw. perhaps we could prevent from os/user being imported by our code, there's a depguard linter we could configure in golangci-lint: https://golangci-lint.run/usage/linters/#depguard

[valentindavid]

I have not done this one...

[bboozzoo]

osuser ?

[valentindavid]

"orig" for "original"

[zyga]

Nitpick, I would also prefer osuser for simplicity.

[bboozzoo]

hm I'm slightly uneasy with the caller needing to know the index here, what if we had:

type matcher func() (index int, value string)

func lookupUserFromGetent(match matcher) (*User, error) {
	index, value := match()
	...
}

// and relevant matchers
func userMatch(name string) matcher { 
	return func() (int, string) { return 0, name }
}

func uidMatch(uid int) (int string) matcher {
	return func() (int, string) { return 2, strconv.Itoa(uid) }
}

func groupMatch (name string) matcher {
	return func() (int, string) { return 0, name }
}

and the the actual call:

u, err := lookupUserFromGetent(userMatch("foo"))
// or 
u, err := lookupUserFromGetent(uidMatch(os.Geteuid()))

[valentindavid]

Sure that sounds fine. I did not want to over engineer it because we are not really going to even add more stuff in there. But this does not seem to be a complex design. I will try it.

[valentindavid]

I will push a fix. I have made 2 different matcher types. Even though they do the same, in theory they do not make sense when used to the wrong function.

[bboozzoo]

github.com/godbus/dbus seems to call user.Current() a couple of times in some fallback paths:

vendor/github.com/godbus/dbus/conn_other.go
80:     if currentUser, err := user.Current(); err != nil {

vendor/github.com/godbus/dbus/homedir_dynamic.go
10:     u, err := user.Current()

which could be incorrect with osusergo. Perhaps we should still pack libnss-extrausers to handle this edge case but make sure our code is using the osutil wrapper?

[valentindavid]

For the cases where HOME environment variable is not defined? I wonder what weird cases exist without it.

[valentindavid]

Those cases should work. One is for the home dir, and if HOME defined it should work. Which should be 99.99% cases.

The other case is to get the uid, which should work correct in osusergo. It is just os.Getuid

[zyga]

Marking as requested changes since the numeric / digit code looks wrong.

Separately, I really wish Go had a way to do this globally without the developer being really careful not to import the other package. I wonder what else might be using os/user internally in Go? Do we know?

[zyga]

Do you think we should dispaly the error code here?

Alternatively if we don't capture stderr we could just return fmt.Errorf("... : %w", err) here:

type ExitError struct {
	*os.ProcessState

	// Stderr holds a subset of the standard error output from the
	// Cmd.Output method if standard error was not otherwise being
	// collected.
	//
	// If the error output is long, Stderr may contain only a prefix
	// and suffix of the output, with the middle replaced with
	// text about the number of omitted bytes.
	//
	// Stderr is provided for debugging, for inclusion in error messages.
	// Users with other needs should redirect Cmd.Stderr as needed.
	Stderr []byte
}

[zyga]

I don't think we want to use this. This will return true for roman numerals, fractions and other weird stuff: https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/unicode/digit.go

Separately this is a misnomer. Unicode has deifnitions for digits and number that are different. There's also unicode.IsNumber which we are not calling here.

[bboozzoo]

I don't think it's a big issue if we simply check that c >= '0' && c <= '9'?

[valentindavid]

This is what I have changed to.

[zyga]

Nitpick, I would also prefer osuser for simplicity.

[ernestl]

We might need this in coming release. Added milestone 2.66 to track it.
For detail discuss with @valentindavid.

[zyga]

LGTM with small nitpicks on pass-by-value and use of errors.As

[zyga]

Can you link to a spec number or this PR perhaps?

[zyga]

I think this should be errors.As technically.

[zyga]

You can drop the else and unindent the return

[zyga]

Nitpick, this can be passed by value

[zyga]

Same

[zyga]

By value

[zyga]

By value

[zyga]

Same

[zyga]

My value

[zyga]

Nitpick: type ( ... ) perhaps?

[bboozzoo]

LGTM

[bboozzoo]

thanks for this

[bboozzoo]

Suggested change

	exitError, isExitError := err.(*exec.ExitError)
	if isExitError {
	return nil, fmt.Errorf("getent returned an error: %q", exitError.Stderr)
	} else {
	return nil, fmt.Errorf("getent could not be executed: %w", err)
	}
	var exitError *exec.ExitError
	if errors.As(err, &exitError) {
	return nil, fmt.Errorf("getent returned an error: %q", exitError.Stderr)
	} else {
	return nil, fmt.Errorf("getent could not be executed: %w", err)
	}

[bboozzoo]

hm not sure about the build tag, maybe @pedronis has an opinion about it

I would try something more specific, eg snapdusergo ?

[valentindavid]

I have renamed it.