diff options
author | Pádraig Brady <P@draigBrady.com> | 2014-03-03 01:54:36 +0000 |
---|---|---|
committer | Pádraig Brady <P@draigBrady.com> | 2014-03-13 14:07:45 +0000 |
commit | e972be3c4b9ee5c00933e80e2756b4601baf66cc (patch) | |
tree | 5a2b00bd7b65c9d05192c71ed6bdfad84cedda77 /doc | |
parent | 08140ecd48de9a5970992ab284dd11dbd3a0b14d (diff) | |
download | coreutils-e972be3c4b9ee5c00933e80e2756b4601baf66cc.tar.xz |
chroot: improve --userspec and --groups look-up
- Support arbitrary numbers in --groups, consistent with
what is already done for --userspec
- Avoid look-ups entirely for --groups items with a leading '+'
- Support names that are actually numbers in --groups
- Ignore an empty --groups="" option for consistency with --userspec
- Look up both inside and outside the chroot with inside taking
precedence. The look-up outside may load required libraries
to complete the look-up inside the chroot. This can happen for
example with a 32 bit chroot on a 64 bit system, where the
32 bit NSS plugins within the chroot fail to load.
* src/chroot.c (parse_additional_groups): A new function refactored
from set_addition_groups(), to just do the parsing. The actual
setgroups() call is separated out for calling from the chroot later.
(main): Call parse_user_spec() and parse_additional_groups()
both outside and inside the chroot for the reasons outlined above.
* tests/misc/chroot-credentials.sh: Ensure arbitrary numeric IDs
can be specified without causing look-up errors.
* NEWS: Mention the improvements.
* THANKS.in: Add Norihiro Kamae who initially reported the issue
with a proposed patch.
Also thanks to Dmitry V. Levin for his diagnosis and sample patch.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/coreutils.texi | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/doc/coreutils.texi b/doc/coreutils.texi index 7ba8cd4d9..e5e27eb88 100644 --- a/doc/coreutils.texi +++ b/doc/coreutils.texi @@ -221,7 +221,7 @@ Common Options * Block size:: Block size * Floating point:: Floating point number representation * Signal specifications:: Specifying signals -* Disambiguating names and IDs:: chgrp and chown owner and group syntax +* Disambiguating names and IDs:: chgrp, chown, chroot, id: user and group syntax * Random sources:: Sources of random data * Target directory:: Target directory * Trailing slashes:: Trailing slashes @@ -736,7 +736,7 @@ name. * Block size:: BLOCK_SIZE and --block-size, in some programs. * Floating point:: Floating point number representation. * Signal specifications:: Specifying signals using the --signal option. -* Disambiguating names and IDs:: chgrp and chown owner and group syntax +* Disambiguating names and IDs:: chgrp, chown, chroot, id: user and group syntax * Random sources:: --random-source, in some programs. * Target directory:: Specifying a target directory, in some programs. * Trailing slashes:: --strip-trailing-slashes, in some programs. @@ -1135,20 +1135,20 @@ also support at least eight real-time signals called @samp{RTMIN}, @samp{RTMIN+1}, @dots{}, @samp{RTMAX-1}, @samp{RTMAX}. @node Disambiguating names and IDs -@section chown and chgrp: Disambiguating user names and IDs +@section chown, chgrp, chroot, id: Disambiguating user names and IDs @cindex user names, disambiguating @cindex user IDs, disambiguating @cindex group names, disambiguating @cindex group IDs, disambiguating @cindex disambiguating group names and IDs -Since the @var{owner} and @var{group} arguments to @command{chown} and -@command{chgrp} may be specified as names or numeric IDs, there is an +Since the @var{user} and @var{group} arguments to these commands +may be specified as names or numeric IDs, there is an apparent ambiguity. What if a user or group @emph{name} is a string of digits? @footnote{Using a number as a user name is common in some environments.} Should the command interpret it as a user name or as an ID@? -POSIX requires that @command{chown} and @command{chgrp} +POSIX requires that these commands first attempt to resolve the specified string as a name, and only once that fails, then try to interpret it as an ID@. This is troublesome when you want to specify a numeric ID, say 42, @@ -1157,9 +1157,9 @@ and it must work even in a pathological situation where Simply invoking @code{chown 42 F}, will set @file{F}s owner ID to 1000---not what you intended. -GNU @command{chown} and @command{chgrp} provide a way to work around this, -that at the same time may result in a significant performance improvement -by eliminating a database look-up. +GNU @command{chown}, @command{chgrp}, @command{chroot}, and @command{id} +provide a way to work around this, that at the same time may result in a +significant performance improvement by eliminating a database look-up. Simply precede each numeric user ID and/or group ID with a @samp{+}, in order to force its interpretation as an integer: @@ -1169,8 +1169,7 @@ chgrp +$numeric_group_id another-file chown +0:+0 / @end example -GNU @command{chown} and @command{chgrp} -skip the name look-up process for each @samp{+}-prefixed string, +The name look-up process is skipped for each @samp{+}-prefixed string, because a string containing @samp{+} is never a valid user or group name. This syntax is accepted on most common Unix systems, but not on Solaris 10. @@ -14538,8 +14537,9 @@ running it if no user is specified. Synopsis: id [@var{option}]@dots{} [@var{user}] @end example -@var{user} can be either a user ID or a name, with name lookup +@var{user} can be either a user ID or a name, with name look-up taking precedence unless the ID is specified with a leading @samp{+}. +@xref{Disambiguating names and IDs}. @vindex POSIXLY_CORRECT By default, it prints the real user ID, real group ID, effective user ID @@ -16109,6 +16109,13 @@ The items in the list (names or numeric IDs) must be separated by commas. @end table +The user and group name look-up performed by the @option{--userspec} +and @option{--groups} options, is done both outside and inside +the chroot, with successful look-ups inside the chroot taking precedence. +If the specified user or group items are intended to represent a numeric ID, +then a name to ID resolving step is avoided by specifying a leading @samp{+}. +@xref{Disambiguating names and IDs}. + Here are a few tips to help avoid common problems in using chroot. To start with a simple example, make @var{command} refer to a statically linked binary. If you were to use a dynamically linked executable, then |