This is basically a brain dump of my thoughts on managing system groups on Ubuntu Core systems, so it doesn’t get lost if I close the tabs.
Currently it is not possible to add users to system groups on Ubuntu Core systems. There are a number of use cases where it would be nice to change this:
- The default configuration of tools like `polkitd` uses membership of the `sudo` group to identify administrator users. Currently `snap create-user` works around this by adding configuration to `/etc/sudoers.d`, but that only helps
- Non-root access to the docker daemon requires membership of the `docker` group (core20 bug #72).
- Membership of the `dialout` group gives access to serial ports (ref).
- Membership of the `kvm` group gives access to the `/dev/kvm` device for hardware virtualisation.
The Status Quo
Currently Ubuntu Core desktops configure the nameservice switch to consult two user/group databases:
```
passwd:  files extrausers
group:   files extrausers
shadow:  files extrausers
gshadow: files
```
The backends are consulted in the order listed in the configuration file. The `files` NSS backend reads the databases stored in `/etc`, which are read only on Ubuntu Core systems. The `extrausers` backend is similar but reads databases from `/var/lib/extrausers`, which is writable on Ubuntu Core. The `extrausers` backend includes a check to make sure IDs are >= 500, on the basis that it should not be used to define system users and groups.
Some of the tools from `shadow-utils` have been patched to allow managing users and groups in `/var/lib/extrausers`, but it is a bit spotty.
The membership of a group is declared in its `group` database entry. This means that membership of groups declared in `/etc/group` is effectively fixed.
core20 PR #82 was an attempt to fix the docker group by moving it to the extrausers database, but was ineffective because the IDs are less than 500. Furthermore, removing users and groups from the `/etc` databases is problematic if we want Ubuntu Core devices to be able to migrate forward to new UC releases: there might be files on disk using the removed uids/gids.
A Possible Solution
Glibc 2.24 introduced a new group merging feature:
Through the use of the `[SUCCESS=merge]` directive, this allows the results of two or more group backends to be merged to produce a `getgrgid` result. The main use case for this was to allow extending system groups via LDAP, but it has also been used by `systemd-homed` to include group memberships in a user record.
It looks like it would be fairly easy to integrate into an Ubuntu Core system:
- Update the `/etc/nsswitch.conf` configuration for the group database:

  ```
  group: files [SUCCESS=merge] extrausers
  ```

- Patch nss-extrausers to not ignore low ID groups.
- Patch shadow-utils to allow modification of system group membership by creating a new record in `/var/lib/extrausers/group` with the same name and ID as found in
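As an added illustration (not code from this page, glibc or nss-extrausers), the following Python simulation models how the `files` then `extrausers` lookup order resolves a group with and without `[SUCCESS=merge]`, including the nss-extrausers 500 cutoff that defeated core20 PR #82 and what the patched backend would return. The merge rule (same name and gid, extra members appended) is my reading of glibc's behaviour, and the sample group databases and the docker gid of 118 are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample databases (not copied from any real system).
# docker's gid of 118 is a made-up value below nss-extrausers' 500 cutoff.
FILES_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:118:
"""
EXTRAUSERS_GROUP = """\
sudo:x:27:alice
docker:x:118:alice
developers:x:1001:alice,bob
"""

@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)

def parse_group_db(text: str) -> dict:
    """Parse /etc/group-style records (name:password:gid:member,...) keyed by gid."""
    db = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            db[int(gid)] = Group(name, int(gid), [m for m in members.split(",") if m])
    return db

def getgrgid(gid: int, files_db: dict, extra_db: dict,
             merge: bool, extrausers_min_id: int = 500) -> Optional[Group]:
    """Resolve gid as 'group: files [SUCCESS=merge] extrausers' (merge=True) or as
    plain 'group: files extrausers' (merge=False). extrausers_min_id models the
    nss-extrausers refusal to serve IDs below 500; pass 0 to model the patched backend."""
    result = files_db.get(gid)
    if result is not None and not merge:
        return result  # first SUCCESS ends the lookup
    extra = extra_db.get(gid)
    if extra is not None and extra.gid < extrausers_min_id:
        extra = None  # nss-extrausers answers NOTFOUND for a low ID
    if result is None:
        return extra
    if extra is None or extra.name != result.name:
        return result  # glibc only merges records with the same name and gid
    merged = Group(result.name, result.gid, list(result.members))
    merged.members += [m for m in extra.members if m not in merged.members]
    return merged
```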
The main challenges are:
- Ubuntu 16.04 shipped with glibc 2.23. If we want this to work on Ubuntu Core 16 systems, then the `[SUCCESS=merge]` feature would need to be back-ported.
- `libnss-extrausers` was orphaned upstream in September 2016. If this forms an important part of an Ubuntu Core system and we need to make changes, it would be worth addressing the maintenance question. Its source code repo did not get migrated with Debian's move to Gitlab, but an archive can be found here.