#1012622 crontab gid became unreproducible

Package:
base-passwd
Source:
base-passwd
Description:
Debian base system master password and group files
Submitter:
Johannes Schauer Marin Rodrigues
Date:
2022-06-13 11:33:02 UTC
Severity:
normal
Tags:
#1012622#5
Date:
2022-06-10 13:52:25 UTC
From:
To:
Hi,

with the introduction of the cron-daemon-common package, the group id of
the "crontab" group became unreproducible depending on how the chroot is
created, i.e. whether one uses debootstrap or mmdebstrap. Steps to
reproduce:

    $ cat > script.sh << END
    #!/bin/sh
    set -exu
    ssh -F "$1" qemu mmdebstrap --aptopt=Acquire::Check-Valid-Until\\\ \\\"false\\\" unstable --variant=- - $DEBIAN_BISECT_MIRROR \
    	| tar --to-stdout -x ./etc/group \
    	> group.mm
    ssh -F "$1" qemu debootstrap unstable /tmp/debian-unstable $DEBIAN_BISECT_MIRROR
    ssh -F "$1" qemu cat /tmp/debian-unstable/etc/group > group.debootstrap
    diff -u group.mm group.debootstrap
    END
    $ chmod +x script.sh
    $ debbisect --depends=mmdebstrap,debootstrap,cron --qemu=defaults \
      --cache=./cache --no-find-exact-package 20220608T153059Z 20220608T210836Z ./script.sh
    [...]
    bisection finished successfully
      last good timestamp: 2022-06-08 15:30:59+00:00
      first bad timestamp: 2022-06-08 21:08:36+00:00
    the following packages differ between the last good and first bad timestamp:
      cron 3.0pl1-139 -> 3.0pl1-142
      cron-daemon-common (n.a.) -> 3.0pl1-142
      iproute2 5.17.0-2 -> 5.18.0-1

The output of the failing diff command above with the new cron package
is:

#1012622#10
Date:
2022-06-10 15:58:36 UTC
From:
To:
Dear Josch,

as I am new to this kind of reasoning, please enlighten me.

So far, the package base-passwd is maintaining standard ids for:
 root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy,
 majordom, postgres, www-data, backup, operator, list, irc, gnats,
 nobody, nogroup, messagebus, postfix, gdm, saned, klog, syslog, adm,
 tty, disk, kmem, dialout, dip, fax, voice, cdrom, floppy, tape, sudo,
 audio, src, shadow, utmp, video, plugdev, staff, users, lpadmin, sasl,
 scanner, ssh, sshd, fetchmail, cupsys

The group id 101 for crontab used to be assessed as a consequence of
pseudo-aleatory processes which happen at boot time, so far in the same
order for most use cases.

Is there a rationale to reserve a global static id for crontab?
Is the value 101 precisely important for the the crontab group?

Here are some parts of the filesystem where the group crontab is in use:
--------------------8<------------------------------------------------- $ sudo find /var -group crontab | sudo xargs ls -ld drwx-wx--T 2 root crontab 4096 2 juin 18:33 /var/spool/cron/crontabs -rw------- 1 georgesk crontab 1199 27 avril 14:37 /var/spool/cron/crontabs/georgesk -rw------- 1 root crontab 1292 3 mars 17:31 /var/spool/cron/crontabs/root --------------------8<------------------------------------------------- With the standard settings, members of the crontab group can neither read nor write to individual crontabs. As a consequence, the arguments to add crontab to the list of reservations are rather weak; should the group crontab be considered as more "special" than the group systemd-journal? Should the group systemd-journal deserve also a reserved global gid? Thank you in advance for your feedback. Best regards, Georges. Johannes Schauer Marin Rodrigues a écrit :
#1012622#13
Date:
2022-06-10 18:31:27 UTC
From:
To:
Hi Georges,

Quoting Georges Khaznadar (2022-06-10 17:58:36)

at boot time? That's odd. Isn't the user created as part of a maintainer
script?
statically allocated to id X, then it would not matter which tool was used to
create a chroot nor would it matter in which order apt decided to install
packages. Reproducibly creating the bit-by-bit identical output might seem like
a weak argument to some, but knowing that some bits are always the same and are
not randomly different makes things like tracking down bugs and regressions
much easier and helps to make sure that the chroot I'm building is exactly what
I expect it to be. This again is also a security argument: distributions like
tails or distributors of system images will want to give the user the tools to
rebuild their stuff and let them see that the stuff the user builds is the same
stuff that they distribute -- this makes it harder for malicious third parties
to temper with system images as there can always be third parties that verify
that nothing was tempered with.

Then maybe I misunderstood something. /usr/bin/crontab has the suid bit set for
the group permissions and is owned by the crontab group:

$ ls -ld /usr/bin/crontab
-rwxr-sr-x 1 root crontab 43568 Feb 22  2021 /usr/bin/crontab

Does this not mean that members of the crontab group can run the crontab binary
and thus gain the privileges necessary to edit their crontabs?

Excellent question! So in general, it would be great if there was a declarative
way to allocate user and group ids at installation time, so that different
installation ordering by apt would not lead to different user and group ids.
Alas, we do not have such a mechanism and talking with developers of apt and
dpkg revealed no easy way to create it. If it existed, then yes, I would also
advocate for systemd using it just as apt and cron should to create their users
and groups. In that sense, no, I do not consider crontab to be of a different
importance compared to systemd. But we do not have such a mechanism and thus
I'm looking at the next best way to achieve reproducible uids and gids. That
mechanism is statically allocating a group-id by base-passwd. Why do I approach
you and not systemd? Two reasons:

 - cron was first released in 1975, it is ancient old software and thus well
   established, stable and enjoys wide usage on all platforms -- in contrast to
   systemd which is young
 - I think because cron literally survived nearly half a century it is fair to
   assume it will stay with us for quite a bit longer and adding it to the
   special group of gids will not be unnatural -- I'm not asking to add a tool
   that was written just last year
 - if we have a static gid for cron, then it will not matter anymore that
   systemd is not statically allocated in practice because it will just grab
   the next free gids which at that point will be deterministic and not depend
   on installation order

So yes, due to its age and prevalence I *do* consider cron to be more special
than systemd. I don't know what our next init system will be and maybe we will
stick around with systemd for a while but after 47 years of cron, I think would
not be strange to ask for special treatment.

Thanks!

cheers, josch

#1012622#16
Date:
2022-06-13 08:56:28 UTC
From:
To:
Hello,

Bug #1012622 in base-passwd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/base-passwd/-/commit/5ce77739fb387ba36f7bb75570af63aec038d963
------------------------------------------------------------------------
frozen the group id for crontab, closes: #1012622
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1012622

#1012622#27
Date:
2022-06-13 09:10:12 UTC
From:
To:
Hi Josch,

thank you, you sent me precisely the arguments I wished to read before
asking maintainers of base-passwd to make the next move. The benefits of
reproducible system builds is worth a change!

Best regards,			Georges.

Johannes Schauer Marin Rodrigues a écrit :

#1012622#30
Date:
2022-06-13 09:13:44 UTC
From:
To:
Hi Georges,

Quoting Georges Khaznadar (2022-06-13 10:56:28)

I don't think this is a good solution:

https://salsa.debian.org/debian/base-passwd/-/commit/e1a186baa5cec0ee1ffed6a06344bc2a492c3e3d

I'm putting Colin as the base-passwd maintainer into CC.

Firstly, I don't think you should statically allocate group 101 like this
because that's inside the 100-999 range which is dynamically allocated:

https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes

Secondly, each new group should be documented. Introducing a new group probably
needs documentation in doc/users-and-groups.sgml as it is for example done
here:

https://salsa.debian.org/debian/base-passwd/-/commit/af62feef458e3787bd460a2822d402d5a970b237

Did you discuss this change with Colin? Otherwise, maybe you first want to
revert your changes to not cause any accidental damage. I think Colin needs to
have a say in to whether or not a statically allocated crontab group maintained
by base-passwd is a good idea or not.

Thanks!

cheers, josch

#1012622#35
Date:
2022-06-13 09:27:07 UTC
From:
To:
Hi,
I reassigned bug #1012622 to base-passwd, in order to make constant the
group id for crontab. I believe that the arguments provided by Johannes
Schauer Marin Rodrigues are strong enough to propose a change.

What led to that situation:
I discussed with Christian Kastner about the package cron, which is now
a distant fork of the upstream package known as "vixie cron". The gap is
so wide currently that it becomes difficult to try synchronizing
debian's cron with the last version of "vixie cron", which appears as
dead nowadays. In order to prepare the future, I agreed with Christian
that we should rebase debian's cron on the upstream package cronie,
which is actively maintained by the Fedora community. Such a transition
must be done very carefully, as cron is a package very close to the
trunk of every debian system. The first step is to split the former
package cron into two distinct packages: "cron-daemon-common" and
"cron", the first one providing commons data files, the second one
providing programs. So we will be able to have the package cronie depend
on cron-daemon-common, and provide the feature "cron".

As a side effet, the split of former cron into cron-daemon-common and
cron packages reorders the package configuration, and the gid for the
group crontab is no longer reproducible.

Please find attached the patch which provides a constant id (= 101)
for crontab.
Johannes Schauer Marin Rodrigues a écrit :

#1012622#42
Date:
2022-06-13 09:40:30 UTC
From:
To:
Hello Josch,

thank you for your very fast feedback.

You are right, I shall revert my changes, and put proposed changes
in a separate branch of the git tree, so it will be easier to
cherry-pick them.

Best regards,			Georges.

Johannes Schauer Marin Rodrigues a écrit :

#1012622#47
Date:
2022-06-13 10:15:21 UTC
From:
To:
Correct, I will not accept any new static allocation in that range.
#1012622#52
Date:
2022-06-13 10:27:59 UTC
From:
To:
I'm afraid I am not very convinced by this line of argument; it seems
very weak and circumstantial.  It leaves us in a position where every
package with a user or group that might conceivably end up owning files
in a system image will want to have a static ID, and there will be no
particularly good way to draw distinctions between which ones should and
which ones shouldn't.  The space of available static IDs is large
(60000-64999), but not infinite; I would much rather push back on this
proposal since otherwise there will be no incentive to come up with a
more reasonably-scalable approach.

The cases where I allocate static IDs at present are typically those
where it's important for interoperability that they be the same on all
systems, often situations involving networked filesystems and such.

Why would this be a matter for apt/dpkg, rather than for adduser?  Yes,
there have been various conversations about doing declarative user/group
creation in dpkg, but at present dynamic system users/groups are created
by adduser.

Couldn't we fairly easily add a configuration file that adduser would
read with preseeded user/group IDs for various names, and have it
preferentially use those IDs if available rather than picking
arbitrarily from the relevant ID namespace?  This certainly seems a lot
easier than adding declarative user/group creation to dpkg.

#1012622#57
Date:
2022-06-13 10:30:51 UTC
From:
To:
Hello,

Bug #1012622 in base-passwd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/base-passwd/-/commit/0145e8a72643a0cabec9689973ae10bf21111028
This reverts commit 5ce77739fb387ba36f7bb75570af63aec038d963.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1012622

#1012622#64
Date:
2022-06-13 10:33:13 UTC
From:
To:
I'm quite unhappy by the mess that you've left in base-passwd git
master, with repeated revert-of-revert type commits *after* this message
from you; I can't really undo those properly because it would involve
rewriting history of a published branch.  Please fix your git config and
don't push to base-passwd master again!

#1012622#67
Date:
2022-06-13 10:58:55 UTC
From:
To:
Hi Colin,

thank you for your quick reply!

Quoting Colin Watson (2022-06-13 12:27:59)

I did not consider this way of solving this problem yet. Partly, because I'd
like to remove the adduser dependency from the apt maintainer script to create
the _apt user -- see #969631.

So you propose to introduce another registry of uid/gid <-> user/group mappings
but not maintained by the base-passwd package but by the adduser package? I
guess this should use the range 100-999, right?

Adding support for default uid/gid numbers to adduser would probably a "quick
fix" but I wonder whether this is the approach we want to use in the long term.
Since there is also https://wiki.debian.org/Teams/Dpkg/Spec/SysUser I'm adding
debian-dpkg@lists.debian.org to the CC.

Thanks!

cheers, josch

#1012622#72
Date:
2022-06-13 11:26:17 UTC
From:
To:
I wasn't suggesting a centrally-maintained registry; that would just
move the limited-namespace problem somewhere else.  My suggestion was
more that adduser could read a file of ID preferences, ignored if the ID
is already taken, which could be used when testing reproducibility of
images.  There should be no need for those preferences to be otherwise
consistent across systems.

#1012622#77
Date:
2022-06-13 11:29:53 UTC
From:
To:
Hi Colin, Josch,

just in case: I pushed my modifications again, but in a separate branch
(branch "crontab") which was forked off from master today, after
previous changes in master were reverted.

The new modifications are :
- reserved gid 47 for group crontab
- added a few lines to the documentation file.

Please feel free to tackle out the new branch if it is useless, and to
close the bug report if it is not relevant now.

Best regards,			Georges.


Johannes Schauer Marin Rodrigues a écrit :