lint: Add a sysusers lint

[cgwalters]

tmpfiles: Drop an unused file

This was a copy-pasteo.

Signed-off-by: Colin Walters walters@verbum.org

---

hack: Add missing sysusers.d entry for sudo

TODO add this to the base image

Signed-off-by: Colin Walters walters@verbum.org

---

sysusers: New stub crate

Signed-off-by: Colin Walters walters@verbum.org

---

sysusers: Import nameservice code from rpm-ostree

This imports the code from
https://github.com/coreos/rpm-ostree/tree/main/rust/src/nameservice
as of commit
coreos/rpm-ostree@e1d43ae

Signed-off-by: Colin Walters walters@verbum.org

---

sysusers: Add analysis support

Signed-off-by: Colin Walters walters@verbum.org

---

lint: Add a sysusers lint

This is not exhaustive yet, but catches things that invoke
useradd (whether a dpkg/rpm %post or just a plain RUN useradd in a container)
that don't have a sysusers.d entry.

Signed-off-by: Colin Walters walters@verbum.org

---

[cgwalters]

OK here's an initial pass at a sysusers analysis. And of course it turns out our default c9s base image has a missing one:

[2/2] STEP 10/10: RUN bootc container lint --fatal-warnings
Lint warning: sysusers: Found /etc/group entry without corresponding systemd sysusers.d:
  "sudo"

I need to dig in to that one...

But here's a better demo showing both tmpfiles.d and sysusers.d lints working together:

$ cat Dockerfile
FROM localhost/bootc
RUN <<EORUN
set -xeuo pipefail
useradd someuser
groupadd someothergroup
bootc container lint
EORUN
$ podman build -t localhost/test .
STEP 1/2: FROM localhost/bootc
STEP 2/2: RUN <<EORUN (set -xeuo pipefail...)
+ useradd someuser
Creating mailbox file: No such file or directory
+ groupadd someothergroup
+ bootc container lint
Lint warning: sysusers: Found /etc/passwd entry without corresponding systemd sysusers.d:
  someuser
Found /etc/group entry without corresponding systemd sysusers.d:
  "someothergroup"
  "someuser"

Lint warning: var-tmpfiles: Found content in /var missing systemd tmpfiles.d entries:
  d /var/home/someuser 0700 someuser someuser - -
Found non-directory/non-symlink files in /var:
  "var/home/someuser/.bash_profile"
  "var/home/someuser/.bash_logout"
  "var/home/someuser/.bashrc"

Checks passed: 8
Checks skipped: 1
Warnings: 2
COMMIT localhost/test
--> 7f5dbb635478
Successfully tagged localhost/test:latest

[cgwalters]

There's quite a bit more here; a big thing we need to lint against is the case of floating users that own files in the image.

[cgwalters]

Lint warning: sysusers: Found /etc/group entry without corresponding systemd sysusers.d:
"sudo"

Wow. Some archaeology with git log -S sudo in fedora-coreos-config quickly turns up this commit:

coreos/fedora-coreos-config@685f213

So yeah we've just been cargo culting this thing forward because Container Linux had it, it doesn't exist by default in other Fedora derivatives AFAICS...

Edit: Filed https://gitlab.com/fedora/bootc/base-images/-/issues/41

[cgwalters]

I think we can merge this one but the downside here is it will emit a warning on the current base image until we merge https://gitlab.com/fedora/bootc/base-images/-/merge_requests/94

[jmarrero]

lgtm