Open qiaoleiatms opened 5 months ago
The options that Debian uses to build shadow are different from yours. That might have an effect on the results.
$ git checkout debian/1%4.8.1-2
Previous HEAD position was d906ecd3 New upstream version 4.8.1
HEAD is now at be18f1bb Update changelog
$ grepc -h -xmk -tv DEB_CONFIGURE_EXTRA_FLAGS debian/rules
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
--without-libcrack \
--mandir=/usr/share/man \
--with-libpam \
--enable-shadowgrp \
--enable-man \
--disable-account-tools-setuid \
--with-group-name-max-length=32 \
--without-acl \
--without-attr \
--without-su \
--without-tcb \
SHELL=/bin/sh
BTW,
RUN git pull && git checkout $SHADOW_VERSION
That line doesn't make much sense, IMO. You probably want to git fetch instead of git pull.
And also see the warning it produces:
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint:
hint: git config pull.rebase false # merge (the default strategy)
hint: git config pull.rebase true # rebase
hint: git config pull.ff only # fast-forward only
hint:
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
Problem statement
We're using rootlesskit with Debian bullseye and bookworm right now, and found:
rootlesskit bash
How to reproduce
ARG ROOTLESSKIT_VERSION=v1.0.1
ARG SHADOW_VERSION=4.8.1
USER root
# download and install file package
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        curl \
        ca-certificates \
        gzip \
        git \
        libltdl-dev \
        pkg-config \
        libcap2-bin \
        uidmap \
        autoconf \
        autopoint \
        libtool \
        automake \
        make \
        bison \
        gettext \
        gcc \
        libcap-dev \
        libbsd-dev \
    ; \
    rm -rf /var/lib/apt/lists/*
RUN git clone https://github.com/shadow-maint/shadow.git /shadow
WORKDIR /shadow
RUN git pull && git checkout $SHADOW_VERSION
RUN ./autogen.sh \
--disable-man \
--disable-account-tools-setuid \
--disable-nls \
--enable-lastlog \
--without-audit \
--with-libpam \
--without-selinux \
--without-acl \
--without-attr \
--without-tcb \
--with-yescrypt \
--without-nscd \
--without-group-name-max-length \
--with-fcaps && \
make && \
cp src/newuidmap src/newgidmap /usr/bin
RUN chmod u+s /usr/bin/newuidmap
RUN chmod u+s /usr/bin/newgidmap
RUN curl -SsLf "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz" | tar Cxzv /usr/bin
RUN useradd cnb
USER 1000:1000
ENTRYPOINT ["rootlesskit", "bash"]
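
The comparison suggested in the first comment, as an added example (not code from the issue or from the shadow project): it normalizes Debian's DEB_CONFIGURE_EXTRA_FLAGS and the ./autogen.sh options from the Dockerfile, both copied from this page, and lists every feature that the two builds set differently. The function names normalize and flag_diff are made up for this example.

```shell
#!/bin/sh
# Added example: compare two sets of ./configure options for shadow.
# Both lists are copied from this page; SHELL=/bin/sh is left out because it
# is a variable assignment, not an option.
DEBIAN_FLAGS='--disable-shared --without-libcrack --mandir=/usr/share/man
--with-libpam --enable-shadowgrp --enable-man --disable-account-tools-setuid
--with-group-name-max-length=32 --without-acl --without-attr --without-su
--without-tcb'
REPORT_FLAGS='--disable-man --disable-account-tools-setuid --disable-nls
--enable-lastlog --without-audit --with-libpam --without-selinux --without-acl
--without-attr --without-tcb --with-yescrypt --without-nscd
--without-group-name-max-length --with-fcaps'

# Turn each option into "feature value": --enable-x/--with-x -> "x yes",
# --disable-x/--without-x -> "x no", --with-x=V or --x=V -> "x V".
normalize() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed -E \
        -e '/^$/d' \
        -e 's/^--(enable|with)-([^=]+)=(.*)$/\2 \3/' \
        -e 's/^--(enable|with)-([^=]+)$/\2 yes/' \
        -e 's/^--(disable|without)-([^=]+)$/\2 no/' \
        -e 's/^--([^=]+)=(.*)$/\1 \2/'
}

# Print "feature<TAB>first<TAB>second" for every feature whose setting differs.
# "-" means the option was not passed, so the configure default applies.
flag_diff() {
    { normalize "$1" | sed 's/^/A /'; normalize "$2" | sed 's/^/B /'; } |
    awk '
        { seen[$2] = 1 }
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END {
            for (f in seen) {
                x = (f in a) ? a[f] : "-"
                y = (f in b) ? b[f] : "-"
                if (x != y) printf "%s\t%s\t%s\n", f, x, y
            }
        }' | LC_ALL=C sort
}

# Column 2 is the Debian build, column 3 is the Dockerfile build.
flag_diff "$DEBIAN_FLAGS" "$REPORT_FLAGS"
```

Options that appear in only one list, such as fcaps, su and shadowgrp, show up with "-" on the other side, which makes it easy to see which build relies on a configure default.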