The modes of mail spool directories change depending on if acct-group/mail was installed at the time of user creation. This is due to an intentional runtime check to support the mail group:

https://github.com/shadow-maint/shadow/blob/master/src/useradd.c#L2311-L2320

Since not much depends on acct-group/mail, early users on a minimal system will have 0600 mail spools, while users created after installing something that depends on it (e.g. Emacs) will have 0660.

I'm opening this as a feature request to suggest an unconditional RDEPEND="acct-group/mail" on sys-apps/shadow to fix this inconsistency, since the mail group is considered a base system group included by default in other distros (Fedora, Arch, etc.).

Reproducible: Always
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f065b54fc2420c72d1d248b6a96c52c81f00d141

commit f065b54fc2420c72d1d248b6a96c52c81f00d141
Author: David Michael <fedora.dm0@gmail.com>
AuthorDate: 2020-09-03 12:28:25 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-09-07 20:43:57 +0000

sys-apps/shadow: require the mail group at runtime

Closes: https://bugs.gentoo.org/720948
Package-Manager: Portage-3.0.4, Repoman-2.3.23
Signed-off-by: David Michael <fedora.dm0@gmail.com>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

sys-apps/shadow/shadow-4.8-r5.ebuild | 1 +
sys-apps/shadow/shadow-4.8.1-r3.ebuild | 1 +
2 files changed, 2 insertions(+)
Hekki
Hello, there is a problem with this commit. "sys-apps/shadow" provides /usr/sbin/groupadd, which is required for "acct-group/mail". This dependency is circular. A system without "sys-apps/shadow" is not able to install "acct-group/mail":

>>> Merging acct-group/mail-0 to /
 * Adding group 'mail' to your system ...
 * - Groupid: 12
/var/tmp/portage/acct-group/mail-0/temp/environment: line 625: groupadd: command not found
 * ERROR: acct-group/mail-0::gentoo failed (preinst phase):
 * (no error message)
 *
 * Call stack:
 * ebuild.sh, line 125: Called pkg_preinst
 * environment, line 971: Called acct-group_pkg_preinst
 * environment, line 273: Called enewgroup 'mail' '12'
 * environment, line 625: Called die
 * The specific snippet of code:
 * groupadd -r ${opts} "${egroup}" || die

Please add a condition that will allow resolving the circular dependency. I think the right solution will be to add something like a "shadow" use that will force "acct-group" not to try creating the user and group.
Solution for now: cross compile shadow before using portage.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eee1262e647de4719dfadb1ff93ca0b4c6476feb

commit eee1262e647de4719dfadb1ff93ca0b4c6476feb
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-09-08 15:12:02 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-09-08 15:12:02 +0000

Revert "sys-apps/shadow: require the mail group at runtime"

The acct-{user,group} eclasses call useradd and groupadd to create users and groups. This is essentially a circular dependency that needs to be resolved somehow.

Bug: https://bugs.gentoo.org/720948
Reverts: f065b54fc2420c72d1d248b6a96c52c81f00d141
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

sys-apps/shadow/shadow-4.8-r5.ebuild | 1 -
sys-apps/shadow/shadow-4.8.1-r3.ebuild | 1 -
2 files changed, 2 deletions(-)
This solution looks fine, thank you.
This does not sound correct to me at all. If we only care about users' spools (do I understand you correctly?), why are we in need of creating a dependency resolution mess if we can modify /etc/default/useradd?
The issue is mail spools being created inconsistently because acct-group/mail is only installed by unexpected packages. The mail group won't have access to spool files for users created before something like Emacs is installed which depends on acct-group/mail (for some configurations). The useradd command is what looks for the mail group when creating spool files, so having sys-apps/shadow PDEPEND on it sounds reasonably correct to me. What setting in /etc/default/useradd affects this?
(In reply to David Michael from comment #8)
> The issue is mail spools being created inconsistently because
> acct-group/mail is only installed by unexpected packages. The mail group
> won't have access to spool files for users created before something like
> Emacs is installed which depends on acct-group/mail (for some
> configurations).
>
> The useradd command is what looks for the mail group when creating spool
> files, so having sys-apps/shadow PDEPEND on it sounds reasonably correct to
> me. What setting in /etc/default/useradd affects this?

No, your logic is incorrect, let me explain:

1.) we have the default mail spool path shadow respects

~ % grep "/var/spool/mail" /etc/login.defs
MAIL_DIR /var/spool/mai

2.) In the meantime, the directory itself belongs to:

~ % equery b /var/spool/mail
 * Searching for /var/spool/mail ...
acct-user/mail-0 (/var/spool/mail)
acct-user/postmaster-0 (/var/spool/mail)

3.) useradd will create a mail spool file only if:
a.) the /var/spool/mail directory existed before a useradd call (useradd itself does not create the directory)
b.) the option CREATE_MAIL_SPOOL in /etc/default/useradd is explicitly set to yes.

In Gentoo we are shipping our own useradd config with this option being disabled (simply not being enabled). As a result useradd does not create spool files at all.

All of the above means that the change you are proposing is incorrect.
If your point boils down to that you think /var/spool/mail can only exist from installing acct-group/mail, then that explains our difference. My systems first boot after provisioning with a blank /var, and I have tmpfiles create the FHS layout (and whatever else Gentoo needs but doesn't create like /var/empty). So I do have the /var/spool/mail directory while nothing installs acct-group/mail.
(In reply to David Michael from comment #10)
> If your point boils down to that you think /var/spool/mail can only exist
> from installing acct-group/mail, then that explains our difference. My
> systems first boot after provisioning with a blank /var, and I have tmpfiles
> create the FHS layout (and whatever else Gentoo needs but doesn't create
> like /var/empty). So I do have the /var/spool/mail directory while nothing
> installs acct-group/mail.

Nobody prevents you from having a pretty custom installation, that is ok, the point is it has nothing to do with shadow.
I wouldn't really call this "invalid"; we do have some automagic behavior here. It seems like there really should be a config option to allow the sysadmin to control the group assigned to new spool directories. Changing to WONTFIX instead.
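
An added example, not part of the bug thread and not code from shadow or Gentoo: a shell check that sorts spool files into the two outcomes described in the report (0600 without the mail group, 0660 with it), so an admin can see which users' spools the mail group cannot access. The function names, the output format, the "run" argument and the sample directory are assumptions of this example; it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Usage: audit_spools DIR MAIL_GID
# Prints one line per regular file in DIR: "<status> <mode> <gid> <name>"
audit_spools() {
    dir=$1
    mail_gid=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip subdirectories and an unmatched glob
        mode=$(stat -c %a "$f")        # octal permission bits
        gid=$(stat -c %g "$f")         # numeric group owner
        if [ "$mode" = 660 ] && [ "$gid" = "$mail_gid" ]; then
            status=group-mail          # the 0660 case from the report
        elif [ "$mode" = 600 ]; then
            status=owner-only          # the 0600 case from the report
        else
            status=other               # changed later or created by another tool
        fi
        printf '%s %s %s %s\n' "$status" "$mode" "$gid" "${f##*/}"
    done
}

# Number of spool files that are not in the group-mail state.
count_not_group_mail() {
    audit_spools "$1" "$2" | awk '$1 != "group-mail" { n++ } END { print n + 0 }'
}

# Constructed sample standing in for /var/spool/mail: two empty spools in a
# temp dir. The caller's own gid stands in for the mail group's gid.
make_sample_spool() {
    d=$(mktemp -d)
    : > "$d/alice"; chmod 600 "$d/alice"
    : > "$d/bob";   chmod 660 "$d/bob"
    printf '%s\n' "$d"
}

# "run [DIR]" audits a real spool directory (default /var/spool/mail).
if [ "${1:-}" = run ]; then
    real_gid=$(getent group mail | cut -d: -f3)
    # If the mail group does not exist, no file can be group-mail.
    audit_spools "${2:-/var/spool/mail}" "${real_gid:-none}"
fi
```

Files reported as `owner-only` can be brought in line with `chgrp mail` and `chmod 660` once the mail group exists, if group access is what the site wants.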