Marcin Trendota
2018-Sep-04 11:26 UTC
[CentOS] Change password and add user on RO filesystem
Hi everyone,

I'm trying to create a system with a RO root filesystem, so I'm using /etc/sysconfig/readonly-root along with /etc/rwtab and /etc/statetab.

Apart from numerous problems with services running on a RO filesystem (which I'm constantly resolving by adding entries to /etc/statetab), one thing popped up. I'm unable to add a user or change his password. The error is 'cannot lock /etc/passwd; try again later.'.

After some research it turns out (at least on Fedora, but I assume the same on CentOS) that some files are being created in /etc, for example /etc/shadow.<pid>, and some others with a PID in the name. Obviously that's impossible on a RO filesystem...

Is there any workaround (apart from remounting the whole filesystem RW)?

-- 
Over And Out
MoonWolf
Hello Marcin,

On 2018-09-04, Marcin Trendota <moonwolf.rh at gmail.com> wrote:
>
> I'm trying to create a system with a RO root filesystem, so I'm using
> /etc/sysconfig/readonly-root along with /etc/rwtab and /etc/statetab.
>
> Apart from numerous problems with services running on a RO filesystem (which
> I'm constantly resolving by adding entries to /etc/statetab), one thing
> popped up. I'm unable to add a user or change his password. The error is
> 'cannot lock /etc/passwd; try again later.'.
>
> After some research it turns out (at least on Fedora, but I assume the same on
> CentOS) that some files are being created in /etc, for example /etc/shadow.<pid>,
> and some others with a PID in the name. Obviously that's impossible on a RO
> filesystem...
>
> Is there any workaround (apart from remounting the whole filesystem RW)?

Have you looked at this article?

https://warewolf.github.io/blog/2013/10/12/setting-up-a-read-only-rootfs-fedora-box/

Unfortunately it doesn't really provide a local workaround, but if you have something like LDAP available already that might be a way to go.

If not (and assuming you've added /etc/passwd and friends to /etc/statetab*), one very crude option might be to manipulate the files by hand. For /etc/passwd and /etc/group (if necessary) this is easy, since it's just a plain text file with human-readable text. For /etc/shadow this is slightly more complicated, since you need to generate the password hash. For that you can use mkpasswd:

https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/

Obviously doing this makes adding a user a nonatomic operation, so you need to take care manipulating passwd and shadow in this way. (I don't know if mkpasswd is available from a yum repo, but the included python should be there.)

--keith

-- 
kkeller at wombat.san-francisco.ca.us
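Keith's hand-editing suggestion above, worked through as an added example. This is not code from Keith's reply, from shadow-utils or from CentOS: it is a stand-alone Python script that computes the glibc-style $6$ (SHA-512 crypt) hash itself, so no mkpasswd package is needed, builds the passwd and shadow records, and appends them to the existing files in place. It assumes /etc/passwd and /etc/shadow are already writable state files via /etc/statetab, as Keith assumes; the account names, uids, paths and the fixed salt used for illustration are made up.

```python
"""Added example: hand-build /etc/passwd and /etc/shadow records with a
pure-Python SHA-512 crypt, and append them in place (no temp file, no rename)."""
import hashlib
import os
import time

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha512_crypt(password, salt, rounds=5000):
    """glibc-compatible $6$ hash (Drepper's SHA-crypt); salt is cut to 16 chars.
    Non-default round counts are encoded as $6$rounds=N$ in the prefix."""
    pw, sl = password.encode(), salt[:16].encode()
    rounds = max(1000, min(rounds, 999999999))
    # Digest B = H(pw|salt|pw) is folded into A in a password-length-dependent way.
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl)
    a.update(b * (len(pw) // 64) + b[:len(pw) % 64])
    n = len(pw)
    while n > 0:             # one step per bit of len(pw), LSB first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S are the password and salt stretched through their own digests.
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(sl * (16 + a[0])).digest()
    s = (ds * (len(sl) // 64 + 1))[:len(sl)]
    for i in range(rounds):  # the expensive part: 5000 chained SHA-512s by default
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    # Output: the 64 digest bytes in a fixed permutation, 3 bytes -> 4 chars
    # (low 6 bits first); the last byte alone -> 2 chars; crypt's ./0-9A-Za-z alphabet.
    out = []
    for k in range(21):
        i0 = (22 * k) % 63
        w = (a[i0] << 16) | (a[(i0 + 21) % 63] << 8) | a[(i0 + 42) % 63]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    out.append(_B64[a[63] & 0x3F])
    out.append(_B64[a[63] >> 6])
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + sl.decode() + "$" + "".join(out)


def passwd_line(name, uid, gid, home, shell, gecos=""):
    # "x" in the password field: the hash lives in /etc/shadow only.
    return "%s:x:%d:%d:%s:%s:%s" % (name, uid, gid, gecos, home, shell)


def shadow_line(name, pw_hash, lastchange=None):
    if lastchange is None:
        lastchange = int(time.time() // 86400)   # days since epoch, as passwd(1) writes
    return "%s:%s:%d:0:99999:7:::" % (name, pw_hash, lastchange)


def user_exists(passwd_path, name):
    with open(passwd_path) as f:
        return any(line.split(":")[0] == name for line in f if line.strip())


def append_in_place(path, line):
    """Append to the existing inode. useradd/passwd instead create path.<pid> and
    rename() it over the target, which is exactly what fails on a read-only /etc
    where passwd/shadow are individually bind-mounted state files."""
    with open(path, "rb+") as f:
        f.seek(0, os.SEEK_END)
        end = f.tell()
        if end:
            f.seek(end - 1)
            if f.read(1) != b"\n":   # repair a missing trailing newline first
                f.write(b"\n")
        f.write(line.encode() + b"\n")
        f.flush()
        os.fsync(f.fileno())


def add_user(name, password, uid, gid, passwd_path, shadow_path,
             home=None, shell="/bin/bash", salt=None):
    """Non-atomic two-file update: passwd first, then shadow, so a crash in between
    leaves an account that cannot log in rather than a hash without an account."""
    if user_exists(passwd_path, name):
        raise ValueError("user %r already exists in %s" % (name, passwd_path))
    if salt is None:
        salt = "".join(_B64[c % 64] for c in os.urandom(16))  # 256 % 64 == 0: unbiased
    pw_hash = sha512_crypt(password, salt)
    append_in_place(passwd_path, passwd_line(name, uid, gid, home or "/home/" + name, shell))
    append_in_place(shadow_path, shadow_line(name, pw_hash))
    return pw_hash
```

Run it as root with the real paths once the files are listed in /etc/statetab, e.g. `add_user("alice", "s3cret", 1001, 1001, "/etc/passwd", "/etc/shadow")`; a matching group line for /etc/group can be appended the same way if the gid is new. The hash function is checked against the first SHA-512 test vector from the SHA-crypt specification, so the output is what `mkpasswd -m sha-512` or glibc's crypt(3) would produce for the same password and salt. Nothing here takes the shadow-utils lock, which is the whole point: the lock file is one of the things that cannot be created in a read-only /etc, so do not run this concurrently with anything else that touches the files.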
Marcin Trendota
2018-Sep-05 06:50 UTC
[CentOS] Change password and add user on RO filesystem
On 05.09.2018 at 07:34, Keith Keller wrote:
>> Is there any workaround (apart from remounting the whole filesystem RW)?
> Have you looked at this article?
> https://warewolf.github.io/blog/2013/10/12/setting-up-a-read-only-rootfs-fedora-box/
> Unfortunately it doesn't really provide a local workaround, but if you
> have something like LDAP available already that might be a way to go.

I'm trying to keep it as simple as I can, so LDAP is the last resort. But I'll consider it.

> If not (and assuming you've added /etc/passwd and friends to
> /etc/statetab*), one very crude option might be to manipulate the files
> by hand. For /etc/passwd and /etc/group (if necessary) this is easy,
> since it's just a plain text file with human-readable text. For
> /etc/shadow this is slightly more complicated, since you need to
> generate the password hash. For that you can use mkpasswd:
> https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
> Obviously doing this makes adding a user a nonatomic operation, so you
> need to take care manipulating passwd and shadow in this way. (I don't
> know if mkpasswd is available from a yum repo, but the included python
> should be there.)

Thanks for the suggestion, I'll give it a try.

> --keith

-- 
Over And Out
MoonWolf