base-files: add gshadow entry in nsswitch.conf

We encountered a newgrp regression in shadow 4.17.3:
  root@qemux86-64:~# groupadd g1
  root@qemux86-64:~# useradd t1
  root@qemux86-64:~# gpasswd g1
  Changing the password for group g1
  New Password:
  Re-enter new password:
  root@qemux86-64:~# sudo -u t1 newgrp g1
  Password:
  Invalid password.
  root@qemux86-64:~#

In versions prior to shadow 4.17.3, shadow used an internal
implementation to support shadow group because it could not correctly
detect whether glibc supports shadow group in a cross-compilation
environment. In 4.17.3, it can correctly check whether glibc supports
shadow group even in a cross-compilation environment[1]. If supported,
shadow will use it instead of its own internal implementation.
Shadow group support in glibc requires adding a gshadow entry in
nsswitch.conf.

After the patch:
  root@qemux86-64:~# groupadd g1
  root@qemux86-64:~# useradd t1
  root@qemux86-64:~# gpasswd g1
  Changing the password for group g1
  New Password:
  Re-enter new password:
  root@qemux86-64:~# sudo -u t1 newgrp g1
  Password:
  t1@qemux86-64:/home/root$

[1] https://github.com/shadow-maint/shadow/commit/da6b9cff02d583ef169a0bc0c1014b19b5fad2fb

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-core/base-files/base-files/nsswitch.conf b/meta/recipes-core/base-files/base-files/nsswitch.conf
index 06f03d22a6bf3c927dd961624cc8fadfcde7a95b..53279c12b7a9ca5c137018e2ddad4b13c1c27212 100644 (file)
--- a/meta/recipes-core/base-files/base-files/nsswitch.conf
+++ b/meta/recipes-core/base-files/base-files/nsswitch.conf
@@ -7,6 +7,7 @@
 passwd:         compat
 group:          compat
 shadow:         compat
+gshadow:        files
 
 hosts:          files dns
 networks:       files