coreos · cgwalters · Mar 17, 2017
diff --git a/src/libpriv/rpmostree-passwd-util.c b/src/libpriv/rpmostree-passwd-util.c
@@ -1191,23 +1191,13 @@ rootfs_has_usrlib_passwd (int rootfs_dfd,
   return TRUE;
 }
 
-/* We actually want RPM to inject to /usr/lib/passwd - we
- * accomplish this by temporarily renaming /usr/lib/passwd -> /usr/etc/passwd
- * (Which appears as /etc/passwd via our compatibility symlink in the bubblewrap
- *  script runner). We also copy the merge deployment's /etc/passwd to
- *  /usr/lib/passwd, so that %pre scripts are aware of newly added system users
- *  not in the tree's /usr/lib/passwd (through nss-altfiles in the container).
+/* This may be leftover in the tree from an older version of rpm-ostree that
+ * didn't clean them up at compose time, and having them exist will mean
+ * rofiles-fuse will prevent useradd from opening it for write.
  */
 gboolean
-rpmostree_passwd_prepare_rpm_layering (int                rootfs_dfd,
-                                       const char        *merge_passwd_dir,
-                                       gboolean          *out_have_passwd,
-                                       GCancellable      *cancellable,
-                                       GError           **error)
+rpmostree_passwd_cleanup (int rootfs_dfd, GCancellable *cancellable, GError **error)
 {
-  /* This may be leftover in the tree, and having it exist will mean
-   * rofiles-fuse will prevent useradd from opening it for write.
-   */
   for (guint i = 0; i < G_N_ELEMENTS (pwgrp_lock_and_backup_files); i++)
     {
       const char *file = pwgrp_lock_and_backup_files[i];
@@ -1223,6 +1213,26 @@ rpmostree_passwd_prepare_rpm_layering (int                rootfs_dfd,
         }
     }
 
+  return TRUE;
+}
+
+/* We actually want RPM to inject to /usr/lib/passwd - we
+ * accomplish this by temporarily renaming /usr/lib/passwd -> /usr/etc/passwd
+ * (Which appears as /etc/passwd via our compatibility symlink in the bubblewrap
+ *  script runner). We also copy the merge deployment's /etc/passwd to
+ *  /usr/lib/passwd, so that %pre scripts are aware of newly added system users
+ *  not in the tree's /usr/lib/passwd (through nss-altfiles in the container).
+ */
+gboolean
+rpmostree_passwd_prepare_rpm_layering (int                rootfs_dfd,
+                                       const char        *merge_passwd_dir,
+                                       gboolean          *out_have_passwd,
+                                       GCancellable      *cancellable,
+                                       GError           **error)
+{
+  if (!rpmostree_passwd_cleanup (rootfs_dfd, cancellable, error))
+    return FALSE;
+
   if (!rootfs_has_usrlib_passwd (rootfs_dfd, out_have_passwd, error))
     return FALSE;
   if (!*out_have_passwd)

diff --git a/src/libpriv/rpmostree-passwd-util.h b/src/libpriv/rpmostree-passwd-util.h
@@ -63,6 +63,10 @@ rpmostree_generate_passwd_from_previous (OstreeRepo      *repo,
                                          GCancellable    *cancellable,
                                          GError         **error);
 
+
+gboolean
+rpmostree_passwd_cleanup (int rootfs_dfd, GCancellable *cancellable, GError **error);
+
 gboolean
 rpmostree_passwd_prepare_rpm_layering (int       rootfs_dfd,
                                        const char        *merge_passwd_dir,

diff --git a/src/libpriv/rpmostree-postprocess.c b/src/libpriv/rpmostree-postprocess.c
@@ -1190,6 +1190,7 @@ rpmostree_rootfs_prepare_links (int           rootfs_fd,
  *
  *  - Move /etc to /usr/etc
  *  - Clean up RPM db leftovers
+ *  - Clean /usr/etc/passwd- backup files and such
  */
 gboolean
 rpmostree_rootfs_postprocess_common (int           rootfs_fd,
@@ -1236,6 +1237,9 @@ rpmostree_rootfs_postprocess_common (int           rootfs_fd,
         }
     }
 
+  if (!rpmostree_passwd_cleanup (rootfs_fd, cancellable, error))
+    goto out;
+
   ret = TRUE;
  out:
   return ret;

diff --git a/tests/compose-tests/test-basic.sh b/tests/compose-tests/test-basic.sh
@@ -18,6 +18,9 @@ cat > metadata.json <<EOF
 EOF
 runcompose --add-metadata-from-json metadata.json
 ostree --repo=${repobuild} ls -R ${treeref} /usr/lib/ostree-boot > bootls.txt
+if ostree --repo=${repobuild} ls -R ${treeref} /usr/etc/passwd-; then
+    assert_not_reached "Found /usr/etc/passwd- backup file in tree"
+fi
 echo "ok compose"
 
 ostree --repo=${repobuild} show --print-metadata-key exampleos.gitrepo ${treeref} > meta.txt