many: do not use nss when looking up for users/groups from snapd snap (…

…#13776)

* many: do not use runtime nss when looking up for users/groups from snapd snap

When snapd runs as a snap, it has its own runtime. This may not have
NSS plugins needed for the host. For example to get users from
AD/LDAP/Kerberos, or systemd-homed, or custom user databses.  In
general we can use tag `osusergo` to make go not to use the local
configuration (i.e. `/etc/nsswitch.conf`), however, even if it is fine
for most databases, we really need users and groups to be resolved
with the host configuration.

To be able to load correctly plugins, we expect the host system to
provide `getent`. And we query `passwd` and `group` databases through
this command.

In the future we should connect the systemd-userdb if it is
running and use `getent` only as fallback.

* .golangci.yml: verify for forbidden use of os/user

.golangci.yml

@@ -121,11 +121,15 @@ linters-settings:
     min-len: 3
     # minimal occurrences count to trigger, 3 by default
     min-occurrences: 3
-  # depguard:
-  #   list-type: blacklist
-  #   include-go-root: false
-  #   packages:
-  #     - github.com/davecgh/go-spew/spew
+  depguard:
+    rules:
+      osuser:
+        files:
+          - "!**/osutil/user/*.go"
+        deny:
+          - pkg: "os/user"
+            desc: "Please use osutil/user instead. See https://github.com/canonical/snapd/pull/13776"
+
   misspell:
     # Correct spellings using locale preferences for US or UK.
     # Default is to use a neutral variety of English.

build-aux/snap/snapcraft.yaml

@@ -112,9 +112,6 @@ parts:
       - squashfs-tools
       - xdelta3
       - zlib1g
-      # This is needed for using os/user on Ubuntu Core
-      # TODO: do not use os/user, but io.systemd.NameServiceSwitch through dbus
-      - libnss-extrausers
     stage:
       - -usr/lib/$CRAFT_ARCH_TRIPLET_BUILD_FOR/ld*.so*
       - -lib32
@@ -125,9 +122,9 @@ parts:
       - -usr/share/man
       - -usr/share/lintian
       - -usr/share/lintian/**
+      - -usr/lib/$CRAFT_ARCH_TRIPLET_BUILD_FOR/libnss_*.so.2
     override-build: |
       craftctl default
-      mv "${CRAFT_PART_INSTALL}/usr/lib/libnss_extrausers.so.2" "${CRAFT_PART_INSTALL}/usr/lib/${CRAFT_ARCH_TRIPLET_BUILD_FOR}/"
       cp -rT "${CRAFT_PART_INSTALL}/lib/${CRAFT_ARCH_TRIPLET_BUILD_FOR}" "${CRAFT_PART_INSTALL}/usr/lib/${CRAFT_ARCH_TRIPLET_BUILD_FOR}"
       rm -rf "${CRAFT_PART_INSTALL}/lib/${CRAFT_ARCH_TRIPLET_BUILD_FOR}"
       rm -f "${CRAFT_PART_INSTALL}/lib/${DYNAMIC_LINKER}"
@@ -370,6 +367,7 @@ parts:
             esac
             ;;
         esac
+        TAGS+=(snapdusergo osusergo)
 
         # FIPS specific build tags
         if [ -f fips-build ]; then

client/apps.go

@@ -27,11 +27,11 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
-	"os/user"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/snap"
 )
 

client/apps_test.go

@@ -22,13 +22,13 @@ package client_test
 import (
 	"encoding/json"
 	"fmt"
-	"os/user"
 	"strconv"
 	"strings"
 
 	"gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 func mksvc(snap, app string) *client.AppInfo {

client/login.go

@@ -24,11 +24,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"os/user"
 	"path/filepath"
 
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/osutil/sys"
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 // User holds logged in user information.

cmd/snap/cmd_routine_file_access_test.go

@@ -23,14 +23,14 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"os/user"
 	"path/filepath"
 	"strings"
 
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/client"
 	snap "github.com/snapcore/snapd/cmd/snap"
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 type SnapRoutineFileAccessSuite struct {

cmd/snap/cmd_run.go

@@ -28,7 +28,6 @@ import (
 	"net"
 	"os"
 	"os/exec"
-	"os/user"
 	"path/filepath"
 	"regexp"
 	"strconv"
@@ -49,6 +48,7 @@ import (
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/osutil/strace"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/sandbox/cgroup"
 	"github.com/snapcore/snapd/sandbox/selinux"
 	"github.com/snapcore/snapd/snap"

cmd/snap/cmd_run_test.go

@@ -26,7 +26,6 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"os/user"
 	"path/filepath"
 	"strings"
 	"time"
@@ -40,6 +39,7 @@ import (
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/osutil/strace"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/sandbox/cgroup"
 	"github.com/snapcore/snapd/sandbox/selinux"
 	"github.com/snapcore/snapd/snap"

cmd/snap/cmd_services.go

@@ -22,14 +22,14 @@ package main
 import (
 	"errors"
 	"fmt"
-	"os/user"
 	"strconv"
 
 	"github.com/jessevdk/go-flags"
 
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/client/clientutil"
 	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 type svcStatus struct {

cmd/snap/cmd_services_test.go

@@ -23,7 +23,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"os/user"
 	"sort"
 	"strings"
 	"time"
@@ -32,6 +31,7 @@ import (
 
 	"github.com/snapcore/snapd/client"
 	snap "github.com/snapcore/snapd/cmd/snap"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/strutil"
 )
 

cmd/snap/cmd_userd_test.go

@@ -25,7 +25,6 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"os/user"
 	"path"
 	"path/filepath"
 	"strings"
@@ -38,6 +37,7 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/testutil"
 	"github.com/snapcore/snapd/usersession/autostart"
 )

cmd/snap/error.go

@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"go/doc"
 	"os"
-	"os/user"
 	"strings"
 	"text/tabwriter"
 
@@ -35,6 +34,7 @@ import (
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/snap/channel"
 	"github.com/snapcore/snapd/strutil"
 )

cmd/snap/export_test.go

@@ -22,7 +22,6 @@ package main
 import (
 	"context"
 	"os"
-	"os/user"
 	"time"
 
 	"github.com/jessevdk/go-flags"
@@ -31,6 +30,7 @@ import (
 	"github.com/snapcore/snapd/cmd/snaplock/runinhibit"
 	"github.com/snapcore/snapd/image"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/sandbox/cgroup"
 	"github.com/snapcore/snapd/sandbox/selinux"
 	"github.com/snapcore/snapd/seed/seedwriter"

daemon/api_apps.go

@@ -26,12 +26,12 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"os/user"
 	"sort"
 	"strconv"
 	"strings"
 
 	"github.com/snapcore/snapd/client/clientutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/servicestate"
 	"github.com/snapcore/snapd/overlord/state"

daemon/api_apps_test.go

@@ -29,7 +29,6 @@ import (
 	"math"
 	"net/http"
 	"net/http/httptest"
-	"os/user"
 	"sort"
 	"strconv"
 	"strings"
@@ -39,6 +38,7 @@ import (
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/client/clientutil"
 	"github.com/snapcore/snapd/daemon"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/servicestate"
 	"github.com/snapcore/snapd/overlord/snapstate"

daemon/api_base_test.go

@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"os/user"
 	"path/filepath"
 	"time"
 
@@ -41,6 +40,7 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/assertstate/assertstatetest"

daemon/api_users_test.go

@@ -23,7 +23,6 @@ import (
 	"bytes"
 	"fmt"
 	"net/http"
-	"os/user"
 	"time"
 
 	"gopkg.in/check.v1"
@@ -32,6 +31,7 @@ import (
 	"github.com/snapcore/snapd/asserts/assertstest"
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/daemon"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/overlord/assertstate/assertstatetest"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate/config"

daemon/export_api_apps_test.go

@@ -20,8 +20,7 @@
 package daemon
 
 import (
-	"os/user"
-
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/servicestate"
 	"github.com/snapcore/snapd/overlord/state"

daemon/export_test.go

@@ -22,14 +22,14 @@ package daemon
 import (
 	"context"
 	"net/http"
-	"os/user"
 	"time"
 
 	"github.com/gorilla/mux"
 
 	"github.com/snapcore/snapd/asserts/snapasserts"
 	"github.com/snapcore/snapd/boot"
 	"github.com/snapcore/snapd/client/clientutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/restart"

desktop/portal/document.go

@@ -21,13 +21,13 @@ package portal
 
 import (
 	"fmt"
-	"os/user"
 	"path/filepath"
 	"strings"
 
 	"github.com/snapcore/snapd/dbusutil"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 const (

desktop/portal/document_test.go

@@ -22,14 +22,14 @@ package portal_test
 import (
 	"errors"
 	"os"
-	"os/user"
 	"path/filepath"
 	"sync"
 
 	"github.com/godbus/dbus"
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/desktop/portal"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/testutil"
 )
 

desktop/portal/export_test.go

@@ -20,10 +20,10 @@
 package portal
 
 import (
-	"os/user"
 	"time"
 
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 const (

osutil/export_test.go

@@ -24,11 +24,11 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"os/user"
 	"syscall"
 	"time"
 
 	"github.com/snapcore/snapd/osutil/sys"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/strutil"
 	"github.com/snapcore/snapd/testutil"
 )

osutil/group.go

@@ -22,8 +22,9 @@ package osutil
 import (
 	"bytes"
 	"fmt"
-	"os/user"
 	"strconv"
+
+	"github.com/snapcore/snapd/osutil/user"
 )
 
 // FindUid returns the identifier of the given UNIX user name. It will

osutil/group_test.go

@@ -21,11 +21,11 @@ package osutil_test
 
 import (
 	"fmt"
-	"os/user"
 
 	"gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/user"
 	"github.com/snapcore/snapd/testutil"
 )