From 8d8547f65fc0474fa335d04201ee9c2ccb9aa773 Mon Sep 17 00:00:00 2001
From: Johannes Schauer Marin Rodrigues
Date: Tue, 26 Jul 2022 17:25:42 +0200
Subject: debian/shadowconfig: Support DPKG_ROOT without using chroot()

Closes: #1007758
---
 debian/shadowconfig | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/debian/shadowconfig b/debian/shadowconfig
index 28df7512..b462597a 100644
--- a/debian/shadowconfig
+++ b/debian/shadowconfig
@@ -5,14 +5,35 @@ set -e

 shadowon () {
 set -e
- pwck -q -r
- grpck -r
- pwconv
- grpconv
- chown root:root /etc/passwd /etc/group
- chmod 644 /etc/passwd /etc/group
- chown root:shadow /etc/shadow /etc/gshadow
- chmod 640 /etc/shadow /etc/gshadow
+
+ if [ -n "$DPKG_ROOT" ] \
+ && cmp "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
+ && cmp "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
+ # If dpkg is run with --force-script-chrootless and if /etc/passwd
+ # and /etc/group are unchanged, we avoid the chroot() call by manually
+ # processing the files. This produces bit-by-bit identical results
+ # compared to the normal case as shown by the CI setup at
+ # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
+ for f in passwd group; do
+ cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
+ done
+ chmod 600 "${DPKG_ROOT}/etc/passwd-"
+ sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/etc/passwd"
+ [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH || epoch=$(date +%s)
+ sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/" "${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
+ sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" > "${DPKG_ROOT}/etc/gshadow"
+ touch "${DPKG_ROOT}/etc/.pwd.lock"
+ chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
+ else
+ pwck -q -r
+ grpck -r
+ pwconv
+ grpconv
+ fi
+ chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+ chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+ chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+ chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
 }

 shadowoff () {
-- cgit v1.2.1
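Review bot: The `else` branch of `shadowon` still calls `pwck`, `grpck`, `pwconv` and `grpconv` with no root argument, so when `DPKG_ROOT` is set but `etc/passwd` or `etc/group` differs from the base-passwd masters they work on the invoking system's `/etc`, while the `chown`/`chmod` lines after `fi` target `${DPKG_ROOT}/etc`. That converts the wrong account database and then, under `set -e`, probably aborts on a missing `${DPKG_ROOT}/etc/shadow`. I would make that case fail explicitly, for example `elif [ -n "$DPKG_ROOT" ]; then echo "shadowconfig: passwd/group under $DPKG_ROOT differ from base-passwd masters" >&2; exit 1`, or document why it cannot occur. Separately, `shadow` and `gshadow` are created by redirection under the ambient umask and only tightened to 640 after `fi`, so a `umask 077` at the top of the chrootless branch would keep them private if an intermediate step fails. `cmp -s` would also silence the "differ" message that `2>/dev/null` leaves on stdout.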