Skip to content

feat: add ALT Linux compatibility improvements#1989

Open
liannnix wants to merge 3 commits into89luca89:mainfrom
liannnix:altlinux_compatibility
Open

feat: add ALT Linux compatibility improvements#1989
liannnix wants to merge 3 commits into89luca89:mainfrom
liannnix:altlinux_compatibility

Conversation

@liannnix
Copy link

@liannnix liannnix commented Jan 29, 2026
edited
Loading

This PR fixes ALT Linux container compatibility issues, specifically addressing problems with --init containers.

Problem

ALT Linux ships its own su implementation that is incompatible with util-linux su flags. When distrobox-enter runs with unshare_groups enabled (i.e., --init containers), it passes flags like -m, --pty, and -c that ALT's su rejects, causing immediate failure:

/bin/su: invalid option -- 'm'
usage: su [-|-l] [-c "command"] [-s "shell"] [username]

Changes Made

  1. ALT Linux-specific su wrapper in distrobox-init:

    • Inside the existing ALT Linux detection block (if command -v control), creates /usr/local/bin/su/usr/sbin/runuser wrapper
    • runuser (from util-linux, always present in ALT) accepts the same flags as util-linux su
    • Wrapper is placed in /usr/local/bin to survive apt-get upgrades (no package owns it)

  2. Guarded the generic --pty wrapper:

    • Added [ ! -e /usr/local/bin/su ] check to prevent overwriting ALT-specific wrapper
    • Maintains compatibility with old util-linux versions and non-util-linux su implementations

  3. PATH ordering fix in distrobox-enter:

    • Ensures /usr/local/bin precedes /usr/bin when host PATH is passed through
    • Follows FHS conventions (/usr/local should override /usr)
    • Guarantees wrapper is found first regardless of host PATH ordering

  4. Additional ALT Linux fixes:

    • control pam_mktemp disabled – PAM stack compatibility fix
    • mkdir -p for TCB directory – prevents errors when directory exists

Why a Separate Wrapper?

The existing generic wrapper only strips --pty flag for old util-linux versions. ALT Linux su has broader incompatibilities – it rejects -m, -c flags entirely. A simple --pty-stripping wrapper won't help; we need a complete replacement that understands all util-linux su flags.

Solution Characteristics

  • Transparent: No new flags, env vars, or user options
  • Upgrade-safe: Wrapper in /usr/local/bin survives package updates
  • Distro-specific: Only affects ALT Linux containers (detected via control)
  • Aligned with precedent: Follows same pattern as Alpine/Chimera (su-exec/doas replacements)

The fix ensures ALT Linux containers work seamlessly with --init, maintaining distrobox's POSIX compliance while handling distro-specific incompatibilities internally.

@89luca89
Copy link
Owner

89luca89 commented Feb 4, 2026

Hi @liannnix is runuser a replacement for su or an addition in ALTLinux?
If it's a replacement, so it's mutually exclusive, we could just symlink it?

@liannnix
Copy link
Author

liannnix commented Feb 5, 2026
edited
Loading

Hi @liannnix is runuser a replacement for su or an addition in ALTLinux? If it's a replacement, so it's mutually exclusive, we could just symlink it?

Hi,

In ALT Linux runuser is an addition, not a drop-in replacement for su. ALT ships its own su implementation with different options/behaviour, and a bunch of tools rely on this exact su. Replacing it with a symlink to runuser would break those expectations inside ALT containers.

The actual problem is that distrobox-enter calls su with util-linux style options, but inside an ALT container /bin/su is this custom one, so it blows up. At the same time distrobox cannot reliably know which distro is inside the target container, so it cannot decide on its own when su is safe to use and when it is not.

That’s why the opt-in --container-runuser toggle in this PR is preferable: it fixes ALT containers without touching their su and without relying on symlinks or image modifications.

@89luca89
Copy link
Owner

89luca89 commented Feb 5, 2026

Got it now it's more clear
I'll be honest, I don't like adding a flag in create only for a very specific distro acting in a non posix-y way.
Distrobox's su usage is posix compliant and distrobox is a targets a posix compliant userland, if that doesn't work it's just an incompatibility on ALT Linux side, more than Distrobox itself.

I'm open to find a way to make it work that does not involve additional options, env variables, or flags.

ALT Linux has a dedicated setup section in the init (about line 967) you can use that to put in some logic in order to make it compliant. Had this problem before with Alpine and Chimera where sudo was replaced by su-exec and doas. We can work in that direction, but as explained, adding a per-distro flag for a very specific use-case is not ok for me.

cc @dottorblaster

@liannnix
Copy link
Author

liannnix commented Feb 5, 2026

Got it now it's more clear I'll be honest, I don't like adding a flag in create only for a very specific distro acting in a non posix-y way. Distrobox's su usage is posix compliant and distrobox is a targets a posix compliant userland, if that doesn't work it's just an incompatibility on ALT Linux side, more than Distrobox itself.

I'm open to find a way to make it work that does not involve additional options, env variables, or flags.

ALT Linux has a dedicated setup section in the init (about line 967) you can use that to put in some logic in order to make it compliant. Had this problem before with Alpine and Chimera where sudo was replaced by su-exec and doas. We can work in that direction, but as explained, adding a per-distro flag for a very specific use-case is not ok for me.

cc @dottorblaster

Thanks for the detailed explanation, that makes your concerns much clearer. I agree that a per-distro flag is not ideal, and it’s better to handle ALT Linux specifics in its dedicated init section instead. I’ll rework the PR to move the su/runuser handling there, following the approach you used for Alpine/Chimera, and drop the --container-runuser flag. Thanks again for the review and guidance!

@liannnix liannnix force-pushed the altlinux_compatibility branch from 0a45c12 to 681d314 Compare February 12, 2026 14:06
@liannnix
Copy link
Author

liannnix commented Feb 12, 2026

Got it now it's more clear I'll be honest, I don't like adding a flag in create only for a very specific distro acting in a non posix-y way. Distrobox's su usage is posix compliant and distrobox is a targets a posix compliant userland, if that doesn't work it's just an incompatibility on ALT Linux side, more than Distrobox itself.

I'm open to find a way to make it work that does not involve additional options, env variables, or flags.

ALT Linux has a dedicated setup section in the init (about line 967) you can use that to put in some logic in order to make it compliant. Had this problem before with Alpine and Chimera where sudo was replaced by su-exec and doas. We can work in that direction, but as explained, adding a per-distro flag for a very specific use-case is not ok for me.

cc @dottorblaster

Following your feedback, I've reworked the PR to handle ALT Linux compatibility inside distrobox-init without any new flags or options.

Changes Made

1. ALT Linux-specific su wrapper in distrobox-init

  • Inside the existing ALT detection block, creates /usr/local/bin/su/usr/sbin/runuser wrapper
  • runuser (from util-linux) accepts the same flags as util-linux su (-m, --pty, -c)
  • Placed in /usr/local/bin to survive apt-get upgrades (no package owns it)

2. Guarded the generic --pty wrapper

  • Added [ ! -e /usr/local/bin/su ] check to prevent overwriting ALT wrapper

3. PATH ordering fix in distrobox-enter

  • Ensures /usr/local/bin precedes /usr/bin when host PATH is passed through
  • Follows FHS conventions, guarantees wrapper is found first

Why a Separate Wrapper?

The existing wrapper only removes --pty for old util-linux versions. ALT Linux su has broader incompatibilities: it rejects -m, -c flags that distrobox-enter passes. A simple --pty-stripping wrapper won't help—we need a complete replacement.

runuser provides that replacement while being readily available in ALT Linux. The solution is transparent (no flags), upgrade-safe, and distro-specific—aligning with the Alpine/Chimera precedent.

@liannnix
fix: use mkdir -p to prevent error on existing user tcb directory
7d610b4 
Use mkdir -p in setup_aptrpm() to prevent command failure if
/etc/tcb/$user already exists.

Signed-off-by: Andrey Limachko <liannnix@altlinux.org>
@liannnix
fix: disable pam_mktemp for PAM stack compatibility
31ddbd4 
Private tmp directory is not needed as /tmp is mounted from host system.
Using pam_mktemp would break the PAM stack.

Signed-off-by: Andrey Limachko <liannnix@altlinux.org>
@liannnix liannnix force-pushed the altlinux_compatibility branch from 681d314 to efad878 Compare February 12, 2026 15:52
@liannnix
fix: ALT Linux --init compatibility via runuser wrapper
d0e9406 
ALT Linux ships its own su(1) implementation incompatible with util-linux
su flags. distrobox-enter passes -m, --pty, -s, -c when unshare_groups is
enabled (--init containers). These flags are rejected by ALT's su, causing
instant failure.

Add /usr/local/bin/su wrapper that delegates to /usr/sbin/runuser (from
util-linux, always present in ALT). The wrapper is placed in /usr/local/bin
to survive package updates, and the existing generic --pty-stripping wrapper
is guarded to not overwrite it.

Fix PATH ordering in distrobox-enter to ensure /usr/local/bin precedes
/usr/bin when host PATH is passed through. This follows FHS conventions
and guarantees the wrapper is found first.

Signed-off-by: Andrey Limachko <liannnix@altlinux.org>
@liannnix liannnix force-pushed the altlinux_compatibility branch from efad878 to d0e9406 Compare February 16, 2026 16:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@liannnix @89luca89

Comments