Can't overlay packages defining their own groups #5530

@hadmut

Describe the bug

Hi,

Since Kinoite 42 I can't use ecryptfs-utils anymore. Since then, /usr/bin/mount.ecryptfs_private is not publicly executable anymore, and is restricted to group ecryptfs.

Since /usr/bin/ is not writable and I can't simply change permissions, I need to put myself into group ecryptfs, which usermod -aG .. silently ignores, since ecryptfs is in /lib/group, but not /etc/group.

Once I do copy the line with ecryptfs from /lib/group to /etc/group, I can properly run mount.ecryptfs_private, but then I can't update the system image anymore: rpm-ostree complains that it can't find the group ecryptfs in the group file and denies upgrading.

As far as I know, this problem occurs with just any rpm package that does define its own group and is not listed in the standard /lib/group, and even the groups listed in /lib/group don't work properly since one can't add someone to the group unless copying it from /lib/group to /etc/group manually.

I've submitted bug reports to RedHat/Fedora, but nobody seems to deal with it, nobody seems to really care, and nobody knows what to do.

I wonder if this problem is known to rpm-ostree, where exactly this /lib/group and /etc/group method is defined, and how this is intended to work.

It's a bit strange to break elementary Unix/Linux functionality, and I didn't find a comment about it, and no one at Fedora seems to know how to work around/deal with it.

Isn't there even a simple comment about it?

How are groups supposed to work with rpm-ostree?

Or, better to say, the other way round, how is rpm-ostree supposed to work with groups?

Regards

Reproduction steps

  1. Use Kinoite or Silverblue
  2. rpm-ostree install ecryptfs-utils (or any other package installing its own groups)
  3. Try to use mount.ecryptfs_private and put yourself in group ecryptfs in order to get permission
  4. Now try to update the system image with rpm-ostree

Expected behavior

I would expect it to work like any other Linux system.

Actual behavior

Depending on what you do with /etc/group it

  • either does not work or
  • works, but system image cannot be updated anymore.

System details

Kinoite 43

rpm-ostree 2025.12

Additional information

No response
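
A read-only check for the situation this report describes, as an added example that is not part of the original issue and is not rpm-ostree code: it lists groups that exist in /lib/group but not in /etc/group, and classifies a single group so that manually copied entries can be spotted before an upgrade. The function names, the sample GIDs and the user alice are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the two group databases named in the report.
# File paths are arguments, so the check can run on copies of the files.

# Print groups defined in LIBFILE but absent from ETCFILE.
# Usage: groups_only_in_lib LIBFILE ETCFILE
groups_only_in_lib() {
    awk -F: '
        /^#/ || $1 == "" { next }
        FILENAME == ARGV[1] { etc[$1] = 1; next }   # first operand: ETCFILE
        !($1 in etc) { print $1 }                   # second operand: LIBFILE
    ' "$2" "$1"
}

# Classify one group: lib-only, etc-only, both, both-gid-mismatch, missing.
# Usage: group_status NAME LIBFILE ETCFILE
group_status() {
    awk -F: -v g="$1" '
        $1 == g {
            if (FILENAME == ARGV[1]) { inlib = 1; lgid = $3 }
            else                     { inetc = 1; egid = $3 }
        }
        END {
            if (inlib && inetc) {
                s = (lgid == egid) ? "both" : "both-gid-mismatch"
                print s
            }
            else if (inlib) print "lib-only"
            else if (inetc) print "etc-only"
            else print "missing"
        }
    ' "$2" "$3"
}

# Constructed sample data (the GIDs and the user "alice" are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:\necryptfs:x:975:\n' > "$d/lib_group"
    printf 'root:x:0:\nwheel:x:10:alice\n' > "$d/etc_group"
    groups_only_in_lib "$d/lib_group" "$d/etc_group"
    group_status ecryptfs "$d/lib_group" "$d/etc_group"
    rm -rf "$d"
}
demo
```

On a real system the same functions can be pointed at the live files, for example `groups_only_in_lib /lib/group /etc/group`.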
