authorChen Qi <Qi.Chen@windriver.com>2015-04-21 17:30:46 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-24 11:06:56 +0100
commitd477da6618660c38dcae3635feb97ee2dd2f6502 (patch)
tree16127c81d5eb7bb53b168b4af7c7c5b5c4901d73
parentda1a2888f64f71da12d6fc9e562a9842b50814b5 (diff)
shadow: fix `su' behaviour
0001-su.c-fix-to-exec-command-correctly.patch is removed. Below is the reason. This patch was introduced to solve the 'su: applet not found' problem when executing `su -l xxx -c env'. The patch references code from a previous release of shadow. However, this patch introduces bug#5359, so it's not correct. Let's first look at the root cause of the 'su: applet not found' problem. This problem appears when /bin/sh is provided by busybox. When executing the `su -l xxx -c env' command, the following function is invoked. execve("/bin/sh", ["-su", "-c", "env"], [/* 6 vars */]) Note that the argv[0] provided to the new executable file (/bin/sh) is "-su". As /bin/sh is a symlink to /bin/busybox, it's /bin/busybox that is executed. Busybox's appletlib.c examines argv[0], tries to find an applet that has the same name, and then tries to execute the main function of that applet. This logic results in the `su' applet from busybox being executed. However, we default to set 'BUSYBOX_SPLIT_SUID' to "1", so 'su' is not found. Furthermore, even if we set 'BUSYBOX_SPLIT_SUID' to "0" so that the 'su' applet is found, the whole behaviour is still not correct, because 'su' from shadow takes higher priority than that from busybox, so 'su' from busybox should never be executed on such a system unless it's specified clearly by the end user. The logic of busybox's appletlib.c is totally correct from the point of view of busybox itself. It's an integration problem. To solve the above problem, this patch comments out SU_NAME in /etc/login.defs so that the final function executed in shadow's su is as below. execve("/bin/sh", ["-sh", "-c", "env"], [/* 6 vars */]) [YOCTO #5359] [YOCTO #7137] (From OE-Core rev: 6820f05dad0b4f9b9bbcf7c2a0af8c34f66199ae) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch25
-rw-r--r--meta/recipes-extended/shadow/shadow.inc5
2 files changed, 4 insertions, 26 deletions
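diff --git a/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch b/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
deleted file mode 100644
index 31337de362..0000000000
--- a/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Upstream-Status: Pending
-
-Subject: su.c: fix to exec command correctly
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- src/su.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/su.c b/src/su.c
-index 3704217..bc4f2ac 100644
---- a/src/su.c
-+++ b/src/su.c
-@@ -1156,7 +1156,7 @@ int main (int argc, char **argv)
- * Use the shell and create an argv
- * with the rest of the command line included.
- */
-- argv[-1] = cp;
-+ argv[-1] = shellstr;
- execve_shell (shellstr, &argv[-1], environ);
- err = errno;
- (void) fprintf (stderr,
---
-1.7.9.5
-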
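diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 7c63d88c70..5451718cce 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -14,7 +14,6 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
  file://shadow-4.1.3-dots-in-usernames.patch \
  file://usermod-fix-compilation-failure-with-subids-disabled.patch \
  file://fix-installation-failure-with-subids-disabled.patch \
- file://0001-su.c-fix-to-exec-command-correctly.patch \
  file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
  file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
  ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
@@ -108,6 +107,10 @@ do_install() {
  # Disable checking emails.
  sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
 
+ # Comment out SU_NAME to work correctly with busybox
+ # See Bug#5359 and Bug#7173
+ sed -i 's:^SU_NAME:#SU_NAME:g' ${D}${sysconfdir}/login.defs
+
  # Use proper encryption for passwords
  sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs
 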
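Review bot: The comment added in the do_install() hunk cites `Bug#7173`, while the commit message tags this change `[YOCTO #7137]`; one of the two looks like a transposed digit and should be checked against the tracker, since the in-file comment is what later readers will follow. The comment would also be more useful if it stated the mechanism the commit message describes, for example `# SU_NAME sets argv[0] of the shell su execs ("-su"); a busybox /bin/sh dispatches on argv[0] and would run its own su applet`. Separately, the `sed` edits nothing and still succeeds if a future login.defs has no line starting with `SU_NAME`, so the busybox applet dispatch on a privilege-changing path could return unnoticed; a check after the `sed` that the file contains no uncommented `SU_NAME` line, or a runtime test of `su -l USER -c env`, would catch that. The `g` flag is redundant with the `^` anchor. do_install() starts and ends outside the hunk, so other edits to login.defs there are not visible.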