summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Garman <scott.a.garman@intel.com>2011-06-20 17:11:34 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2011-06-28 13:55:40 +0100
commitc82a1b111dfb988a2a64a263ddd7fb482f67c80f (patch)
tree5fe8c513867e8b12569fe00af6ac8cc49fe39de9
parent1d640c9436ecc65d8864e8a742926fbeb5d7826e (diff)
downloadpoky-c82a1b111dfb988a2a64a263ddd7fb482f67c80f.tar.gz
shadow-sysroot: new recipe for useradd.bbclass support
Packaging login.defs with base-passwd causes problems due to the file being included in target package installs. Instead, this shadow-sysroot recipe can be used by useradd.bbclass to put login.defs into the target sysroot without disturbing packages intended for target devices. (From OE-Core rev: 6cbf741d73070759ecb9a284e6511c63d945f7c1) Signed-off-by: Scott Garman <scott.a.garman@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/shadow/files/login.defs_shadow-sysroot386
-rw-r--r--meta/recipes-extended/shadow/shadow-sysroot_4.1.4.3.bb41
2 files changed, 427 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot
new file mode 100644
index 0000000000..8a68dd341a
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot
@@ -0,0 +1,386 @@
1#
2# /etc/login.defs - Configuration control definitions for the shadow package.
3#
4# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
5#
6
7#
8# Delay in seconds before being allowed another attempt after a login failure
9# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
10# pam_unix enforces a 2s delay)
11#
12FAIL_DELAY 3
13
14#
15# Enable logging and display of /var/log/faillog login failure info.
16#
17#FAILLOG_ENAB yes
18
19#
20# Enable display of unknown usernames when login failures are recorded.
21#
22LOG_UNKFAIL_ENAB no
23
24#
25# Enable logging of successful logins
26#
27LOG_OK_LOGINS no
28
29#
30# Enable logging and display of /var/log/lastlog login time info.
31#
32#LASTLOG_ENAB yes
33
34#
35# Enable checking and display of mailbox status upon login.
36#
37# Disable if the shell startup files already check for mail
38# ("mailx -e" or equivalent).
39#
40##MAIL_CHECK_ENAB yes
41
42#
43# Enable additional checks upon password changes.
44#
45#OBSCURE_CHECKS_ENAB yes
46
47#
48# Enable checking of time restrictions specified in /etc/porttime.
49#
50#PORTTIME_CHECKS_ENAB yes
51
52#
53# Enable setting of ulimit, umask, and niceness from passwd gecos field.
54#
55#QUOTAS_ENAB yes
56
57#
58# Enable "syslog" logging of su activity - in addition to sulog file logging.
59# SYSLOG_SG_ENAB does the same for newgrp and sg.
60#
61SYSLOG_SU_ENAB yes
62SYSLOG_SG_ENAB yes
63
64#
65# If defined, either full pathname of a file containing device names or
66# a ":" delimited list of device names. Root logins will be allowed only
67# upon these devices.
68#
69CONSOLE /etc/securetty
70#CONSOLE console:tty01:tty02:tty03:tty04
71
72#
73# If defined, all su activity is logged to this file.
74#
75#SULOG_FILE /var/log/sulog
76
77#
78# If defined, ":" delimited list of "message of the day" files to
79# be displayed upon login.
80#
81#MOTD_FILE /etc/motd
82#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
83
84#
85# If defined, this file will be output before each login prompt.
86#
87#ISSUE_FILE /etc/issue
88
89#
90# If defined, file which maps tty line to TERM environment parameter.
91# Each line of the file is in a format something like "vt100 tty01".
92#
93#TTYTYPE_FILE /etc/ttytype
94
95#
96# If defined, login failures will be logged here in a utmp format.
97# last, when invoked as lastb, will read /var/log/btmp, so...
98#
99#FTMP_FILE /var/log/btmp
100
101#
102# If defined, name of file whose presence which will inhibit non-root
103# logins. The contents of this file should be a message indicating
104# why logins are inhibited.
105#
106#NOLOGINS_FILE /etc/nologin
107
108#
109# If defined, the command name to display when running "su -". For
110# example, if this is defined as "su" then a "ps" will display the
111# command is "-su". If not defined, then "ps" would display the
112# name of the shell actually being run, e.g. something like "-sh".
113#
114SU_NAME su
115
116#
117# *REQUIRED*
118# Directory where mailboxes reside, _or_ name of file, relative to the
119# home directory. If you _do_ define both, #MAIL_DIR takes precedence.
120#
121#MAIL_DIR /var/spool/mail
122MAIL_FILE .mail
123
124#
125# If defined, file which inhibits all the usual chatter during the login
126# sequence. If a full pathname, then hushed mode will be enabled if the
127# user's name or shell are found in the file. If not a full pathname, then
128# hushed mode will be enabled if the file exists in the user's home directory.
129#
130HUSHLOGIN_FILE .hushlogin
131#HUSHLOGIN_FILE /etc/hushlogins
132
133#
134# If defined, either a TZ environment parameter spec or the
135# fully-rooted pathname of a file containing such a spec.
136#
137#ENV_TZ TZ=CST6CDT
138#ENV_TZ /etc/tzname
139
140#
141# If defined, an HZ environment parameter spec.
142#
143# for Linux/x86
144#ENV_HZ HZ=100
145# For Linux/Alpha...
146#ENV_HZ HZ=1024
147
148#
149# *REQUIRED* The default PATH settings, for superuser and normal users.
150#
151# (they are minimal, add the rest in the shell startup files)
152ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
153ENV_PATH PATH=/bin:/usr/bin
154
155#
156# Terminal permissions
157#
158# TTYGROUP Login tty will be assigned this group ownership.
159# TTYPERM Login tty will be set to this permission.
160#
161# If you have a "write" program which is "setgid" to a special group
162# which owns the terminals, define TTYGROUP to the group number and
163# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
164# TTYPERM to either 622 or 600.
165#
166TTYGROUP tty
167TTYPERM 0600
168
169#
170# Login configuration initializations:
171#
172# ERASECHAR Terminal ERASE character ('\010' = backspace).
173# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
174# ULIMIT Default "ulimit" value.
175#
176# The ERASECHAR and KILLCHAR are used only on System V machines.
177# The ULIMIT is used only if the system supports it.
178# (now it works with setrlimit too; ulimit is in 512-byte units)
179#
180# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
181#
182ERASECHAR 0177
183KILLCHAR 025
184#ULIMIT 2097152
185
186# Default initial "umask" value for non-PAM enabled systems.
187# UMASK is also used by useradd and newusers to set the mode of new home
188# directories.
189# 022 is the default value, but 027, or even 077, could be considered
190# better for privacy. There is no One True Answer here: each sysadmin
191# must make up her mind.
192UMASK 022
193
194#
195# Password aging controls:
196#
197# PASS_MAX_DAYS Maximum number of days a password may be used.
198# PASS_MIN_DAYS Minimum number of days allowed between password changes.
199# PASS_MIN_LEN Minimum acceptable password length.
200# PASS_WARN_AGE Number of days warning given before a password expires.
201#
202PASS_MAX_DAYS 99999
203PASS_MIN_DAYS 0
204#PASS_MIN_LEN 5
205PASS_WARN_AGE 7
206
207#
208# If "yes", the user must be listed as a member of the first gid 0 group
209# in /etc/group (called "root" on most Linux systems) to be able to "su"
210# to uid 0 accounts. If the group doesn't exist or is empty, no one
211# will be able to "su" to uid 0.
212#
213#SU_WHEEL_ONLY no
214
215#
216# If compiled with cracklib support, where are the dictionaries
217#
218#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
219
220#
221# Min/max values for automatic uid selection in useradd
222#
223UID_MIN 1000
224UID_MAX 60000
225# System accounts
226SYS_UID_MIN 101
227SYS_UID_MAX 999
228
229#
230# Min/max values for automatic gid selection in groupadd
231#
232GID_MIN 1000
233GID_MAX 60000
234# System accounts
235SYS_GID_MIN 101
236SYS_GID_MAX 999
237
238#
239# Max number of login retries if password is bad
240#
241LOGIN_RETRIES 5
242
243#
244# Max time in seconds for login
245#
246LOGIN_TIMEOUT 60
247
248#
249# Maximum number of attempts to change password if rejected (too easy)
250#
251#PASS_CHANGE_TRIES 5
252
253#
254# Warn about weak passwords (but still allow them) if you are root.
255#
256#PASS_ALWAYS_WARN yes
257
258#
259# Number of significant characters in the password for crypt().
260# Default is 8, don't change unless your crypt() is better.
261# Ignored if MD5_CRYPT_ENAB set to "yes".
262#
263#PASS_MAX_LEN 8
264
265#
266# Require password before chfn/chsh can make any changes.
267#
268#CHFN_AUTH yes
269
270#
271# Which fields may be changed by regular users using chfn - use
272# any combination of letters "frwh" (full name, room number, work
273# phone, home phone). If not defined, no changes are allowed.
274# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
275#
276CHFN_RESTRICT rwh
277
278#
279# Password prompt (%s will be replaced by user name).
280#
281# XXX - it doesn't work correctly yet, for now leave it commented out
282# to use the default which is just "Password: ".
283#LOGIN_STRING "%s's Password: "
284
285#
286# Only works if compiled with MD5_CRYPT defined:
287# If set to "yes", new passwords will be encrypted using the MD5-based
288# algorithm compatible with the one used by recent releases of FreeBSD.
289# It supports passwords of unlimited length and longer salt strings.
290# Set to "no" if you need to copy encrypted passwords to other systems
291# which don't understand the new algorithm. Default is "no".
292#
293# Note: If you use PAM, it is recommended to use a value consistent with
294# the PAM modules configuration.
295#
296# This variable is deprecated. You should use ENCRYPT_METHOD.
297#
298#MD5_CRYPT_ENAB no
299
300#
301# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
302# If set to MD5 , MD5-based algorithm will be used for encrypting password
303# If set to SHA256, SHA256-based algorithm will be used for encrypting password
304# If set to SHA512, SHA512-based algorithm will be used for encrypting password
305# If set to DES, DES-based algorithm will be used for encrypting password (default)
306# Overrides the MD5_CRYPT_ENAB option
307#
308# Note: If you use PAM, it is recommended to use a value consistent with
309# the PAM modules configuration.
310#
311#ENCRYPT_METHOD DES
312
313#
314# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
315#
316# Define the number of SHA rounds.
317# With a lot of rounds, it is more difficult to brute forcing the password.
318# But note also that it more CPU resources will be needed to authenticate
319# users.
320#
321# If not specified, the libc will choose the default number of rounds (5000).
322# The values must be inside the 1000-999999999 range.
323# If only one of the MIN or MAX values is set, then this value will be used.
324# If MIN > MAX, the highest value will be used.
325#
326# SHA_CRYPT_MIN_ROUNDS 5000
327# SHA_CRYPT_MAX_ROUNDS 5000
328
329#
330# List of groups to add to the user's supplementary group set
331# when logging in on the console (as determined by the CONSOLE
332# setting). Default is none.
333#
334# Use with caution - it is possible for users to gain permanent
335# access to these groups, even when not logged in on the console.
336# How to do it is left as an exercise for the reader...
337#
338#CONSOLE_GROUPS floppy:audio:cdrom
339
340#
341# Should login be allowed if we can't cd to the home directory?
342# Default in no.
343#
344DEFAULT_HOME yes
345
346#
347# If this file exists and is readable, login environment will be
348# read from it. Every line should be in the form name=value.
349#
350#ENVIRON_FILE /etc/environment
351
352#
353# If defined, this command is run when removing a user.
354# It should remove any at/cron/print jobs etc. owned by
355# the user to be removed (passed as the first argument).
356#
357#USERDEL_CMD /usr/sbin/userdel_local
358
359#
360# Enable setting of the umask group bits to be the same as owner bits
361# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
362# the same as gid, and username is the same as the primary group name.
363#
364# This also enables userdel to remove user groups if no members exist.
365#
366USERGROUPS_ENAB yes
367
368#
369# If set to a non-nul number, the shadow utilities will make sure that
370# groups never have more than this number of users on one line.
371# This permit to support split groups (groups split into multiple lines,
372# with the same group ID, to avoid limitation of the line length in the
373# group file).
374#
375# 0 is the default value and disables this feature.
376#
377#MAX_MEMBERS_PER_GROUP 0
378
379#
380# If useradd should create home directories for users by default (non
381# system users only)
382# This option is overridden with the -M or -m flags on the useradd command
383# line.
384#
385CREATE_HOME yes
386
diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.1.4.3.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.1.4.3.bb
new file mode 100644
index 0000000000..3fd5da99c5
--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.1.4.3.bb
@@ -0,0 +1,41 @@
1SUMMARY = "Shadow utils requirements for useradd.bbclass"
2DESCRIPTION = "Shadow utils requirements for useradd.bbclass"
3HOMEPAGE = "http://pkg-shadow.alioth.debian.org"
4BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
5SECTION = "base utils"
6PRIORITY = "optional"
7LICENSE = "BSD | Artistic"
8LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
9
10DEPENDS = "base-passwd"
11
12PR = "r0"
13
14# The sole purpose of this recipe is to provide the /etc/login.defs
15# file for the target sysroot - needed so the shadow-native utilities
16# can add custom users/groups for recipes that use inherit useradd.
17SRC_URI = "file://login.defs_shadow-sysroot"
18
19SRC_URI[md5sum] = "b8608d8294ac88974f27b20f991c0e79"
20SRC_URI[sha256sum] = "633f5bb4ea0c88c55f3642c97f9d25cbef74f82e0b4cf8d54e7ad6f9f9caa778"
21
22S = "${WORKDIR}"
23SSTATEPOSTINSTFUNCS += "shadow_sysroot_sstate_postinst"
24
25do_install() {
26 install -d ${D}${sysconfdir}
27 install -p -m 755 ${S}/login.defs_shadow-sysroot ${D}${sysconfdir}/login.defs
28}
29
30shadow_sysroot_sstate_postinst() {
31 if [ "${BB_CURRENTTASK}" = "populate_sysroot" -o "${BB_CURRENTTASK}" = "populate_sysroot_setscene" ]
32 then
33 # Staging does not copy ${sysconfdir} files into the
34 # target sysroot, so we need to do so manually. We
35 # put this file in the target sysroot so it can be
36 # used by recipes which use custom user/group
37 # permissions.
38 install -d -m 755 ${STAGING_DIR_TARGET}${sysconfdir}
39 install -p -m 644 ${D}${sysconfdir}/login.defs ${STAGING_DIR_TARGET}/${sysconfdir}/login.defs
40 fi
41}