diff options
author | José Bollo <jose.bollo@iot.bzh> | 2017-03-13 10:57:23 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-03-17 16:53:05 +0000 |
commit | 39858da23037b377604c2770c659505a12f90e30 (patch) | |
tree | 0ba7dc44bebb3705669fa7590bcbe893c929b753 | |
parent | 36f3c889709c492c6a451cc0326e1f760903aa8c (diff) | |
download | poky-39858da23037b377604c2770c659505a12f90e30.tar.gz |
shadow: 'useradd' copies root's extended attributes
The copy of extended attributes is interesting for
Smack systems because it allows to set the security
template of the user's home directories without
modifying the tools (useradd here). But the version
of useradd that copies the extended attributes doesn't
copy the extended attributes of the root. This can make
use of homes impossible! This patch corrects the issue
by copying the extended attributes of the root directory:
/home/user will get the extended attributes of /etc/skel.
The patch is submitted upstream (see
http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html)
The existing patch specific to open-embedded is updated:
0001-useradd.c-create-parent-directories-when-necessary.patch
Also, attr are activated for native tools.
This is needed when users are created during image creation.
(From OE-Core rev: eed66e85af5ca6bbdd80cc3d5cf8453e8d8880bc)
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 61 insertions, 7 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch new file mode 100644 index 0000000000..60a46e1257 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> | ||
3 | Date: Tue, 7 Mar 2017 16:03:03 +0100 | ||
4 | Subject: [PATCH] useradd: copy extended attributes of home | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | The Home directory wasn't getting the extended attributes | ||
10 | of /etc/skel. This patch fixes that issue and adds the copy | ||
11 | of the extended attributes of the root of the home directory. | ||
12 | |||
13 | Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html] | ||
14 | |||
15 | Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b | ||
16 | Signed-off-by: José Bollo <jose.bollo@iot.bzh> | ||
17 | --- | ||
18 | src/useradd.c | 6 ++++++ | ||
19 | 1 file changed, 6 insertions(+) | ||
20 | |||
21 | diff --git a/src/useradd.c b/src/useradd.c | ||
22 | index a8a1f76..8aefb9c 100644 | ||
23 | --- a/src/useradd.c | ||
24 | +++ b/src/useradd.c | ||
25 | @@ -52,6 +52,9 @@ | ||
26 | #include <sys/stat.h> | ||
27 | #include <sys/types.h> | ||
28 | #include <time.h> | ||
29 | +#ifdef WITH_ATTR | ||
30 | +#include <attr/libattr.h> | ||
31 | +#endif | ||
32 | #include "chkname.h" | ||
33 | #include "defines.h" | ||
34 | #include "faillog.h" | ||
35 | @@ -1915,6 +1918,9 @@ static void create_home (void) | ||
36 | chown (user_home, user_id, user_gid); | ||
37 | chmod (user_home, | ||
38 | 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | ||
39 | +#ifdef WITH_ATTR | ||
40 | + attr_copy_file (def_template, user_home, NULL, NULL); | ||
41 | +#endif | ||
42 | home_added = true; | ||
43 | #ifdef WITH_AUDIT | ||
44 | audit_logger (AUDIT_ADD_USER, Prog, | ||
45 | -- | ||
46 | 2.9.3 | ||
47 | |||
diff --git a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch index 85dde8e1bb..2f084b4e9b 100644 --- a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch +++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch | |||
@@ -11,7 +11,7 @@ diff --git a/src/useradd.c b/src/useradd.c | |||
11 | index 4bd969d..cb5dd6c 100644 | 11 | index 4bd969d..cb5dd6c 100644 |
12 | --- a/src/useradd.c | 12 | --- a/src/useradd.c |
13 | +++ b/src/useradd.c | 13 | +++ b/src/useradd.c |
14 | @@ -1893,6 +1893,35 @@ static void usr_update (void) | 14 | @@ -1896,6 +1896,35 @@ static void usr_update (void) |
15 | } | 15 | } |
16 | 16 | ||
17 | /* | 17 | /* |
@@ -47,7 +47,7 @@ index 4bd969d..cb5dd6c 100644 | |||
47 | * create_home - create the user's home directory | 47 | * create_home - create the user's home directory |
48 | * | 48 | * |
49 | * create_home() creates the user's home directory if it does not | 49 | * create_home() creates the user's home directory if it does not |
50 | @@ -1907,36 +1936,33 @@ static void create_home (void) | 50 | @@ -1910,39 +1939,36 @@ static void create_home (void) |
51 | fail_exit (E_HOMEDIR); | 51 | fail_exit (E_HOMEDIR); |
52 | } | 52 | } |
53 | #endif | 53 | #endif |
@@ -67,6 +67,9 @@ index 4bd969d..cb5dd6c 100644 | |||
67 | - chown (user_home, user_id, user_gid); | 67 | - chown (user_home, user_id, user_gid); |
68 | - chmod (user_home, | 68 | - chmod (user_home, |
69 | - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | 69 | - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); |
70 | -#ifdef WITH_ATTR | ||
71 | - attr_copy_file (def_template, user_home, NULL, NULL); | ||
72 | -#endif | ||
70 | - home_added = true; | 73 | - home_added = true; |
71 | + mkdir_p(user_home); | 74 | + mkdir_p(user_home); |
72 | + } | 75 | + } |
@@ -88,6 +91,9 @@ index 4bd969d..cb5dd6c 100644 | |||
88 | + chown (user_home, user_id, user_gid); | 91 | + chown (user_home, user_id, user_gid); |
89 | + chmod (user_home, | 92 | + chmod (user_home, |
90 | + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); | 93 | + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); |
94 | +#ifdef WITH_ATTR | ||
95 | + attr_copy_file (def_template, user_home, NULL, NULL); | ||
96 | +#endif | ||
91 | + home_added = true; | 97 | + home_added = true; |
92 | +#ifdef WITH_AUDIT | 98 | +#ifdef WITH_AUDIT |
93 | + audit_logger (AUDIT_ADD_USER, Prog, | 99 | + audit_logger (AUDIT_ADD_USER, Prog, |
diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch index 68da25f406..615c6e002d 100644 --- a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch +++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch | |||
@@ -118,7 +118,7 @@ diff --git a/src/useradd.c b/src/useradd.c | |||
118 | index b3bd451..4416f90 100644 | 118 | index b3bd451..4416f90 100644 |
119 | --- a/src/useradd.c | 119 | --- a/src/useradd.c |
120 | +++ b/src/useradd.c | 120 | +++ b/src/useradd.c |
121 | @@ -773,6 +773,7 @@ static void usage (int status) | 121 | @@ -776,6 +776,7 @@ static void usage (int status) |
122 | (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" | 122 | (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" |
123 | " (non-unique) UID\n"), usageout); | 123 | " (non-unique) UID\n"), usageout); |
124 | (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); | 124 | (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); |
@@ -126,7 +126,7 @@ index b3bd451..4416f90 100644 | |||
126 | (void) fputs (_(" -r, --system create a system account\n"), usageout); | 126 | (void) fputs (_(" -r, --system create a system account\n"), usageout); |
127 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); | 127 | (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); |
128 | (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); | 128 | (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); |
129 | @@ -1047,6 +1048,7 @@ static void process_flags (int argc, char **argv) | 129 | @@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv) |
130 | {"no-user-group", no_argument, NULL, 'N'}, | 130 | {"no-user-group", no_argument, NULL, 'N'}, |
131 | {"non-unique", no_argument, NULL, 'o'}, | 131 | {"non-unique", no_argument, NULL, 'o'}, |
132 | {"password", required_argument, NULL, 'p'}, | 132 | {"password", required_argument, NULL, 'p'}, |
@@ -134,7 +134,7 @@ index b3bd451..4416f90 100644 | |||
134 | {"system", no_argument, NULL, 'r'}, | 134 | {"system", no_argument, NULL, 'r'}, |
135 | {"root", required_argument, NULL, 'R'}, | 135 | {"root", required_argument, NULL, 'R'}, |
136 | {"shell", required_argument, NULL, 's'}, | 136 | {"shell", required_argument, NULL, 's'}, |
137 | @@ -1059,9 +1061,9 @@ static void process_flags (int argc, char **argv) | 137 | @@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv) |
138 | }; | 138 | }; |
139 | while ((c = getopt_long (argc, argv, | 139 | while ((c = getopt_long (argc, argv, |
140 | #ifdef WITH_SELINUX | 140 | #ifdef WITH_SELINUX |
@@ -146,7 +146,7 @@ index b3bd451..4416f90 100644 | |||
146 | #endif /* !WITH_SELINUX */ | 146 | #endif /* !WITH_SELINUX */ |
147 | long_options, NULL)) != -1) { | 147 | long_options, NULL)) != -1) { |
148 | switch (c) { | 148 | switch (c) { |
149 | @@ -1227,6 +1229,9 @@ static void process_flags (int argc, char **argv) | 149 | @@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv) |
150 | } | 150 | } |
151 | user_pass = optarg; | 151 | user_pass = optarg; |
152 | break; | 152 | break; |
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index e59ff640e3..25283a9741 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc | |||
@@ -15,6 +15,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ | |||
15 | file://fix-installation-failure-with-subids-disabled.patch \ | 15 | file://fix-installation-failure-with-subids-disabled.patch \ |
16 | file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ | 16 | file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ |
17 | file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ | 17 | file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ |
18 | file://0001-useradd-copy-extended-attributes-of-home.patch \ | ||
18 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ | 19 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ |
19 | " | 20 | " |
20 | 21 | ||
@@ -76,7 +77,7 @@ PAM_PLUGINS = "libpam-runtime \ | |||
76 | 77 | ||
77 | PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ | 78 | PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ |
78 | ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" | 79 | ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" |
79 | PACKAGECONFIG_class-native = "" | 80 | PACKAGECONFIG_class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" |
80 | PACKAGECONFIG_class-nativesdk = "" | 81 | PACKAGECONFIG_class-nativesdk = "" |
81 | PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}" | 82 | PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}" |
82 | PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" | 83 | PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" |