authorJosé Bollo <jose.bollo@iot.bzh>2017-03-13 10:57:23 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-03-17 16:53:05 +0000
commit39858da23037b377604c2770c659505a12f90e30 (patch)
tree0ba7dc44bebb3705669fa7590bcbe893c929b753
parent36f3c889709c492c6a451cc0326e1f760903aa8c (diff)
downloadpoky-39858da23037b377604c2770c659505a12f90e30.tar.gz
shadow: 'useradd' copies root's extended attributes
The copy of extended attributes is interesting for Smack systems because it allows to set the security template of the user's home directories without modifying the tools (useradd here). But the version of useradd that copies the extended attributes doesn't copy the extended attributes of the root. This can make use of homes impossible! This patch corrects the issue by copying the extended attributes of the root directory: /home/user will get the extended attributes of /etc/skel. The patch is submitted upstream (see http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html) The existing patch specific to open-embedded is updated: 0001-useradd.c-create-parent-directories-when-necessary.patch Also, attr are activated for native tools. This is needed when users are created during image creation. (From OE-Core rev: eed66e85af5ca6bbdd80cc3d5cf8453e8d8880bc) Signed-off-by: José Bollo <jose.bollo@iot.bzh> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch47
-rw-r--r--meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch10
-rw-r--r--meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch8
-rw-r--r--meta/recipes-extended/shadow/shadow.inc3
4 files changed, 61 insertions, 7 deletions
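--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
@@ -0,0 +1,47 @@
+From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 7 Mar 2017 16:03:03 +0100
+Subject: [PATCH] useradd: copy extended attributes of home
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html]
+
+Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..8aefb9c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -52,6 +52,9 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#ifdef WITH_ATTR
++#include <attr/libattr.h>
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1915,6 +1918,9 @@ static void create_home (void)
+ chown (user_home, user_id, user_gid);
+ chmod (user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++ attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ home_added = true;
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+--
+2.9.3
+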
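Review bot: The result of `attr_copy_file (def_template, user_home, NULL, NULL);` in the create_home() hunk of src/useradd.c is discarded, so when the copy fails the home directory keeps whatever attributes it was created with while the `home_added = true` and audit record that follow still report success. On a Smack system, the case the commit message targets, that leaves a home without the label from the template, and nothing tells the administrator or the image build. I would check the return value and at least warn, e.g. `if (attr_copy_file (def_template, user_home, NULL, NULL) != 0) fprintf (stderr, _("%s: warning: failed to copy extended attributes to %s\n"), Prog, user_home);`; as far as I recall, passing NULL as the error context also keeps libattr from printing its own diagnostics. The same call is carried unchanged into the refreshed 0001-useradd.c-create-parent-directories-when-necessary.patch, and create_home() starts and ends outside the hunk.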
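--- a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
+++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
@@ -11,7 +11,7 @@ diff --git a/src/useradd.c b/src/useradd.c
 index 4bd969d..cb5dd6c 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -1893,6 +1893,35 @@ static void usr_update (void)
+@@ -1896,6 +1896,35 @@ static void usr_update (void)
  }
 
  /*
@@ -47,7 +47,7 @@ index 4bd969d..cb5dd6c 100644
  * create_home - create the user's home directory
  *
  * create_home() creates the user's home directory if it does not
-@@ -1907,36 +1936,33 @@ static void create_home (void)
+@@ -1910,39 +1939,36 @@ static void create_home (void)
  fail_exit (E_HOMEDIR);
  }
  #endif
@@ -67,6 +67,9 @@ index 4bd969d..cb5dd6c 100644
 - chown (user_home, user_id, user_gid);
 - chmod (user_home,
 - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+-#ifdef WITH_ATTR
+- attr_copy_file (def_template, user_home, NULL, NULL);
+-#endif
 - home_added = true;
 + mkdir_p(user_home);
 + }
@@ -88,6 +91,9 @@ index 4bd969d..cb5dd6c 100644
 + chown (user_home, user_id, user_gid);
 + chmod (user_home,
 + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++ attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
 + home_added = true;
 +#ifdef WITH_AUDIT
 + audit_logger (AUDIT_ADD_USER, Prog,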
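--- a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
@@ -118,7 +118,7 @@ diff --git a/src/useradd.c b/src/useradd.c
 index b3bd451..4416f90 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -773,6 +773,7 @@ static void usage (int status)
+@@ -776,6 +776,7 @@ static void usage (int status)
  (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
  " (non-unique) UID\n"), usageout);
  (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
@@ -126,7 +126,7 @@ index b3bd451..4416f90 100644
  (void) fputs (_(" -r, --system create a system account\n"), usageout);
  (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
  (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout);
-@@ -1047,6 +1048,7 @@ static void process_flags (int argc, char **argv)
+@@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv)
  {"no-user-group", no_argument, NULL, 'N'},
  {"non-unique", no_argument, NULL, 'o'},
  {"password", required_argument, NULL, 'p'},
@@ -134,7 +134,7 @@ index b3bd451..4416f90 100644
  {"system", no_argument, NULL, 'r'},
  {"root", required_argument, NULL, 'R'},
  {"shell", required_argument, NULL, 's'},
-@@ -1059,9 +1061,9 @@ static void process_flags (int argc, char **argv)
+@@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv)
  };
  while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -146,7 +146,7 @@ index b3bd451..4416f90 100644
  #endif /* !WITH_SELINUX */
  long_options, NULL)) != -1) {
  switch (c) {
-@@ -1227,6 +1229,9 @@ static void process_flags (int argc, char **argv)
+@@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv)
  }
  user_pass = optarg;
  break;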
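--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -15,6 +15,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
  file://fix-installation-failure-with-subids-disabled.patch \
  file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
  file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
+ file://0001-useradd-copy-extended-attributes-of-home.patch \
  ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
  "
 
@@ -76,7 +77,7 @@ PAM_PLUGINS = "libpam-runtime \
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
  ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}"
-PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}"
 PACKAGECONFIG_class-nativesdk = ""
 PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"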
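Review bot: The `PACKAGECONFIG_class-native` line changes from `= ""` to a `??=` default without a comment saying why the native build now needs libattr; the reason is only in the commit message. A line above it such as `# useradd-native creates users at image build time and must copy the xattrs (e.g. Smack labels) of the home template` would keep someone from resetting it to empty later. Because the copy sits under `#ifdef WITH_ATTR`, a native build without the `attr` option would presumably create homes without the template's attributes and give no diagnostic, so the dependency on `xattr` being in DISTRO_FEATURES is worth stating there too.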