authorScott Garman <scott.a.garman@intel.com>2011-05-11 20:04:33 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2011-06-06 15:58:41 +0100
commit133691ce920e7ff39dbebe80227e58a7aac9e3d1 (patch)
tree07d078ae285e62c273eefe9ea110ce14973cb991
parent20ef3425b2788407ac53dff5403c6c10a58bab7f (diff)
downloadpoky-133691ce920e7ff39dbebe80227e58a7aac9e3d1.tar.gz
base-passwd: populate the target sysroot with passwd/group/login.defs
The passwd, group, and login.defs files in the target sysroot will be used when recipes create custom user and group permissions in their packages. (From OE-Core rev: 4450b73e57bcd73b8d09d8cd898a97bad04ae27b) Signed-off-by: Scott Garman <scott.a.garman@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs386
-rw-r--r--meta/recipes-core/base-passwd/base-passwd_3.5.22.bb27
2 files changed, 411 insertions, 2 deletions
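diff --git a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
new file mode 100644
index 0000000000..1d392acf2b
--- /dev/null
+++ b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
@@ -0,0 +1,386 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
+# pam_unix enforces a 2s delay)
+#
+FAIL_DELAY 3
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable logging and display of /var/log/lastlog login time info.
+#
+LASTLOG_ENAB yes
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+#MAIL_CHECK_ENAB yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+#
+QUOTAS_ENAB yes
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE /etc/motd
+#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login prompt.
+#
+#ISSUE_FILE /etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format.
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, name of file whose presence which will inhibit non-root
+# logins. The contents of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE /etc/nologin
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, #MAIL_DIR takes precedence.
+#
+#MAIL_DIR /var/spool/mail
+MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ TZ=CST6CDT
+#ENV_TZ /etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ HZ=100
+# For Linux/Alpha...
+#ENV_HZ HZ=1024
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+#ULIMIT 2097152
+
+# Default initial "umask" value for non-PAM enabled systems.
+# UMASK is also used by useradd and newusers to set the mode of new home
+# directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts. If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY no
+
+#
+# If compiled with cracklib support, where are the dictionaries
+#
+CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN 8
+
+#
+# Require password before chfn/chsh can make any changes.
+#
+CHFN_AUTH yes
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING "%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it. Every line should be in the form name=value.
+#
+ENVIRON_FILE /etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+CREATE_HOME yes
+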
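Review bot: `ENCRYPT_METHOD` is shipped commented out (new line 311), so by this file's own comments newly set passwords fall back to DES-based crypt with 8 significant characters, and `PASS_MIN_LEN 5` (new line 204) accepts very short ones. The recipe change on this page also copies this file to `${sysconfdir}/login.defs` from the package postinst, so these values become the target image's defaults and not just build-time sysroot settings. I would ship `ENCRYPT_METHOD SHA512` and a higher `PASS_MIN_LEN`. The first only takes effect when shadow is built with ENCRYPTMETHOD_SELECT, and it should agree with the PAM configuration wherever PAM is in use.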
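diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb
index 6f768ca972..3315c68196 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb
@@ -1,13 +1,14 @@
 SUMMARY = "Base system master password/group files."
 DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group). The update-passwd tool is also provided to keep the system databases synchronized with these master files."
 SECTION = "base"
-PR = "r1"
+PR = "r2"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
 
 SRC_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/base-passwd_${PV}.tar.gz \
  file://nobash.patch \
- file://root-home.patch"
+ file://root-home.patch \
+ file://login.defs"
 
 SRC_URI[md5sum] = "47f22ab6b572d0133409ff6ad1fab402"
 SRC_URI[sha256sum] = "d34acb35a9f9f221e7e4f642b9ef4b22083dd77bb2fc7216756f445316d842fc"
@@ -16,6 +17,8 @@ S = "${WORKDIR}/base-passwd"
 
 inherit autotools
 
+SSTATEPOSTINSTFUNCS += "base_passwd_sstate_postinst"
+
 do_install () {
  install -d -m 755 ${D}${sbindir}
  install -p -m 755 update-passwd ${D}${sbindir}/
@@ -27,6 +30,7 @@ do_install () {
  install -d -m 755 ${D}${datadir}/base-passwd
  install -p -m 644 passwd.master ${D}${datadir}/base-passwd/
  install -p -m 644 group.master ${D}${datadir}/base-passwd/
+ install -p -m 644 ${S}/../login.defs ${D}${datadir}/base-passwd/login.defs
 
  install -d -m 755 ${D}${docdir}/${PN}
  install -p -m 644 debian/changelog ${D}${docdir}/${PN}/
@@ -45,5 +49,24 @@ pkg_postinst_${PN} () {
  if [ ! -e $D${sysconfdir}/group ] ; then
  cp $D${datadir}/base-passwd/group.master $D${sysconfdir}/group
  fi
+
+ if [ ! -e $D{sysconfdir}/login.defs ] ; then
+ cp $D${datadir}/base-passwd/login.defs $D${sysconfdir}/login.defs
+ fi
  exit 0
 }
+
+base_passwd_sstate_postinst() {
+ if [ "${BB_CURRENTTASK}" = "populate_sysroot" -o "${BB_CURRENTTASK}" = "populate_sysroot_setscene" ]
+ then
+ # Staging does not copy ${sysconfdir} files into the
+ # target sysroot, so we need to do so manually. We
+ # put these files in the target sysroot so they can
+ # be used by recipes which use custom user/group
+ # permissions.
+ install -d -m 755 ${STAGING_DIR_TARGET}${sysconfdir}
+ install -p -m 644 ${STAGING_DIR_TARGET}${datadir}/base-passwd/passwd.master ${STAGING_DIR_TARGET}${sysconfdir}/passwd
+ install -p -m 644 ${STAGING_DIR_TARGET}${datadir}/base-passwd/group.master ${STAGING_DIR_TARGET}${sysconfdir}/group
+ install -p -m 644 ${STAGING_DIR_TARGET}${datadir}/base-passwd/login.defs ${STAGING_DIR_TARGET}/${sysconfdir}/login.defs
+ fi
+}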
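Review bot: The new guard in `pkg_postinst_${PN}` (new line 53) is written `$D{sysconfdir}/login.defs`, missing the `$` before `{sysconfdir}`, so the shell tests `$D` followed by the literal text `{sysconfdir}/login.defs`. That path will not exist, the test is always true, and the `cp` on the next line overwrites any `login.defs` already present on the target, including one with tightened password or login settings. It should read `if [ ! -e $D${sysconfdir}/login.defs ] ; then`, matching the passwd and group guards above it. The last `install` in `base_passwd_sstate_postinst` (new line 70) also uses `${STAGING_DIR_TARGET}/${sysconfdir}` where the two lines before it use no extra slash; this is harmless but worth making consistent. The body of `pkg_postinst_${PN}` starts outside the hunk.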