Patchwork [1/4] sysvinit: allow users in shutdown group to perform halt/reboot

login
register
mail settings
Submitter Laurentiu Palcu
Date July 3, 2013, 2:34 p.m.
Message ID <9b803f18c25bc5b0bcab26f6bea6caacb6784d47.1372861799.git.laurentiu.palcu@intel.com>
Download mbox | patch
Permalink /patch/52903/
State Accepted
Commit f638364eff3b7a2de7953d154fb2451c51729911
Headers show

Comments

Laurentiu Palcu - July 3, 2013, 2:34 p.m.
For this to happen:
 * 'shutdown' group has been created;
 * changed ownership group for /sbin/halt and /sbin/shutdown to 'shutdown';
 * deny execution rights to other users except 'root' and those belonging
   to 'shutdown' group;
 * set setuid bit to both apps;

So, basically, in order for a normal user to be able to shutdown/reboot
the machine, it must be a member of 'shutdown' group.

Other changes:
 * fixed identetion for 2 lines that used spaces instead of tabs;

[YOCTO #4345]

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Patch

diff --git a/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb b/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
index e64b67a..784d538 100644
--- a/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
+++ b/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
@@ -25,7 +25,7 @@  SRC_URI[sha256sum] = "60bbc8c1e1792056e23761d22960b30bb13eccc2cabff8c7310a01f4d5
 S = "${WORKDIR}/sysvinit-${PV}"
 B = "${S}/src"
 
-inherit update-alternatives
+inherit update-alternatives useradd
 DEPENDS_append = " update-rc.d-native"
 
 ALTERNATIVE_${PN} = "init mountpoint halt reboot runlevel shutdown poweroff last mesg utmpdump wall"
@@ -54,6 +54,9 @@  ALTERNATIVE_LINK_NAME[sulogin.8] = "${mandir}/man8/sulogin.8"
 ALTERNATIVE_LINK_NAME[utmpdump.1] = "${mandir}/man1/utmpdump.1"
 ALTERNATIVE_LINK_NAME[wall.1] = "${mandir}/man1/wall.1"
 
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system shutdown"
+
 PACKAGES =+ "sysvinit-pidof sysvinit-sulogin"
 FILES_${PN} += "${base_sbindir}/* ${base_bindir}/*"
 FILES_sysvinit-pidof = "${base_bindir}/pidof.sysvinit ${base_sbindir}/killall5"
@@ -87,6 +90,9 @@  do_install () {
 	install -m 0755    ${WORKDIR}/bootlogd.init     ${D}${sysconfdir}/init.d/bootlogd
 	ln -sf bootlogd ${D}${sysconfdir}/init.d/stop-bootlogd
 
-        update-rc.d -r ${D} bootlogd start 07 S .
-        update-rc.d -r ${D} stop-bootlogd start 99 2 3 4 5 .
+	update-rc.d -r ${D} bootlogd start 07 S .
+	update-rc.d -r ${D} stop-bootlogd start 99 2 3 4 5 .
+
+	chown root.shutdown ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
+	chmod o-x,u+s ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
 }