Patchwork [V3,3/3] bash: add pkg_postrm to remove the entry in /etc/shells

login
register
mail settings
Submitter Ming Liu
Date Oct. 18, 2013, 11:11 a.m.
Message ID <1382094700-17805-3-git-send-email-ming.liu@windriver.com>
Download mbox | patch
Permalink /patch/60235/
State New
Headers show

Comments

Ming Liu - Oct. 18, 2013, 11:11 a.m.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
---
 meta/recipes-extended/bash/bash.inc |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)
Phil Blundell - Oct. 18, 2013, 2:59 p.m.
On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>  pkg_postinst_${PN} () {
> -	touch $D${sysconfdir}/shells
> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
> +	if [ ! -f $D${sysconfdir}/shells ]; then
> +		touch $D${sysconfdir}/shells
> +	fi
> +
> +	grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo ${base_bindir}/bash >> $D${sysconfdir}/shells
> +}

This patch contains significant changes to the postinst script which
aren't described in the commit message.

p.

> +
> +pkg_postrm_${PN} () {
> +	if [ -f $D${sysconfdir}/shells ]; then
> +		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
> +
> +		if [ ! -s $D${sysconfdir}/shells ]; then
> +			rm $D${sysconfdir}/shells
> +		fi
> +	fi
>  }
Mark Hatle - Oct. 18, 2013, 3:12 p.m.
On 10/18/13 9:59 AM, Phil Blundell wrote:
> On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>>   pkg_postinst_${PN} () {
>> -	touch $D${sysconfdir}/shells
>> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
>> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
>> +	if [ ! -f $D${sysconfdir}/shells ]; then

One note with the above check.  Whichever package is responsible for providing 
the 'shells' file needs to be installed -first-.  So anything that manipulates 
the 'shells' file will need an RDEPENDS on that package.

--Mark

>> +		touch $D${sysconfdir}/shells
>> +	fi
>> +
>> +	grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo ${base_bindir}/bash >> $D${sysconfdir}/shells
>> +}
>
> This patch contains significant changes to the postinst script which
> aren't described in the commit message.
>
> p.
>
>> +
>> +pkg_postrm_${PN} () {
>> +	if [ -f $D${sysconfdir}/shells ]; then
>> +		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
>> +
>> +		if [ ! -s $D${sysconfdir}/shells ]; then
>> +			rm $D${sysconfdir}/shells
>> +		fi
>> +	fi
>>   }
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
Phil Blundell - Oct. 18, 2013, 3:18 p.m.
On Fri, 2013-10-18 at 10:12 -0500, Mark Hatle wrote:
> On 10/18/13 9:59 AM, Phil Blundell wrote:
> > On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
> >>   pkg_postinst_${PN} () {
> >> -	touch $D${sysconfdir}/shells
> >> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
> >> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
> >> +	if [ ! -f $D${sysconfdir}/shells ]; then
> 
> One note with the above check.  Whichever package is responsible for providing 
> the 'shells' file needs to be installed -first-.  So anything that manipulates 
> the 'shells' file will need an RDEPENDS on that package.

Isn't the whole point of the check above that it now creates /etc/shells
if it didn't exist already?

That said, though, I'm still not entirely convinced that having
semi-random packages create a file that isn't mentioned in either FILES
or CONFFILES is a very good thing.  I'm also not totally clear on what
exactly the problem is that this set of patches is trying to solve: the
original commit message says that having nonexistent files named
in /etc/shells is "unreasonable" but doesn't provide any supporting
evidence for that assertion.

p.
Mark Hatle - Oct. 18, 2013, 5 p.m.
On 10/18/13 10:18 AM, Phil Blundell wrote:
> On Fri, 2013-10-18 at 10:12 -0500, Mark Hatle wrote:
>> On 10/18/13 9:59 AM, Phil Blundell wrote:
>>> On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>>>>    pkg_postinst_${PN} () {
>>>> -	touch $D${sysconfdir}/shells
>>>> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
>>>> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
>>>> +	if [ ! -f $D${sysconfdir}/shells ]; then
>>
>> One note with the above check.  Whichever package is responsible for providing
>> the 'shells' file needs to be installed -first-.  So anything that manipulates
>> the 'shells' file will need an RDEPENDS on that package.
>
> Isn't the whole point of the check above that it now creates /etc/shells
> if it didn't exist already?

Situation  bash has dep on base-files:

base-files package gets install (creates basic /etc/shells)
bash gets installed (checks for /etc/shells, adds /bin/bash)

Alternative situation:

bash has no dep on base-files:

bash gets installed (checks for /etc/shells, doesn't exist)
base-files gets installed (creates basic /etc/shells)

> That said, though, I'm still not entirely convinced that having
> semi-random packages create a file that isn't mentioned in either FILES

I don't want it to create the file, that is the wrong behavior.  The -package- 
needs to depend on the package that provides the base configuration for the 
system.  -something- has to create the file, or be installed first.

> or CONFFILES is a very good thing.  I'm also not totally clear on what
> exactly the problem is that this set of patches is trying to solve: the
> original commit message says that having nonexistent files named
> in /etc/shells is "unreasonable" but doesn't provide any supporting
> evidence for that assertion.

The original problem is that /etc/shells contains too much "crap", and we've got 
customers saying "hey you are opening up potential security holes by having 
things in there that are not valid."  (Beyond the file being sloppy)

So we would prefer that a minimal file exist, and then entries for valid shells 
be added dynamically to the system, only if the packages that provide them are 
supported.

--Mark

> p.
>
>
Ming Liu - Oct. 20, 2013, 5:50 a.m.
On 10/18/2013 11:12 PM, Mark Hatle wrote:
> On 10/18/13 9:59 AM, Phil Blundell wrote:
>> On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>>>   pkg_postinst_${PN} () {
>>> -    touch $D${sysconfdir}/shells
>>> -    grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> 
>>> $D${sysconfdir}/shells
>>> -    grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> 
>>> $D${sysconfdir}/shells
>>> +    if [ ! -f $D${sysconfdir}/shells ]; then
>
> One note with the above check.  Whichever package is responsible for 
> providing the 'shells' file needs to be installed -first-.  So 
> anything that manipulates the 'shells' file will need an RDEPENDS on 
> that package.
Yes, that is a good idea, I will change it as you suggest.

the best,
thank you

>
> --Mark
>
>>> +        touch $D${sysconfdir}/shells
>>> +    fi
>>> +
>>> +    grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo 
>>> ${base_bindir}/bash >> $D${sysconfdir}/shells
>>> +}
>>
>> This patch contains significant changes to the postinst script which
>> aren't described in the commit message.
>>
>> p.
>>
>>> +
>>> +pkg_postrm_${PN} () {
>>> +    if [ -f $D${sysconfdir}/shells ]; then
>>> +        printf "$(grep -v "^${base_bindir}/bash$" 
>>> $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
>>> +
>>> +        if [ ! -s $D${sysconfdir}/shells ]; then
>>> +            rm $D${sysconfdir}/shells
>>> +        fi
>>> +    fi
>>>   }
>>
>>
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>

Patch

diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc
index 64b476f..7c18f37 100644
--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -44,7 +44,19 @@  do_install_ptest () {
 }
 
 pkg_postinst_${PN} () {
-	touch $D${sysconfdir}/shells
-	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
-	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
+	if [ ! -f $D${sysconfdir}/shells ]; then
+		touch $D${sysconfdir}/shells
+	fi
+
+	grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo ${base_bindir}/bash >> $D${sysconfdir}/shells
+}
+
+pkg_postrm_${PN} () {
+	if [ -f $D${sysconfdir}/shells ]; then
+		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
+
+		if [ ! -s $D${sysconfdir}/shells ]; then
+			rm $D${sysconfdir}/shells
+		fi
+	fi
 }