[v2] base-passwd: Disable shell for default users

Message ID 20220428094932.1411461-1-jiaqing.zhao@linux.intel.com
State Accepted, archived
Commit ba3bc4d7a0a39a96f6e8d340e1b2654d47475f07

Commit Message

Jiaqing Zhao April 28, 2022, 9:49 a.m. UTC
Change the shell of all global static users other than root (which
retains /bin/sh) and sync (as /bin/sync is rather harmless) to
/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)

Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
---
v2:
Fix indentation in bbfile.
---
 .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
 .../base-passwd/base-passwd_3.5.29.bb         |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch

Comments

Peter Kjellerstedt April 28, 2022, 1:34 p.m. UTC | #1
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Jiaqing Zhao
> Sent: den 28 april 2022 11:50
> To: openembedded-core@lists.openembedded.org
> Cc: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> Subject: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
> 
> Change the shell of all global static users other than root (which
> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
> 
> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]

Since Kirkstone is out the door, is there any reason to not update 
the version of base-passwd instead?

//Peter

> Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> ---
> v2:
> Fix indentation in bbfile.
> ---
>  .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
>  .../base-passwd/base-passwd_3.5.29.bb         |  1 +
>  2 files changed, 58 insertions(+)
>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-
> shell.patch
> 
> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> new file mode 100644
> index 0000000000..dddc93ca35
> --- /dev/null
> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> @@ -0,0 +1,57 @@
> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
> +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> +Date: Mon, 18 Apr 2022 11:22:43 +0800
> +Subject: [PATCH] Disable shell for default users
> +
> +Change the shell of all global static users other than root (which
> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
> +
> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-
> passwd/3.5.30]
> +Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> +---
> + passwd.master | 32 ++++++++++++++++----------------
> + 1 file changed, 16 insertions(+), 16 deletions(-)
> +
> +diff --git a/passwd.master b/passwd.master
> +index e1c32ff..0cd5ffd 100644
> +--- a/passwd.master
> ++++ b/passwd.master
> +@@ -1,18 +1,18 @@
> + root::0:0:root:/root:/bin/sh
> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
> +-bin:*:2:2:bin:/bin:/bin/sh
> +-sys:*:3:3:sys:/dev:/bin/sh
> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
> ++bin:*:2:2:bin:/bin:/sbin/nologin
> ++sys:*:3:3:sys:/dev:/sbin/nologin
> + sync:*:4:65534:sync:/bin:/bin/sync
> +-games:*:5:60:games:/usr/games:/bin/sh
> +-man:*:6:12:man:/var/cache/man:/bin/sh
> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
> +-mail:*:8:8:mail:/var/mail:/bin/sh
> +-news:*:9:9:news:/var/spool/news:/bin/sh
> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
> +-proxy:*:13:13:proxy:/bin:/bin/sh
> +-www-data:*:33:33:www-data:/var/www:/bin/sh
> +-backup:*:34:34:backup:/var/backups:/bin/sh
> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
> ++games:*:5:60:games:/usr/games:/sbin/nologin
> ++man:*:6:12:man:/var/cache/man:/sbin/nologin
> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
> ++mail:*:8:8:mail:/var/mail:/sbin/nologin
> ++news:*:9:9:news:/var/spool/news:/sbin/nologin
> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
> ++proxy:*:13:13:proxy:/bin:/sbin/nologin
> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
> ++backup:*:34:34:backup:/var/backups:/sbin/nologin
> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
> ++gnats:*:41:41:Gnats Bug-Reporting System
> (admin):/var/lib/gnats:/sbin/nologin
> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
> +--
> +2.32.0
> +
> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> index 9a27ad3ab5..ef7792ae49 100644
> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> @@ -14,6 +14,7 @@ SRC_URI =
> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>             file://input.patch \
>             file://disable-docs.patch \
>             file://kvm.patch \
> +           file://disable-shell.patch \
>             "
> 
>  SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
> --
> 2.34.1
Jiaqing Zhao April 29, 2022, 4:37 a.m. UTC | #2
On 2022-04-28 21:34, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Jiaqing Zhao
>> Sent: den 28 april 2022 11:50
>> To: openembedded-core@lists.openembedded.org
>> Cc: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> Subject: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
>>
>> Change the shell of all global static users other than root (which
>> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>>
>> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
> 
> Since Kirkstone is out the door, is there any reason to not update 
> the version of base-passwd instead?
> 
> //Peter

The reason is that since base-passwd 3.5.30, it switches to dh-autoreconf instead of autoconf to configure.

Changelog: https://launchpad.net/ubuntu/+source/base-passwd/3.5.30
>  [ Colin Watson ]
>  * Remove config.h.in and configure, now autogenerated by dh-autoreconf.

Since openembedded does not have the Debian toolchain, this recipe is marked NO UPDATE with reason "Version 3.5.38 requires cdebconf for update-passwd utility". 
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb#L8

Jiaqing

> 
>> Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> ---
>> v2:
>> Fix indentation in bbfile.
>> ---
>>  .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
>>  .../base-passwd/base-passwd_3.5.29.bb         |  1 +
>>  2 files changed, 58 insertions(+)
>>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-
>> shell.patch
>>
>> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> new file mode 100644
>> index 0000000000..dddc93ca35
>> --- /dev/null
>> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> @@ -0,0 +1,57 @@
>> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
>> +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +Date: Mon, 18 Apr 2022 11:22:43 +0800
>> +Subject: [PATCH] Disable shell for default users
>> +
>> +Change the shell of all global static users other than root (which
>> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>> +
>> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-
>> passwd/3.5.30]
>> +Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +---
>> + passwd.master | 32 ++++++++++++++++----------------
>> + 1 file changed, 16 insertions(+), 16 deletions(-)
>> +
>> +diff --git a/passwd.master b/passwd.master
>> +index e1c32ff..0cd5ffd 100644
>> +--- a/passwd.master
>> ++++ b/passwd.master
>> +@@ -1,18 +1,18 @@
>> + root::0:0:root:/root:/bin/sh
>> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
>> +-bin:*:2:2:bin:/bin:/bin/sh
>> +-sys:*:3:3:sys:/dev:/bin/sh
>> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
>> ++bin:*:2:2:bin:/bin:/sbin/nologin
>> ++sys:*:3:3:sys:/dev:/sbin/nologin
>> + sync:*:4:65534:sync:/bin:/bin/sync
>> +-games:*:5:60:games:/usr/games:/bin/sh
>> +-man:*:6:12:man:/var/cache/man:/bin/sh
>> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
>> +-mail:*:8:8:mail:/var/mail:/bin/sh
>> +-news:*:9:9:news:/var/spool/news:/bin/sh
>> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
>> +-proxy:*:13:13:proxy:/bin:/bin/sh
>> +-www-data:*:33:33:www-data:/var/www:/bin/sh
>> +-backup:*:34:34:backup:/var/backups:/bin/sh
>> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
>> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
>> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
>> ++games:*:5:60:games:/usr/games:/sbin/nologin
>> ++man:*:6:12:man:/var/cache/man:/sbin/nologin
>> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
>> ++mail:*:8:8:mail:/var/mail:/sbin/nologin
>> ++news:*:9:9:news:/var/spool/news:/sbin/nologin
>> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
>> ++proxy:*:13:13:proxy:/bin:/sbin/nologin
>> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
>> ++backup:*:34:34:backup:/var/backups:/sbin/nologin
>> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
>> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
>> ++gnats:*:41:41:Gnats Bug-Reporting System
>> (admin):/var/lib/gnats:/sbin/nologin
>> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
>> +--
>> +2.32.0
>> +
>> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> index 9a27ad3ab5..ef7792ae49 100644
>> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> @@ -14,6 +14,7 @@ SRC_URI =
>> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>>             file://input.patch \
>>             file://disable-docs.patch \
>>             file://kvm.patch \
>> +           file://disable-shell.patch \
>>             "
>>
>>  SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
>> --
>> 2.34.1
Richard Purdie April 29, 2022, 12:22 p.m. UTC | #3
On Thu, 2022-04-28 at 17:49 +0800, Jiaqing Zhao wrote:
> Change the shell of all global static users other than root (which
> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
> 
> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
> Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> ---
> v2:
> Fix indentation in bbfile.
> ---
>  .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
>  .../base-passwd/base-passwd_3.5.29.bb         |  1 +
>  2 files changed, 58 insertions(+)
>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> 
> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> new file mode 100644
> index 0000000000..dddc93ca35
> --- /dev/null
> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> @@ -0,0 +1,57 @@
> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
> +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> +Date: Mon, 18 Apr 2022 11:22:43 +0800
> +Subject: [PATCH] Disable shell for default users
> +
> +Change the shell of all global static users other than root (which
> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
> +
> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
> +Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> +---
> + passwd.master | 32 ++++++++++++++++----------------
> + 1 file changed, 16 insertions(+), 16 deletions(-)
> +
> +diff --git a/passwd.master b/passwd.master
> +index e1c32ff..0cd5ffd 100644
> +--- a/passwd.master
> ++++ b/passwd.master
> +@@ -1,18 +1,18 @@
> + root::0:0:root:/root:/bin/sh
> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
> +-bin:*:2:2:bin:/bin:/bin/sh
> +-sys:*:3:3:sys:/dev:/bin/sh
> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
> ++bin:*:2:2:bin:/bin:/sbin/nologin
> ++sys:*:3:3:sys:/dev:/sbin/nologin
> + sync:*:4:65534:sync:/bin:/bin/sync
> +-games:*:5:60:games:/usr/games:/bin/sh
> +-man:*:6:12:man:/var/cache/man:/bin/sh
> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
> +-mail:*:8:8:mail:/var/mail:/bin/sh
> +-news:*:9:9:news:/var/spool/news:/bin/sh
> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
> +-proxy:*:13:13:proxy:/bin:/bin/sh
> +-www-data:*:33:33:www-data:/var/www:/bin/sh
> +-backup:*:34:34:backup:/var/backups:/bin/sh
> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
> ++games:*:5:60:games:/usr/games:/sbin/nologin
> ++man:*:6:12:man:/var/cache/man:/sbin/nologin
> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
> ++mail:*:8:8:mail:/var/mail:/sbin/nologin
> ++news:*:9:9:news:/var/spool/news:/sbin/nologin
> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
> ++proxy:*:13:13:proxy:/bin:/sbin/nologin
> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
> ++backup:*:34:34:backup:/var/backups:/sbin/nologin
> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
> ++gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/sbin/nologin
> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
> +-- 
> +2.32.0
> +
> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> index 9a27ad3ab5..ef7792ae49 100644
> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> @@ -14,6 +14,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>             file://input.patch \
>             file://disable-docs.patch \
>             file://kvm.patch \
> +           file://disable-shell.patch \
>             "
>  
>  SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"

This change causes a couple of ptest regressions in sed and strace:

https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/3185/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/3432/steps/13/logs/stdio

Cheers,

Richard
Jiaqing Zhao April 30, 2022, 2:55 a.m. UTC | #4
On 2022-04-29 20:22, Richard Purdie wrote:
> On Thu, 2022-04-28 at 17:49 +0800, Jiaqing Zhao wrote:
>> Change the shell of all global static users other than root (which
>> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>>
>> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
>> Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> ---
>> v2:
>> Fix indentation in bbfile.
>> ---
>>  .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
>>  .../base-passwd/base-passwd_3.5.29.bb         |  1 +
>>  2 files changed, 58 insertions(+)
>>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>>
>> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> new file mode 100644
>> index 0000000000..dddc93ca35
>> --- /dev/null
>> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> @@ -0,0 +1,57 @@
>> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
>> +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +Date: Mon, 18 Apr 2022 11:22:43 +0800
>> +Subject: [PATCH] Disable shell for default users
>> +
>> +Change the shell of all global static users other than root (which
>> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>> +
>> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
>> +Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +---
>> + passwd.master | 32 ++++++++++++++++----------------
>> + 1 file changed, 16 insertions(+), 16 deletions(-)
>> +
>> +diff --git a/passwd.master b/passwd.master
>> +index e1c32ff..0cd5ffd 100644
>> +--- a/passwd.master
>> ++++ b/passwd.master
>> +@@ -1,18 +1,18 @@
>> + root::0:0:root:/root:/bin/sh
>> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
>> +-bin:*:2:2:bin:/bin:/bin/sh
>> +-sys:*:3:3:sys:/dev:/bin/sh
>> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
>> ++bin:*:2:2:bin:/bin:/sbin/nologin
>> ++sys:*:3:3:sys:/dev:/sbin/nologin
>> + sync:*:4:65534:sync:/bin:/bin/sync
>> +-games:*:5:60:games:/usr/games:/bin/sh
>> +-man:*:6:12:man:/var/cache/man:/bin/sh
>> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
>> +-mail:*:8:8:mail:/var/mail:/bin/sh
>> +-news:*:9:9:news:/var/spool/news:/bin/sh
>> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
>> +-proxy:*:13:13:proxy:/bin:/bin/sh
>> +-www-data:*:33:33:www-data:/var/www:/bin/sh
>> +-backup:*:34:34:backup:/var/backups:/bin/sh
>> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
>> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
>> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
>> ++games:*:5:60:games:/usr/games:/sbin/nologin
>> ++man:*:6:12:man:/var/cache/man:/sbin/nologin
>> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
>> ++mail:*:8:8:mail:/var/mail:/sbin/nologin
>> ++news:*:9:9:news:/var/spool/news:/sbin/nologin
>> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
>> ++proxy:*:13:13:proxy:/bin:/sbin/nologin
>> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
>> ++backup:*:34:34:backup:/var/backups:/sbin/nologin
>> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
>> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
>> ++gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/sbin/nologin
>> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
>> +-- 
>> +2.32.0
>> +
>> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> index 9a27ad3ab5..ef7792ae49 100644
>> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> @@ -14,6 +14,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>>             file://input.patch \
>>             file://disable-docs.patch \
>>             file://kvm.patch \
>> +           file://disable-shell.patch \
>>             "
>>  
>>  SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
> 
> This change causes a couple of ptest regressions in sed and strace:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/3185/steps/12/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/3432/steps/13/logs/stdio
> 
> Cheers,
> 
> Richard

The sed and strace ptests failed because the script switches to user `nobody` and runs the test; they cannot be performed after the shell is disabled by default for user `nobody`. The v3 patchset fixes that issue. I've verified that the sed and strace ptests pass in my local build. Please help run it on the Yocto autobuilder, as I don't have the permission.

Thanks,
Jiaqing
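
An added example (not part of the patch or the thread): a POSIX shell check that applies the policy from the commit message to a passwd(5)-format file and lists the accounts that can still obtain a shell. The sample lines are constructed from the passwd.master lines shown in the patch, `svc` is a hypothetical entry, and the list of no-login shells is an assumption.

```shell
#!/bin/sh
# Added example: audit a passwd(5)-format file against the policy this patch applies.

# Shells counted as "login disabled" (assumption; extend for your distro).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# Print "name shell" for each account that can still get a shell.
# Exempt, as in the commit message: root, and sync when its shell is /bin/sync.
# Reads the files given as arguments, or standard input when there are none.
login_capable_accounts() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) off[s[i]] = 1 }
        /^#/ || /^$/ { next }                       # comments and blank lines
        NF != 7 { print $1, "MALFORMED"; next }     # wrong field count
        { shell = ($7 == "") ? "/bin/sh" : $7 }     # empty shell field means /bin/sh
        $1 == "root" { next }
        $1 == "sync" && shell == "/bin/sync" { next }
        !(shell in off) { print $1, shell }
    ' "$@"
}

# Constructed sample: a few passwd.master lines as they were before the patch.
sample_before() {
    cat <<'EOF'
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
EOF
}

# Constructed sample: the same lines after the patch, plus one hypothetical
# entry ("svc") whose shell field is empty and therefore falls back to /bin/sh.
sample_after() {
    cat <<'EOF'
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
svc:*:900:900:hypothetical service::
EOF
}

echo "before the patch:"; sample_before | login_capable_accounts
echo "after the patch:";  sample_after  | login_capable_accounts
```
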

Patch

diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
new file mode 100644
index 0000000000..dddc93ca35
--- /dev/null
+++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
@@ -0,0 +1,57 @@ 
+From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
+From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Date: Mon, 18 Apr 2022 11:22:43 +0800
+Subject: [PATCH] Disable shell for default users
+
+Change the shell of all global static users other than root (which
+retains /bin/sh) and sync (as /bin/sync is rather harmless) to
+/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
+Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+---
+ passwd.master | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/passwd.master b/passwd.master
+index e1c32ff..0cd5ffd 100644
+--- a/passwd.master
++++ b/passwd.master
+@@ -1,18 +1,18 @@
+ root::0:0:root:/root:/bin/sh
+-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
+-bin:*:2:2:bin:/bin:/bin/sh
+-sys:*:3:3:sys:/dev:/bin/sh
++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
++bin:*:2:2:bin:/bin:/sbin/nologin
++sys:*:3:3:sys:/dev:/sbin/nologin
+ sync:*:4:65534:sync:/bin:/bin/sync
+-games:*:5:60:games:/usr/games:/bin/sh
+-man:*:6:12:man:/var/cache/man:/bin/sh
+-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
+-mail:*:8:8:mail:/var/mail:/bin/sh
+-news:*:9:9:news:/var/spool/news:/bin/sh
+-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
+-proxy:*:13:13:proxy:/bin:/bin/sh
+-www-data:*:33:33:www-data:/var/www:/bin/sh
+-backup:*:34:34:backup:/var/backups:/bin/sh
+-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
+-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
+-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
++games:*:5:60:games:/usr/games:/sbin/nologin
++man:*:6:12:man:/var/cache/man:/sbin/nologin
++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
++mail:*:8:8:mail:/var/mail:/sbin/nologin
++news:*:9:9:news:/var/spool/news:/sbin/nologin
++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
++proxy:*:13:13:proxy:/bin:/sbin/nologin
++www-data:*:33:33:www-data:/var/www:/sbin/nologin
++backup:*:34:34:backup:/var/backups:/sbin/nologin
++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
++gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/sbin/nologin
++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
+-- 
+2.32.0
+
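Review bot: The `nobody` line in the passwd.master hunk is the risky one: with /sbin/nologin as its shell, any script that runs `su nobody` and relies on the account's own shell stops working, which matches the sed and strace ptest regressions reported in this thread. Audit recipes and ptest runners for `su` to the sixteen changed accounts and fix the callers in the same series, for example by passing a shell explicitly. Also, Upstream-Status says Backport while the commit message states the path was changed to /sbin/nologin because /usr/sbin/nologin does not exist in openembedded; note that adaptation next to the tag so the difference from 3.5.30 is on record.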
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
index 9a27ad3ab5..ef7792ae49 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
@@ -14,6 +14,7 @@  SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
            file://input.patch \
            file://disable-docs.patch \
            file://kvm.patch \
+           file://disable-shell.patch \
            "
 
 SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
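Review bot: Missing check in the SRC_URI hunk: the added `file://disable-shell.patch` line points sixteen accounts at /sbin/nologin, but nothing visible in this recipe change ensures that binary is installed in images that ship base-passwd. Say in the commit message which package provides /sbin/nologin, or add the runtime dependency, so these accounts do not end up with a nonexistent shell.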