From patchwork Thu Jun 15 11:43:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Louis Rannou X-Patchwork-Id: 25674 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CF24AC0015E for ; Thu, 15 Jun 2023 11:44:20 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.web11.15965.1686829456977208882 for ; Thu, 15 Jun 2023 04:44:17 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@baylibre-com.20221208.gappssmtp.com header.s=20221208 header.b=dFThjLP8; spf=pass (domain: baylibre.com, ip: 209.85.128.47, mailfrom: lrannou@baylibre.com) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-3f8c65020dfso19129925e9.2 for ; Thu, 15 Jun 2023 04:44:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20221208.gappssmtp.com; s=20221208; t=1686829455; x=1689421455; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=RkyB1q3oemdoRhfPq33taB4GxAmDmAqUh+hV72+zXFs=; b=dFThjLP8hTCJeEWIlgAPmeGCYBfUjS+EjgM8t4U0ELfLamNGxBcDGr/yijx8fa2/2m 2uSlD45QLibOXpsVhh71F9U7wn505Vic3h6dhju6Bf3h8JNTdqJfxApeqLyJLn0y+Zt3 3ohsEy2ZY6jnN7lEc8hhDZ+dYC1aq90AZs5uG6b+dXT8VFHVSNwxkT6NLseoMK+2dS/h 8Bnp1rdtZILIu0BC1PPm4PMWqCeVPhG2rcHrIMlP36MUxYg874ocbfTCpt+6+34NJMof /cXZ/H8snP3aEp+LvAlCpttJfpOn17lDDnhocg8I75UFdB0d5nXfZ1Az1WTbAAek0MBN HLNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686829455; x=1689421455; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RkyB1q3oemdoRhfPq33taB4GxAmDmAqUh+hV72+zXFs=; b=YVOnnq2TaYA6PFnUzd1LETio3JV2FECTUaGtRLktDmxPsUoiYwdCsmKBRktb9jXLrv 0uHdtgLVwlJjD6s9BwsRQU4LWYGfFEOPUtxjdYAapU8S/bBC963/qOjvRbvJLOKaeUZt aQsY60SHIIejEhsVso0F+YJ9QGTZ4UaiG9lV1TCXg4OiD0eermUvBtKfbQV3fulqwNhO jlx9WGB3WAFeapI0AOcQX5mbPvaV6WThKEUPj25uGAbRBhpp5GjOstbKgBJ2RTXhd2oz Bx1UqwjouijM4JOLBU8t6ltEg8iGXrG5c/znp3F2HEHyiCmtrwdCNWNl53huXnpi7SKG aeaA== X-Gm-Message-State: AC+VfDyibsc5k/3pNMr6WOy7f6rs3yofQQVtMFqSXdpRK9Ls7zbUNmkS 1kgazDOiQ5Sgm2Osf0fo5DQvg3Ng8CxIBTntdHA= X-Google-Smtp-Source: ACHHUZ4JgTWPRKiPzKECIzL+pdrPFThE4KDtbzuuA9vJ4v0E/4E2pSAtGgkBUj61vb3lQaEi3M0oBA== X-Received: by 2002:a5d:4406:0:b0:30f:c21c:b9b5 with SMTP id z6-20020a5d4406000000b0030fc21cb9b5mr9032317wrq.50.1686829455053; Thu, 15 Jun 2023 04:44:15 -0700 (PDT) Received: from [172.30.105.10] (lmontsouris-658-1-109-35.w92-154.abo.wanadoo.fr. [92.154.6.35]) by smtp.gmail.com with ESMTPSA id i17-20020a5d6311000000b0030fae360f14sm15429154wru.68.2023.06.15.04.44.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Jun 2023 04:44:14 -0700 (PDT) From: Louis Rannou Date: Thu, 15 Jun 2023 13:43:53 +0200 Subject: [PATCH 1/3] rootfs-postcommands: change sysusers.d command MIME-Version: 1.0 Message-Id: <20230613-sysusersd-v1-1-eaddf3179773@baylibre.com> References: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com> In-Reply-To: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com> To: openembedded-core@lists.openembedded.org Cc: Louis Rannou , anuj.mittal@intel.com X-Mailer: b4 0.12.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1686829453; l=8618; i=lrannou@baylibre.com; s=20230614; h=from:subject:message-id; bh=8WGQIzyev+bL5neaYQyqs3q4EWu4+PZIKwlcqrqFgmg=; b=Kky71Li3Zk3oYQCXQC/ORYI6mGVDHJQIz9mcwzRQ0vCFwQZSlhOzzOGfc7d0YKwjx3nC42Bfj Wy71ZVUrKmVCSRC8VhgjmE+VDL8oMWIylWGAZHDroAgazOQflXfA6Jt X-Developer-Key: i=lrannou@baylibre.com; a=ed25519; pk=QLSK64UNeqThVe2CiH917a68zTpexYuA7iXw6WQ0bbI= List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jun 2023 11:44:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182848 The configuration in sysusers.d used to be parsed to create users/groups at build time instead at runtime. This was leading to several conflicts with users/groups defined in base-passwd recipe and specific definitions in recipes inheriting the useradd class. Some of those conflicts raised unseen errors in the do_rootfs command's logs. As an example, the root home directory is set by default to `/home/root` but systemd expects it as `/root`. The new command `systemd_sysusers_check` checks each configuration for users/groups and compare their properties to what is actually defined in the `/etc/passwd` and `/etc/group` of the target rootfs. Signed-off-by: Louis Rannou --- meta/classes-recipe/rootfs-postcommands.bbclass | 133 +++++++++++++++++++----- 1 file changed, 109 insertions(+), 24 deletions(-) diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index 690fa976aa..652601b95f 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -43,7 +43,7 @@ ROOTFS_POSTUNINSTALL_COMMAND =+ "write_image_manifest ; " POSTINST_LOGFILE ?= "${localstatedir}/log/postinstall.log" # Set default target for systemd images SYSTEMD_DEFAULT_TARGET ?= '${@bb.utils.contains_any("IMAGE_FEATURES", [ "x11-base", "weston" ], "graphical.target", "multi-user.target", d)}' -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("DISTRO_FEATURES", "systemd", "set_systemd_default_target; systemd_create_users;", "", d)}' +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("DISTRO_FEATURES", "systemd", "set_systemd_default_target; systemd_sysusers_check;", "", d)}' ROOTFS_POSTPROCESS_COMMAND += 'empty_var_volatile;' @@ -69,29 +69,114 @@ python () { d.appendVar('ROOTFS_POSTPROCESS_COMMAND', 'rootfs_reproducible;') } -systemd_create_users () { - for conffile in ${IMAGE_ROOTFS}/usr/lib/sysusers.d/*.conf; do - [ -e $conffile ] || continue - grep -v "^#" $conffile | sed -e '/^$/d' | while read type name id comment; do - if [ "$type" = "u" ]; then - useradd_params="--shell /sbin/nologin" - [ "$id" != "-" ] && useradd_params="$useradd_params --uid $id" - [ "$comment" != "-" ] && useradd_params="$useradd_params --comment $comment" - useradd_params="$useradd_params --system $name" - eval useradd --root ${IMAGE_ROOTFS} $useradd_params || true - elif [ "$type" = "g" ]; then - groupadd_params="" - [ "$id" != "-" ] && groupadd_params="$groupadd_params --gid $id" - groupadd_params="$groupadd_params --system $name" - eval groupadd --root ${IMAGE_ROOTFS} $groupadd_params || true - elif [ "$type" = "m" ]; then - group=$id - eval groupadd --root ${IMAGE_ROOTFS} --system $group || true - eval useradd --root ${IMAGE_ROOTFS} --shell /sbin/nologin --system $name --no-user-group || true - eval usermod --root ${IMAGE_ROOTFS} -a -G $group $name - fi - done - done +# Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric +# uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it +# automatic or it can be a path. In the latter, the uid/gid matches the +# user/group owner of that file. +def resolve_sysusers_id(d, sid): + # If the id is a path, the uid/gid matchs to the target's uid/gid in the + # rootfs. + if '/' in sid: + try: + osstat = os.stat(os.path.join(d.getVar('IMAGE_ROOTFS'), sid)) + except FileNotFoundError: + bb.error('sysusers.d: file %s is required but it does not exist in the rootfs', sid) + return ('-', '-') + return (osstat.st_uid, osstat.st_gid) + # Else it is a uid:gid or uid:groupname syntax + if ':' in sid: + return sid.split(':') + else: + return (sid, '-') + +# Check a user exists in the rootfs password file and return its properties +def check_user_exists(d, uname=None, uid=None): + with open(os.path.join(d.getVar('IMAGE_ROOTFS'), 'etc/passwd'), 'r') as pwfile: + for line in pwfile: + (name, _, u_id, gid, comment, homedir, ushell) = line.strip().split(':') + if uname == name or uid == u_id: + return (name, u_id, gid, comment or '-', homedir or '/', ushell or '-') + return None + +# Check a group exists in the rootfs group file and return its properties +def check_group_exists(d, gname=None, gid=None): + with open(os.path.join(d.getVar('IMAGE_ROOTFS'), 'etc/group'), 'r') as gfile: + for line in gfile: + (name, _, g_id, _) = line.strip().split(':') + if name == gname or g_id == gid: + return (name, g_id) + return None + +def compare_users(user, e_user): + # user and e_user must not have None values. Unset values must be '-'. + (name, uid, gid, comment, homedir, ushell) = user + (e_name, e_uid, e_gid, e_comment, e_homedir, e_ushell) = e_user + # Ignore 'uid', 'gid' or 'comment' if they are not set + # Ignore 'shell' and 'ushell' if one is not set + return name == e_name \ + and (uid == '-' or uid == e_uid) \ + and (gid == '-' or gid == e_gid) \ + and (comment == '-' or e_comment == '-' or comment.lower() == e_comment.lower()) \ + and (homedir == '-' or e_homedir == '-' or homedir == e_homedir) \ + and (ushell == '-' or e_ushell == '-' or ushell == e_ushell) + +# Open sysusers.d configuration files and parse each line to check the users and +# groups are already defined in /etc/passwd and /etc/groups with similar +# properties. Refer to the sysusers.d(5) manual for its syntax. +python systemd_sysusers_check() { + import glob + import re + + pattern_comment = r'(-|\"[^:\"]+\")' + pattern_word = r'[^\s]+' + pattern_line = r'(' + pattern_word + r')\s+(' + pattern_word + r')\s+(' + pattern_word + r')(\s+' \ + + pattern_comment + r')?' + r'(\s+(' + pattern_word + r'))?' + r'(\s+(' + pattern_word + r'))?' + + for conffile in glob.glob(os.path.join(d.getVar('IMAGE_ROOTFS'), 'usr/lib/sysusers.d/*.conf')): + with open(conffile, 'r') as f: + for line in f: + line = line.strip() + if not len(line) or line[0] == '#': continue + ret = re.fullmatch(pattern_line, line.strip()) + if not ret: continue + (stype, sname, sid, _, scomment, _, shomedir, _, sshell) = ret.groups() + if stype == 'u': + if sid: + (suid, sgid) = resolve_sysusers_id(d, sid) + if sgid.isalpha(): + sgid = check_group_exists(d, gname=sgid) + elif sgid.isdigit(): + check_group_exists(d, gid=sgid) + else: + sgid = '-' + else: + suid = '-' + sgid = '-' + scomment = scomment.replace('"', '') if scomment else '-' + shomedir = shomedir or '-' + sshell = sshell or '-' + e_user = check_user_exists(d, uname=sname) + if not e_user: + bb.warn('User %s has never been defined' % sname) + elif not compare_users((sname, suid, sgid, scomment, shomedir, sshell), e_user): + bb.warn('User %s has been defined as (%s) but sysusers.d expects it as (%s)' + % (sname, ', '.join(e_user), + ', '.join((sname, suid, sgid, scomment, shomedir, sshell)))) + elif stype == 'g': + gid = sid or '-' + if '/' in gid: + (_, gid) = resolve_sysusers_id(d, sid) + e_group = check_group_exists(d, gname=sname) + if not e_group: + bb.warn('Group %s has never been defined' % sname) + elif gid != '-': + (_, e_gid) = e_group + if gid != e_gid: + bb.warn('Group %s has been defined with id (%s) but sysusers.d expects gid (%s)' + % (sname, e_gid, gid)) + elif stype == 'm': + check_user_exists(d, sname) + check_group_exists(d, sid) } # From patchwork Thu Jun 15 11:43:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Louis Rannou X-Patchwork-Id: 25672 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C38EFEB64DC for ; Thu, 15 Jun 2023 11:44:20 +0000 (UTC) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mx.groups.io with SMTP id smtpd.web10.15869.1686829457252939350 for ; Thu, 15 Jun 2023 04:44:17 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@baylibre-com.20221208.gappssmtp.com header.s=20221208 header.b=MLWuYNne; spf=pass (domain: baylibre.com, ip: 209.85.221.45, mailfrom: lrannou@baylibre.com) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-30fceb009faso529098f8f.0 for ; Thu, 15 Jun 2023 04:44:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20221208.gappssmtp.com; s=20221208; t=1686829455; x=1689421455; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=V+9U1fuYAs9zKZ8RaFvWYT/K3mbHLVpskyyrodumb5I=; b=MLWuYNneVZE4g8Kk1DsdOau4JqSG1Q57vdVGiAJiXqgn+o9sMpTLDTWaD+45Ewrv6X pg+LhmuBFfbi9+oLhszzFrmUgj293MGe9pdFE+RmgBgOqTSsazNHWKH0+7BtvUDu8F6i zBAQxs3s8cunPcgDn6Zxc7mpwpoarFZSfoRH+6nCR5buF/EMlTtDOPXLEzB/CLo7p+bD PtYGbmKaSJ+5jNnWICnD555Idw27zltVzuE1GIj8j91/AF/i5FOPaIU9N9N3gARVwIWP s24zytOoP36T2T+1yhE/fyVMwcmzT05fgfxlxjba/72XPpIdxIzFtju0yTsnW7cl3Ua0 EPEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686829455; x=1689421455; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=V+9U1fuYAs9zKZ8RaFvWYT/K3mbHLVpskyyrodumb5I=; b=NpY0lSgMXczj8PWuTX8sRrxt0J8lc97BS/1+jk+A8Ocq31kGwqz/cD6qf8/5ed5hQB 9cOo/Q4Tz10k2f8dFnkBxOqKVKCRF78OLfkHOpyiWbmmc8AkA732TPE38dVJaJQx3tUs Pyf575Q/e8yyto5a9CMP5+p0PGEJQp0h73OnL+F1wBmz5EHH1H1iu3j3CtZLJHZJr2w1 TGGsZTxRDx1QvOJELGuQA8U8/GgKbZvSANvZn11x2UOuJZclYwVyjuou2OixKlMYo9FN Qtoz/JtQMsvwfJI1qvMtEuJQLUztHX/ZrKEzub3ZflRC69S9QTH9m/qqmp+thwTB1Eda DpVg== X-Gm-Message-State: AC+VfDynisbiKVDYUwvIlnenD5RQl9ds0fvL5PCM5D8gZQjE202dhEC4 1rVsdpS9G28GYtjzUR26Mch+qCpEhaYKB2AvftE= X-Google-Smtp-Source: ACHHUZ5Dh7CWEsXSa7p4BFkiuWBir9TzbhNRPO/r6f9WdmdQA7qoHZRmMhhgnRh8doJq1RezgmhAdg== X-Received: by 2002:adf:ec43:0:b0:311:ab6:1a8e with SMTP id w3-20020adfec43000000b003110ab61a8emr3739197wrn.9.1686829455806; Thu, 15 Jun 2023 04:44:15 -0700 (PDT) Received: from [172.30.105.10] (lmontsouris-658-1-109-35.w92-154.abo.wanadoo.fr. [92.154.6.35]) by smtp.gmail.com with ESMTPSA id i17-20020a5d6311000000b0030fae360f14sm15429154wru.68.2023.06.15.04.44.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Jun 2023 04:44:15 -0700 (PDT) From: Louis Rannou Date: Thu, 15 Jun 2023 13:43:54 +0200 Subject: [PATCH 2/3] systemd: replace the sysusers.d basic configuration MIME-Version: 1.0 Message-Id: <20230613-sysusersd-v1-2-eaddf3179773@baylibre.com> References: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com> In-Reply-To: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com> To: openembedded-core@lists.openembedded.org Cc: Louis Rannou , anuj.mittal@intel.com X-Mailer: b4 0.12.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1686829453; l=3392; i=lrannou@baylibre.com; s=20230614; h=from:subject:message-id; bh=2u+4EIk4wuXNn19J+5bpCctm+T/VfFFuTYIzzgbHX6E=; b=xgydEuiWaN6nJQt8jEw5ks9Aflnl7J1nQ6cK23/dTuMVYwBFTYFGX6KgxfG6Kkbek8ElkeZgE e1ER/P+dlurDbfQrZORAbrOL3tfu5FJwp/R65b5jy2ARxueMeUJQqof X-Developer-Key: i=lrannou@baylibre.com; a=ed25519; pk=QLSK64UNeqThVe2CiH917a68zTpexYuA7iXw6WQ0bbI= List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jun 2023 11:44:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182847 The default sysusers basic.conf.in file sets the root home directory to `/root` and does not permit its configuration. Replace the file delivered by systemd so the root home directory matches the `ROOT_HOME` variable. Signed-off-by: Louis Rannou --- meta/recipes-core/systemd/systemd/basic.conf.in | 40 +++++++++++++++++++++++++ meta/recipes-core/systemd/systemd_253.3.bb | 5 ++++ 2 files changed, 45 insertions(+) diff --git a/meta/recipes-core/systemd/systemd/basic.conf.in b/meta/recipes-core/systemd/systemd/basic.conf.in new file mode 100644 index 0000000000..fac288f7fa --- /dev/null +++ b/meta/recipes-core/systemd/systemd/basic.conf.in @@ -0,0 +1,40 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# The superuser +u root 0 "root" :ROOT_HOME: + +# The nobody user/group for NFS file systems +g {{NOBODY_GROUP_NAME}} 65534 - - +u {{NOBODY_USER_NAME }} 65534:65534 "Nobody" - + +# Administrator group: can *see* more than normal users +g adm {{ADM_GID }} - - + +# Administrator group: can *do* more than normal users +g wheel {{WHEEL_GID }} - - + +# Access to shared database of users on the system +g utmp {{UTMP_GID }} - - + +# Physical and virtual hardware access groups +g audio {{AUDIO_GID }} - - +g cdrom {{CDROM_GID }} - - +g dialout {{DIALOUT_GID}} - - +g disk {{DISK_GID }} - - +g input {{INPUT_GID }} - - +g kmem {{KMEM_GID }} - - +g kvm {{KVM_GID }} - - +g lp {{LP_GID }} - - +g render {{RENDER_GID }} - - +g sgx {{SGX_GID }} - - +g tape {{TAPE_GID }} - - +g tty {{TTY_GID }} - - +g video {{VIDEO_GID }} - - + +# Default group for normal users +g users {{USERS_GID }} - - diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb index 45dc6ab5bb..87fbf6f785 100644 --- a/meta/recipes-core/systemd/systemd_253.3.bb +++ b/meta/recipes-core/systemd/systemd_253.3.bb @@ -17,6 +17,7 @@ REQUIRED_DISTRO_FEATURES = "systemd" SRC_URI += " \ file://touchscreen.rules \ file://00-create-volatile.conf \ + file://basic.conf.in \ ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \ file://init \ @@ -252,6 +253,10 @@ EXTRA_OEMESON += "-Dkexec-path=${sbindir}/kexec \ # The 60 seconds is watchdog's default vaule. WATCHDOG_TIMEOUT ??= "60" +do_configure:prepend() { + sed s@:ROOT_HOME:@${ROOT_HOME}@g ${WORKDIR}/basic.conf.in > ${S}/sysusers.d/basic.conf.in +} + do_install() { meson_do_install install -d ${D}/${base_sbindir} From patchwork Thu Jun 15 11:43:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Louis Rannou X-Patchwork-Id: 25673 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C0DBDEB64DD for ; Thu, 15 Jun 2023 11:44:20 +0000 (UTC) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mx.groups.io with SMTP id smtpd.web10.15870.1686829457912971528 for ; Thu, 15 Jun 2023 04:44:18 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@baylibre-com.20221208.gappssmtp.com header.s=20221208 header.b=aUb+e4fJ; spf=pass (domain: baylibre.com, ip: 209.85.221.45, mailfrom: lrannou@baylibre.com) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-311153ec442so431570f8f.1 for ; Thu, 15 Jun 2023 04:44:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20221208.gappssmtp.com; s=20221208; t=1686829456; x=1689421456; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=Io0T/CEtWRjKJfGXwbUtSm6KPIfw+PKNbsPHG17mCow=; b=aUb+e4fJdWJUYXK9b0xbIjhLA31fPDaHGwvpTP/A8+Ba6L3j0Ihl0bC67EIU4+b6Ap bX2TxN9lczEZmTAfTXRnqlAICIoN6xXw4tYOtchEXhp/2DJqjV4YCKoAqKusRyHzWMWO 9A7OjykZDRhKzMyQb1sgvWo402WBJH8aH1ccRp4EflJqiyBrFgzt3QwY+EayZN46EPzL gW4f2Bd+SeYG8uThrsi0mQumueNqjhCmq++QibHb2SsDd6iGSnOnNJA09i6qroMdl2LR fIk0feppA1pffZNpCsXvCs89stvZt8ESzN07CPdNzi9dA4hldePGBsk39tfbmpENqxst R9Sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686829456; x=1689421456; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Io0T/CEtWRjKJfGXwbUtSm6KPIfw+PKNbsPHG17mCow=; b=dkgh6KJAkOOnr6GF3PMqeT5HiN9B304kzPz+qWO5E+cUKFc88cug46HZ9RIqgsfATT vLKbCXYDZYfLupGXDi4EZy8j6l4uQwKEo4Ne6Rncprun42JHPIfyw5Q2CLAG8WmTeVp8 qyWyLnRCDAwADf8YQCAzqUWKCDvEhXo1a/kqBtb2FuqJUFjTVbMSs214gKrn17b/JEur ZYyELYSSFinUA/zv7KGPs2VLKmi2QmiU7W8yJYrlMSUBTMIZGZ1So+6N0f9KqpkOjPiH R0/lbx2edDDQVjig7J/E8Vd7JbwYpIvu7vG/++e8SM3Ui8xd6WX/J92AtgSzx/BdNCQ9 wa7g== X-Gm-Message-State: AC+VfDwNlI+BuBFg47Br57oCbgM/+SSG4/Te8imbKojvSX13x4NrQtwR Rd3ZhErLqPgL3nMJ6NLcvYu3d37Koy4pHLtLPkw= X-Google-Smtp-Source: ACHHUZ7cT07AB9+zJFHzy/WvV3gzVdfeJE2Y7HcGmaOzNTxeOB0sv4ZZCMXzJmCrEsYbIzuzBhW/oQ== X-Received: by 2002:a5d:4010:0:b0:311:10ae:123e with SMTP id n16-20020a5d4010000000b0031110ae123emr2866972wrp.2.1686829456486; Thu, 15 Jun 2023 04:44:16 -0700 (PDT) Received: from [172.30.105.10] (lmontsouris-658-1-109-35.w92-154.abo.wanadoo.fr. [92.154.6.35]) by smtp.gmail.com with ESMTPSA id i17-20020a5d6311000000b0030fae360f14sm15429154wru.68.2023.06.15.04.44.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Jun 2023 04:44:16 -0700 (PDT) From: Louis Rannou Date: Thu, 15 Jun 2023 13:43:55 +0200 Subject: [PATCH 3/3] base-passwd: add the wheel group MIME-Version: 1.0 Message-Id: <20230613-sysusersd-v1-3-eaddf3179773@baylibre.com> References: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com> In-Reply-To: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com> To: openembedded-core@lists.openembedded.org Cc: Louis Rannou , anuj.mittal@intel.com X-Mailer: b4 0.12.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1686829453; l=2172; i=lrannou@baylibre.com; s=20230614; h=from:subject:message-id; bh=0Hz5U53wSFJMPDG0EqB1W3h3lPTRyLbh6z8qDRSDdOo=; b=E6FqJNr13ct0Mt4oVCGJUuk5V26LcMCv38dHYrlKG5Bhae9uJRbdYuDIkaNeQW8TT3e3Tc3qr F4T6PoXtjXqAyK/CvxvuPKNeyv1F0xL9l9gjTlasmLT6lrqpGlyPDpU X-Developer-Key: i=lrannou@baylibre.com; a=ed25519; pk=QLSK64UNeqThVe2CiH917a68zTpexYuA7iXw6WQ0bbI= List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 Jun 2023 11:44:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182849 The wheel group is not declared while it can be used to access the systemd journal and to configure printers in CUPS. It can also be used for su and sudo permissions. So far it was created later in the rootfs postcommand systemd_create_users. Signed-off-by: Louis Rannou --- .../base-passwd/0007-Add-wheel-group.patch | 20 ++++++++++++++++++++ meta/recipes-core/base-passwd/base-passwd_3.6.1.bb | 1 + 2 files changed, 21 insertions(+) diff --git a/meta/recipes-core/base-passwd/base-passwd/0007-Add-wheel-group.patch b/meta/recipes-core/base-passwd/base-passwd/0007-Add-wheel-group.patch new file mode 100644 index 0000000000..00eaec38a2 --- /dev/null +++ b/meta/recipes-core/base-passwd/base-passwd/0007-Add-wheel-group.patch @@ -0,0 +1,20 @@ + +We need to have a wheel group which has some system privileges to consult the +systemd journal or manage printers with cups. + +Upstream status says the group does not exist by default. + +Upstream-Status: Inappropriate [enable feature] + +Signed-off-by: Louis Rannou +Index: base-passwd-3.5.26/group.master +=================================================================== +--- base-passwd-3.5.29.orig/group.master ++++ base-passwd-3.5.29/group.master +@@ -38,5 +38,6 @@ + staff:*:50: + games:*:60: + shutdown:*:70: ++wheel:*:80: + users:*:100: + nogroup:*:65534: diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb index 853717176d..204016b3e7 100644 --- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb @@ -12,6 +12,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar file://0004-Add-an-input-group-for-the-dev-input-devices.patch \ file://0005-Add-kvm-group.patch \ file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \ + file://0007-Add-wheel-group.patch \ " SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af"