[V3,3/3] bash: add pkg_postrm to remove the entry in /etc/shells

Submitted by Ming Liu on Oct. 18, 2013, 11:11 a.m.

Details

Message ID 1382094700-17805-3-git-send-email-ming.liu@windriver.com
State New
Headers show

Commit Message

Ming Liu Oct. 18, 2013, 11:11 a.m.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
---
 meta/recipes-extended/bash/bash.inc |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc
index 64b476f..7c18f37 100644
--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -44,7 +44,19 @@  do_install_ptest () {
 }
 
 pkg_postinst_${PN} () {
-	touch $D${sysconfdir}/shells
-	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
-	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
+	if [ ! -f $D${sysconfdir}/shells ]; then
+		touch $D${sysconfdir}/shells
+	fi
+
+	grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo ${base_bindir}/bash >> $D${sysconfdir}/shells
+}
+
+pkg_postrm_${PN} () {
+	if [ -f $D${sysconfdir}/shells ]; then
+		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
+
+		if [ ! -s $D${sysconfdir}/shells ]; then
+			rm $D${sysconfdir}/shells
+		fi
+	fi
 }

Comments

Phil Blundell Oct. 18, 2013, 2:59 p.m.
On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>  pkg_postinst_${PN} () {
> -	touch $D${sysconfdir}/shells
> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
> +	if [ ! -f $D${sysconfdir}/shells ]; then
> +		touch $D${sysconfdir}/shells
> +	fi
> +
> +	grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo ${base_bindir}/bash >> $D${sysconfdir}/shells
> +}

This patch contains significant changes to the postinst script which
aren't described in the commit message.

p.

> +
> +pkg_postrm_${PN} () {
> +	if [ -f $D${sysconfdir}/shells ]; then
> +		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
> +
> +		if [ ! -s $D${sysconfdir}/shells ]; then
> +			rm $D${sysconfdir}/shells
> +		fi
> +	fi
>  }
Mark Hatle Oct. 18, 2013, 3:12 p.m.
On 10/18/13 9:59 AM, Phil Blundell wrote:
> On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>>   pkg_postinst_${PN} () {
>> -	touch $D${sysconfdir}/shells
>> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
>> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
>> +	if [ ! -f $D${sysconfdir}/shells ]; then

One note with the above check.  Whichever package is responsible for providing 
the 'shells' file needs to be installed -first-.  So anything that manipulates 
the 'shells' file will need an RDEPENDS on that package.

--Mark

>> +		touch $D${sysconfdir}/shells
>> +	fi
>> +
>> +	grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo ${base_bindir}/bash >> $D${sysconfdir}/shells
>> +}
>
> This patch contains significant changes to the postinst script which
> aren't described in the commit message.
>
> p.
>
>> +
>> +pkg_postrm_${PN} () {
>> +	if [ -f $D${sysconfdir}/shells ]; then
>> +		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
>> +
>> +		if [ ! -s $D${sysconfdir}/shells ]; then
>> +			rm $D${sysconfdir}/shells
>> +		fi
>> +	fi
>>   }
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
Phil Blundell Oct. 18, 2013, 3:18 p.m.
On Fri, 2013-10-18 at 10:12 -0500, Mark Hatle wrote:
> On 10/18/13 9:59 AM, Phil Blundell wrote:
> > On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
> >>   pkg_postinst_${PN} () {
> >> -	touch $D${sysconfdir}/shells
> >> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
> >> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
> >> +	if [ ! -f $D${sysconfdir}/shells ]; then
> 
> One note with the above check.  Whichever package is responsible for providing 
> the 'shells' file needs to be installed -first-.  So anything that manipulates 
> the 'shells' file will need an RDEPENDS on that package.

Isn't the whole point of the check above that it now creates /etc/shells
if it didn't exist already?

That said, though, I'm still not entirely convinced that having
semi-random packages create a file that isn't mentioned in either FILES
or CONFFILES is a very good thing.  I'm also not totally clear on what
exactly the problem is that this set of patches is trying to solve: the
original commit message says that having nonexistent files named
in /etc/shells is "unreasonable" but doesn't provide any supporting
evidence for that assertion.

p.
Mark Hatle Oct. 18, 2013, 5 p.m.
On 10/18/13 10:18 AM, Phil Blundell wrote:
> On Fri, 2013-10-18 at 10:12 -0500, Mark Hatle wrote:
>> On 10/18/13 9:59 AM, Phil Blundell wrote:
>>> On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>>>>    pkg_postinst_${PN} () {
>>>> -	touch $D${sysconfdir}/shells
>>>> -	grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> $D${sysconfdir}/shells
>>>> -	grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
>>>> +	if [ ! -f $D${sysconfdir}/shells ]; then
>>
>> One note with the above check.  Whichever package is responsible for providing
>> the 'shells' file needs to be installed -first-.  So anything that manipulates
>> the 'shells' file will need an RDEPENDS on that package.
>
> Isn't the whole point of the check above that it now creates /etc/shells
> if it didn't exist already?

Situation  bash has dep on base-files:

base-files package gets install (creates basic /etc/shells)
bash gets installed (checks for /etc/shells, adds /bin/bash)

Alternative situation:

bash has no dep on base-files:

bash gets installed (checks for /etc/shells, doesn't exist)
base-files gets installed (creates basic /etc/shells)

> That said, though, I'm still not entirely convinced that having
> semi-random packages create a file that isn't mentioned in either FILES

I don't want it to create the file, that is the wrong behavior.  The -package- 
needs to depend on the package that provides the base configuration for the 
system.  -something- has to create the file, or be installed first.

> or CONFFILES is a very good thing.  I'm also not totally clear on what
> exactly the problem is that this set of patches is trying to solve: the
> original commit message says that having nonexistent files named
> in /etc/shells is "unreasonable" but doesn't provide any supporting
> evidence for that assertion.

The original problem is that /etc/shells contains too much "crap", and we've got 
customers saying "hey you are opening up potential security holes by having 
things in there that are not valid."  (Beyond the file being sloppy)

So we would prefer that a minimal file exist, and then entries for valid shells 
be added dynamically to the system, only if the packages that provide them are 
supported.

--Mark

> p.
>
>
Ming Liu Oct. 20, 2013, 5:50 a.m.
On 10/18/2013 11:12 PM, Mark Hatle wrote:
> On 10/18/13 9:59 AM, Phil Blundell wrote:
>> On Fri, 2013-10-18 at 19:11 +0800, Ming Liu wrote:
>>>   pkg_postinst_${PN} () {
>>> -    touch $D${sysconfdir}/shells
>>> -    grep -q "bin/bash" $D${sysconfdir}/shells || echo /bin/bash >> 
>>> $D${sysconfdir}/shells
>>> -    grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> 
>>> $D${sysconfdir}/shells
>>> +    if [ ! -f $D${sysconfdir}/shells ]; then
>
> One note with the above check.  Whichever package is responsible for 
> providing the 'shells' file needs to be installed -first-.  So 
> anything that manipulates the 'shells' file will need an RDEPENDS on 
> that package.
Yes, that is a good idea, I will change it as you suggest.

the best,
thank you

>
> --Mark
>
>>> +        touch $D${sysconfdir}/shells
>>> +    fi
>>> +
>>> +    grep -q "^${base_bindir}/bash$" $D${sysconfdir}/shells || echo 
>>> ${base_bindir}/bash >> $D${sysconfdir}/shells
>>> +}
>>
>> This patch contains significant changes to the postinst script which
>> aren't described in the commit message.
>>
>> p.
>>
>>> +
>>> +pkg_postrm_${PN} () {
>>> +    if [ -f $D${sysconfdir}/shells ]; then
>>> +        printf "$(grep -v "^${base_bindir}/bash$" 
>>> $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
>>> +
>>> +        if [ ! -s $D${sysconfdir}/shells ]; then
>>> +            rm $D${sysconfdir}/shells
>>> +        fi
>>> +    fi
>>>   }
>>
>>
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>