
List:       openembedded-core
Subject:    Re: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
From:       "Jiaqing Zhao" <jiaqing.zhao () linux ! intel ! com>
Date:       2022-04-30 2:55:01
Message-ID: 422636e9-2273-7776-d8b9-8840592218b1 () linux ! intel ! com

On 2022-04-29 20:22, Richard Purdie wrote:
> On Thu, 2022-04-28 at 17:49 +0800, Jiaqing Zhao wrote:
> > Change the shell of all global static users other than root (which
> > retains /bin/sh) and sync (as /bin/sync is rather harmless) to
> > /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
> > 
> > Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
> > Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> > ---
> > v2:
> > Fix indentation in bbfile.
> > ---
> > .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
> > .../base-passwd/base-passwd_3.5.29.bb         |  1 +
> > 2 files changed, 58 insertions(+)
> > create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> > 
> > diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch \
> > b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch new file mode \
> > 100644 index 0000000000..dddc93ca35
> > --- /dev/null
> > +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
> > @@ -0,0 +1,57 @@
> > +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
> > +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
> > +Date: Mon, 18 Apr 2022 11:22:43 +0800
> > +Subject: [PATCH] Disable shell for default users
> > +
> > +Change the shell of all global static users other than root (which
> > +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
> > +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
> > +
> > +Upstream-Status: Backport \
> > [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30] +Signed-off-by: Jiaqing \
> > Zhao <jiaqing.zhao@linux.intel.com> +---
> > + passwd.master | 32 ++++++++++++++++----------------
> > + 1 file changed, 16 insertions(+), 16 deletions(-)
> > +
> > +diff --git a/passwd.master b/passwd.master
> > +index e1c32ff..0cd5ffd 100644
> > +--- a/passwd.master
> > ++++ b/passwd.master
> > +@@ -1,18 +1,18 @@
> > + root::0:0:root:/root:/bin/sh
> > +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
> > +-bin:*:2:2:bin:/bin:/bin/sh
> > +-sys:*:3:3:sys:/dev:/bin/sh
> > ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
> > ++bin:*:2:2:bin:/bin:/sbin/nologin
> > ++sys:*:3:3:sys:/dev:/sbin/nologin
> > + sync:*:4:65534:sync:/bin:/bin/sync
> > +-games:*:5:60:games:/usr/games:/bin/sh
> > +-man:*:6:12:man:/var/cache/man:/bin/sh
> > +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
> > +-mail:*:8:8:mail:/var/mail:/bin/sh
> > +-news:*:9:9:news:/var/spool/news:/bin/sh
> > +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
> > +-proxy:*:13:13:proxy:/bin:/bin/sh
> > +-www-data:*:33:33:www-data:/var/www:/bin/sh
> > +-backup:*:34:34:backup:/var/backups:/bin/sh
> > +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
> > +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
> > +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> > +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
> > ++games:*:5:60:games:/usr/games:/sbin/nologin
> > ++man:*:6:12:man:/var/cache/man:/sbin/nologin
> > ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
> > ++mail:*:8:8:mail:/var/mail:/sbin/nologin
> > ++news:*:9:9:news:/var/spool/news:/sbin/nologin
> > ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
> > ++proxy:*:13:13:proxy:/bin:/sbin/nologin
> > ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
> > ++backup:*:34:34:backup:/var/backups:/sbin/nologin
> > ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
> > ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
> > ++gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/sbin/nologin
> > ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
> > +-- 
> > +2.32.0
> > +
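Review bot: the passwd.master hunk switches `nobody` (and fifteen other accounts, per the 16-line diffstat) to /sbin/nologin, but nothing in the series touches the scripts that `su` into those accounts; su executes the account's login shell to run `-c`, and nologin exits without running it, which is exactly what the sed and strace ptests tripped over. Either pass `-s /bin/sh` in those scripts (or use `runuser`) in the same series, or say in the commit message that privilege drops must now override the shell. Separately, the message explains why /usr/sbin/nologin was not used but not which package provides /sbin/nologin; worth stating, since on a minimal image without it sixteen accounts point at a dangling path (login is still refused, but by an exec failure rather than by nologin and its message).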
> > diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb \
> > b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb index \
> >                 9a27ad3ab5..ef7792ae49 100644
> > --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> > +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
> > @@ -14,6 +14,7 @@ SRC_URI = \
> > "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar \
> > file://input.patch \ file://disable-docs.patch \
> > file://kvm.patch \
> > +           file://disable-shell.patch \
> > "
> > 
> > SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
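Review bot: the SRC_URI addition is fine as wiring, but because this patch rewrites the /etc/passwd that every image ships with, a one-line comment next to `file://disable-shell.patch` naming the two accounts that keep a shell (root with /bin/sh, sync with /bin/sync) and why would stop the next person touching passwd.master from silently reverting it; the sed and strace ptest fixes this change requires should also land alongside this recipe change rather than as a follow-up.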
> 
> This change causes a couple of ptest regressions in sed and strace:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/3185/steps/12/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/3432/steps/13/logs/stdio
> 
> Cheers,
> 
> Richard

The sed and strace ptests failed because the scripts switch to user `nobody` and run the tests there, which cannot be done once the shell is disabled by default for user `nobody`. Patchset v3 fixes that issue. I've verified that the sed and strace ptests pass in my local build. Please help run it in the Yocto autobuilder as I don't have the permission.

Thanks,
Jiaqing
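The two failure modes discussed in this thread (an account whose shell is interactive when it should not be, and a test script that drops to `nobody` with a bare `su` after the shell became /sbin/nologin) are the kind of thing an image build should check for itself. The script below is an added example for this page, not code from base-passwd, the patch, or the OE project. It assumes the classic 7-field passwd layout, the usual /bin, /sbin, /usr/sbin rootfs layout, and a su(1) that honours `-s` to override the login shell (util-linux, shadow and busybox su all do); the sample passwd lines are taken from the post-patch passwd.master above, and the fake rootfs is constructed in a temporary directory so it runs offline.

```python
"""Audit the login shells of the static accounts in an image's passwd file.

Added example (not part of the base-passwd recipe or the patch under review).
Assumptions: 7-field passwd layout; rootfs uses /bin, /sbin, /usr/sbin; the
image's su(1) honours -s to override the account's login shell.
"""
import os
import shlex
import tempfile
from dataclasses import dataclass

# Shells that cannot start an interactive session. /bin/sync is left alone by
# the patch because it only calls sync(2) and exits.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                    "/bin/false", "/usr/bin/false", "/bin/sync"}
# Accounts the patch deliberately leaves with /bin/sh.
ALLOWED_INTERACTIVE = {"root"}

# Constructed sample: a subset of the post-patch passwd.master from the hunk.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
bin:*:2:2:bin:/bin:/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
www-data:*:33:33:www-data:/var/www:/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
"""


@dataclass(frozen=True)
class Finding:
    user: str
    shell: str
    reason: str


def parse_passwd(text):
    """Return a list of (name, passwd, uid, gid, gecos, home, shell) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(tuple(fields))
    return entries


def audit_passwd(text, rootfs=None):
    """Flag interactive shells on system accounts, an unlocked root entry, and
    shells whose binary is absent from the rootfs directory (if one is given)."""
    findings = []
    for name, pw, _uid, _gid, _gecos, _home, shell in parse_passwd(text):
        if shell not in NON_LOGIN_SHELLS and name not in ALLOWED_INTERACTIVE:
            findings.append(Finding(name, shell, "interactive shell on system account"))
        if name == "root" and pw == "":
            # OE normally locks this during rootfs postprocessing unless
            # debug-tweaks is enabled; flag it so a skipped step is caught.
            findings.append(Finding(name, shell, "empty password field"))
        if rootfs is not None and not os.path.exists(os.path.join(rootfs, shell.lstrip("/"))):
            # A dangling shell path still refuses login (exec fails), but the
            # user sees an exec error rather than nologin's message.
            findings.append(Finding(name, shell, "shell binary missing from rootfs"))
    return findings


def privilege_drop_command(text, user, command):
    """Build the su(1) line a test script should use to run `command` as `user`.

    su runs the account's login shell to execute -c, so with /sbin/nologin the
    command never runs (the sed/strace ptest failure); -s forces a real shell
    for that one invocation without touching /etc/passwd.
    """
    shells = {e[0]: e[6] for e in parse_passwd(text)}
    if user not in shells:
        raise KeyError(f"no such account: {user}")
    quoted = shlex.quote(command)
    if shells[user] in NON_LOGIN_SHELLS:
        return f"su -s /bin/sh {user} -c {quoted}"
    return f"su {user} -c {quoted}"


def build_fake_rootfs(binaries):
    """Create a throwaway directory tree containing only the given paths."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for path in binaries:
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
    return root


if __name__ == "__main__":
    rootfs = build_fake_rootfs(["/bin/sh", "/bin/sync", "/sbin/nologin"])
    for f in audit_passwd(SAMPLE_PASSWD, rootfs):
        print(f"{f.user:10} {f.shell:16} {f.reason}")
    print(privilege_drop_command(SAMPLE_PASSWD, "nobody", "./testsuite/run"))
```

Run against the real file with `audit_passwd(open(rootfs + "/etc/passwd").read(), rootfs)` from a rootfs postprocess hook or a CI step; an empty list for everything except the root password line is the expected result for the patched passwd.master, and any ptest or init script that must run as `nobody` should be generated with `privilege_drop_command` (or hand-written with `-s /bin/sh`) rather than a bare `su nobody -c`.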



View/Reply Online (#165066): https://lists.openembedded.org/g/openembedded-core/message/165066
