The copy of extended attributes is interesting for
Smack systems because it allows to set the security
template of the user's home directories without
modifying the tools (useradd here). But the version
of useradd that copies the extended attributes doesn't
copy the extended attributes of the root. This can make
use of homes impossible! This patch corrects the issue
by copying the extended attributes of the root directory:
/home/user will get the extended attributes of /etc/skel.
The patch is submitted upstream (see
http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html)
The existing patch specific to open-embedded is updated:
0001-useradd.c-create-parent-directories-when-necessary.patch
Also, attr are activated for native tools.
This is needed when users are created during image creation.
(From OE-Core rev: eed66e85af5ca6bbdd80cc3d5cf8453e8d8880bc)
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The groupadd from shadow does not allow upper case group names, the
same is true for the upstream shadow. But distributions like
Debian/Ubuntu/CentOS has their own way to cope with this problem,
this patch is picked up from CentOS release 7.0 to relax the usernames
restrictions to allow the upper case group names, and the relaxation is
POSIX compliant because POSIX indicate that usernames are composed of
characters from the portable filename character set [A-Za-z0-9._-].
(From OE-Core rev: 31c6c8150394de067085be5b0058037077860a8a)
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When building shadow-native, syslog was disabled for useradd and
groupadd. This disables it also for groupdel, groupmems, groupmod,
userdel and usermod (i.e., the use of syslog is now disabled for all
commands supported by useradd_base.bbclass).
(From OE-Core rev: 0791ba7ea82444729a1a7d1b2443f633bcba2002)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-su.c-fix-to-exec-command-correctly.patch is removed. Below is the reason.
This patch is introduced to solve the 'su: applet not found' problem when
executing `su -l xxx -c env'. The patch references codes of previous release
of shadow. However, this patch introduces bug#5359. So it's not correct.
Let's first look at the root cause of 'su: applet not found' problem.
This problem appears when /bin/sh is provided by busybox.
When executing `su -l xxx -c env' command, the following function is invoked.
execve("/bin/sh", ["-su", "-c", "env"], [/* 6 vars */])
Note that the argv[0] provided to new executable file (/bin/sh) is "-su".
As /bin/sh is a symlink to /bin/busybox. It's /bin/busybox that is executed.
In busybox's appletlib.c, it would examine argv[0], try to find an applet
that has the same name, and then try to execute the main function of the
applet. This logic results in `su' applet from busybox to be executed.
However, we default to set 'BUSYBOX_SPLIT_SUID' to "1", so 'su' is not found.
Further more, even if we set 'BUSYBOX_SPLIT_SUID' to "0", so that 'su' applet
is found. The whole behaviour is still not correct. Because 'su' from shadow
takes higher priority than that from busybox, so 'su' from busybox should never
be executed on such system unless it's specified clearly by the end user.
The logic of busybox's appletlib.c is totally correct from the point of busybox
itself. It's an integration problem.
To solve the above problem, this patch comment out SU_NAME in /etc/login.defs
so that the final function executed in shadow's su is as below.
execve("/bin/sh", ["-sh", "-c", "env"], [/* 6 vars */])
[YOCTO #5359]
[YOCTO #7137]
(From OE-Core rev: 6820f05dad0b4f9b9bbcf7c2a0af8c34f66199ae)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Old version of the ARM AMBA serial port driver creates those device nodes.
(From OE-Core rev: fa17b9ea435f5c49e3bea56524152b21d915d464)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The subordinate IDs support in pkg-shadow allows unprivileged users to manage a
set of UIDs and GIDs. These subordinate IDs are specified by root, and can be
further used by the unprivileged user they have been assigned to. This user can
then create an e.g. user namespace, where he is allowed to manage his own set of
users and group from the pool of subordinate IDs. More details can be found at
http://lwn.net/Articles/533617/.
Pull a required change from upstream in order to make shadow cross-compile with
subordinate IDs support. Enable flag in recipe.
Changes since v1:
- update changelog
(From OE-Core rev: 8548868c05e52700fd4712298b1705b8ec7ae446)
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Even if useradd --root <root> is used it would still read login.defs
before doing the chroot() and thus use the one provided by the host
rather than the sysroot.
(From OE-Core rev: b85917a4ebe636316fa7305017cd32a47b392039)
(From OE-Core rev: 0af59a04135f067f0e01883defa77c6f714eab2e)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In systems where bash is not installed and /bin/sh is provided by
busybox. Commands like `su -l -c '/home/root/test' xuser' would fail
complaining the the 'su' applet could not be found.
This patch references the old version of shadow to keep the behaviour
the way it was in old version so that we would avoid the problem mentioned
above.
(From OE-Core rev: ab0115d1b8a0cb0b25bdb14fd2a3e6c6bb9a44f8)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade shadow from 4.1.4.3 to 4.2.1.
Changes during this upgrade are as following.
1. Remove the "merged" patches. These patches are either merged or
the same functionality has been implemented upstream.
add_root_cmd_groupmems.patch
add_root_cmd_options.patch
fix-etc-gshadow-reading.patch
shadow-4.1.4.2-env-reset-keep-locale.patch
shadow-4.1.4.2-groupmod-pam-check.patch
shadow-4.1.4.2-su_no_sanitize_env.patch
shadow.automake-1.11.patch
shadow_fix_for_automake-1.12.patch
useradd.patch
2. Remove the unneeded patch.
The following patch has been removed because the logic in the related
codes of the new version has been changed. In specific, the codes now
can handle the 'NULL' return value. So there's no need for the following
patch.
slackware_fix_for_glib-2.17_crypt.patch
3. Teak the current patch to match the new version.
allow-for-setting-password-in-clear-text.patch
4. Add a patch to fix compilation failure.
usermod-fix-compilation-failure-with-subids-disabled.patch
5. Add a patch to fix the installation failure.
fix-installation-failure-with-subids-disabled.patch
5. Add a patch to fix the failure at rootfs time if extrausers is inherited.
commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
6. Fix the bad section in the recipe.
7. Disable the new subids feature in the new version as it doesn't support
cross compilation for now.
8. Modify the pkg_postinst to `exit 1' if the `pwconv' or `grpconv' fails.
Also, fix the arguments to use '--root $D' instead of '--root=$D'.
9. Add a patch for shadow-native to create parent directories when necessary.
0001-useradd.c-create-parent-directories-when-necessary.patch
(From OE-Core rev: b73e5cd51551556f9e6a4f7d9e7deec4d9d661bd)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In
commit 10cdd66fe800cffe3f2cbf5c95550b4f7902a311
Author: Ming Liu <ming.liu@windriver.com>
Date: Thu Jul 18 10:04:22 2013 +0800
libpam: add a new 'nullok_secure' option support to pam_unix
'null_ok_secure' option was fixed. Since that commit 'su' stopped working in
pseudo terminals (created in X environments) for root-accounts with empty
password.
Background: The PAM configuration for 'su' includes 'common-auth' which uses
'nullok_secure' option for pam_unix.
(From OE-Core rev: d28eba07553020bf9bfb1419663c1d18ab36ab66)
Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Allow user to set password in clear text. This is convenient when
we're building out an image.
This feature is mainly used by useradd.bbclass and extrausers.bbclass.
This patch adds a new option '-P' to useradd, usermod, groupadd and groupmod
commands provided by shadow-native. The shadow package on target and in SDK
will not be affected.
[YOCTO #5365]
(From OE-Core rev: 31dee7946340bf0f1e94e4e714191d3d6ca3bf6a)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
/etc/default/locale missing message appears when login
and running su <user>
qemu0 login[4189]: pam_env(login:session): Unable to open env file: /etc/default/locale: No such file or directory
qemu0 login[4189]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
qemu0 su[999]: pam_env(su:session): Unable to open env file: /etc/default/locale: No such file or directory
qemu0 su[999]: pam_unix(su:session): session opened for user root by root(uid=0)
This commit remove reference from pam.d/login and pam.d/su
to /etc/default/locale env file to avoid the error messages
as RHEL, fedora does.
(From OE-Core rev: 010ffabfb8631bd4894cc3f1f6f0834f3279f30c)
Signed-off-by: Qiang Chen <qiang.chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a Debian patch to fix the reading of the
gshadow file in order to make newgrp work correctly.
(From OE-Core rev: 3ef8db6217f7c40a9eb063d21ce6f25b16d88d53)
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
[sgw - tweaked commit message]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patch add_root_cmd_groupmems.patch that we apply to shadow-native
allows program groupmems from the shadow utility package to chroot()
so it can be used to modify etc/passwd and etc/group if they are
located in a sysroot.
The --root option in groupmems is needed for class useradd.
(From OE-Core rev: ae7aa0ef68372c15224c0c518cb90ba7350137b4)
Signed-off-by: Mikhail Durnev <mikhail_durnev@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch came from Slackware and address a change in crypt()'s handling
of an invalid seed, which in the past returned an encrypted string and now
returns a NULL.
[YOCTO #4097] related to tinylogin segfault
(From OE-Core rev: a7f7e6da8383b4bde6d8ce951e5c3c955073c0bd)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patched version of grpconv takes arguments but the check on
argc was not removed. This patch removes this check which
otherwise results in a spurious warning during rootfs creation.
(From OE-Core rev: 845a24e78835e93807cfb810fa99715ac4d14e21)
Signed-off-by: Martin Donnelly <martin.donnelly@ge.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable use of syslog to prevent sysroot user and group additions
from writing entries to the host's syslog.
This fixes [YOCTO #2012]
(From OE-Core rev: e5aee0a2f5973a7aef81d0f38307a93791f616c6)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Existing tty list does not include ttyGS0, add it
(From OE-Core rev: 6ba9dc6460eb615e002e90ead0f4d5bc31856f22)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The add_root_cmd_options.patch that we apply to shadow-native allow the
various programs from the shadow utility package to chroot() so they can
be used to modify etc/passwd and etc/group if they are located in a
sysroot.
Some of the shadow programs (gpasswd, useradd and usermod) need to parse
the command line in two passes. But we can't use getopt_long() twice
because getopt_long() reorders the command line arguments, and
consequently corrupts the option parsing during the second pass.
This patch fixes this issue by replacing the first pass by a very simple
manual walk of the command line to handle the --root argument.
This change is a patch of another patch, I apologize if it is
difficult to read. But IMHO it wouldn't make sense to put the patch for
this issue in another separated file.
The --root options in groupadd and useradd are needed to make the
useradd class work, and this issue was preventing to use useradd and
groupadd long options while using the class.
(From OE-Core rev: 6e9e19b18597103d8fe09f258cfd9904bb5f1c27)
Signed-off-by: Julian Pidancet <julian.pidancet@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fixes (or, at least, papers over) a failure in do_install for recipes which
inherit useradd.bbclass. Rewinding optind in this way is not entirely portable
but in practice it seems to work on GNU-ish build hosts at least.
(From OE-Core rev: 8fce8180c802ad187c4df44c17207bfb026ce6c7)
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
add shadow-update-pam-conf.patch to update the pam related configure files
in oe way rather than Fedora.
(From OE-Core rev: 10e6fdd7e8fed5733f65a504148bba54bccb3c48)
Signed-off-by: Kang Kai <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pseudo was recently changed so that when system() calls are
made after a chroot(), the host binaries can no longer be found,
breaking the system("mkdir -p") approach when useradd creates
home directories.
Instead, use mkdir(2) to create home directories with a helper
function to ensure parent directories get created.
(From OE-Core rev: 7d4099a964ec79b1ac4cf5348cf9f4221c3d4908)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Packaging login.defs with base-passwd causes problems due to the
file being included in target package installs. Instead, this
shadow-sysroot recipe can be used by useradd.bbclass to put
login.defs into the target sysroot without disturbing packages
intended for target devices.
(From OE-Core rev: 6cbf741d73070759ecb9a284e6511c63d945f7c1)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds a -native recipe for the shadow utilities.
The custom --root option allows the the following utilities to be
run within a chroot when invoked under pseudo:
* useradd
* groupadd
* usermod
* groupmod
* userdel
* groupdel
* passwd
* gpasswd
* pwconv
* pwunconv
* grpconv
* grpunconv
They can then be used to manipulate user and group account information
in target sysroots.
useradd was also modified to create home directories recursively when
necessary.
(From OE-Core rev: 37b8c18a3c2f3e77a9810a56a8ee786855ae1ba3)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Taking over maintenance of the shadow recipe. Cleaning it up in
preparation of adding a -native version that will be used to add
users/groups during preinstall.
(From OE-Core rev: 254ca8c1667b8d35914555714239a09bfb4f43be)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
SElinux has been disabled in the recipe, leading to messages like this:
[ 167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
[ 167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so
(From OE-Core rev: b90e9c2318fc421f37c57788ece54ce791a90b62)
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
