From: Louis Rannou <lrannou@baylibre.com>
To: openembedded-core@lists.openembedded.org
Cc: Louis Rannou <lrannou@baylibre.com>, anuj.mittal@intel.com
Subject: [PATCH 1/3] rootfs-postcommands: change sysusers.d command
Date: Thu, 15 Jun 2023 13:43:53 +0200 [thread overview]
Message-ID: <20230613-sysusersd-v1-1-eaddf3179773@baylibre.com> (raw)
In-Reply-To: <20230613-sysusersd-v1-0-eaddf3179773@baylibre.com>
The configuration in sysusers.d used to be parsed to create users/groups at
build time instead at runtime. This was leading to several conflicts with
users/groups defined in base-passwd recipe and specific definitions in recipes
inheriting the useradd class. Some of those conflicts raised unseen errors in
the do_rootfs command's logs.
As an example, the root home directory is set by default to `/home/root` but
systemd expects it as `/root`.
The new command `systemd_sysusers_check` checks each configuration for
users/groups and compare their properties to what is actually defined in the
`/etc/passwd` and `/etc/group` of the target rootfs.
Signed-off-by: Louis Rannou <lrannou@baylibre.com>
---
meta/classes-recipe/rootfs-postcommands.bbclass | 133 +++++++++++++++++++-----
1 file changed, 109 insertions(+), 24 deletions(-)
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index 690fa976aa..652601b95f 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -43,7 +43,7 @@ ROOTFS_POSTUNINSTALL_COMMAND =+ "write_image_manifest ; "
POSTINST_LOGFILE ?= "${localstatedir}/log/postinstall.log"
# Set default target for systemd images
SYSTEMD_DEFAULT_TARGET ?= '${@bb.utils.contains_any("IMAGE_FEATURES", [ "x11-base", "weston" ], "graphical.target", "multi-user.target", d)}'
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("DISTRO_FEATURES", "systemd", "set_systemd_default_target; systemd_create_users;", "", d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("DISTRO_FEATURES", "systemd", "set_systemd_default_target; systemd_sysusers_check;", "", d)}'
ROOTFS_POSTPROCESS_COMMAND += 'empty_var_volatile;'
@@ -69,29 +69,114 @@ python () {
d.appendVar('ROOTFS_POSTPROCESS_COMMAND', 'rootfs_reproducible;')
}
-systemd_create_users () {
- for conffile in ${IMAGE_ROOTFS}/usr/lib/sysusers.d/*.conf; do
- [ -e $conffile ] || continue
- grep -v "^#" $conffile | sed -e '/^$/d' | while read type name id comment; do
- if [ "$type" = "u" ]; then
- useradd_params="--shell /sbin/nologin"
- [ "$id" != "-" ] && useradd_params="$useradd_params --uid $id"
- [ "$comment" != "-" ] && useradd_params="$useradd_params --comment $comment"
- useradd_params="$useradd_params --system $name"
- eval useradd --root ${IMAGE_ROOTFS} $useradd_params || true
- elif [ "$type" = "g" ]; then
- groupadd_params=""
- [ "$id" != "-" ] && groupadd_params="$groupadd_params --gid $id"
- groupadd_params="$groupadd_params --system $name"
- eval groupadd --root ${IMAGE_ROOTFS} $groupadd_params || true
- elif [ "$type" = "m" ]; then
- group=$id
- eval groupadd --root ${IMAGE_ROOTFS} --system $group || true
- eval useradd --root ${IMAGE_ROOTFS} --shell /sbin/nologin --system $name --no-user-group || true
- eval usermod --root ${IMAGE_ROOTFS} -a -G $group $name
- fi
- done
- done
+# Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric
+# uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it
+# automatic or it can be a path. In the latter, the uid/gid matches the
+# user/group owner of that file.
+def resolve_sysusers_id(d, sid):
+ # If the id is a path, the uid/gid matchs to the target's uid/gid in the
+ # rootfs.
+ if '/' in sid:
+ try:
+ osstat = os.stat(os.path.join(d.getVar('IMAGE_ROOTFS'), sid))
+ except FileNotFoundError:
+ bb.error('sysusers.d: file %s is required but it does not exist in the rootfs', sid)
+ return ('-', '-')
+ return (osstat.st_uid, osstat.st_gid)
+ # Else it is a uid:gid or uid:groupname syntax
+ if ':' in sid:
+ return sid.split(':')
+ else:
+ return (sid, '-')
+
+# Check a user exists in the rootfs password file and return its properties
+def check_user_exists(d, uname=None, uid=None):
+ with open(os.path.join(d.getVar('IMAGE_ROOTFS'), 'etc/passwd'), 'r') as pwfile:
+ for line in pwfile:
+ (name, _, u_id, gid, comment, homedir, ushell) = line.strip().split(':')
+ if uname == name or uid == u_id:
+ return (name, u_id, gid, comment or '-', homedir or '/', ushell or '-')
+ return None
+
+# Check a group exists in the rootfs group file and return its properties
+def check_group_exists(d, gname=None, gid=None):
+ with open(os.path.join(d.getVar('IMAGE_ROOTFS'), 'etc/group'), 'r') as gfile:
+ for line in gfile:
+ (name, _, g_id, _) = line.strip().split(':')
+ if name == gname or g_id == gid:
+ return (name, g_id)
+ return None
+
+def compare_users(user, e_user):
+ # user and e_user must not have None values. Unset values must be '-'.
+ (name, uid, gid, comment, homedir, ushell) = user
+ (e_name, e_uid, e_gid, e_comment, e_homedir, e_ushell) = e_user
+ # Ignore 'uid', 'gid' or 'comment' if they are not set
+ # Ignore 'shell' and 'ushell' if one is not set
+ return name == e_name \
+ and (uid == '-' or uid == e_uid) \
+ and (gid == '-' or gid == e_gid) \
+ and (comment == '-' or e_comment == '-' or comment.lower() == e_comment.lower()) \
+ and (homedir == '-' or e_homedir == '-' or homedir == e_homedir) \
+ and (ushell == '-' or e_ushell == '-' or ushell == e_ushell)
+
+# Open sysusers.d configuration files and parse each line to check the users and
+# groups are already defined in /etc/passwd and /etc/groups with similar
+# properties. Refer to the sysusers.d(5) manual for its syntax.
+python systemd_sysusers_check() {
+ import glob
+ import re
+
+ pattern_comment = r'(-|\"[^:\"]+\")'
+ pattern_word = r'[^\s]+'
+ pattern_line = r'(' + pattern_word + r')\s+(' + pattern_word + r')\s+(' + pattern_word + r')(\s+' \
+ + pattern_comment + r')?' + r'(\s+(' + pattern_word + r'))?' + r'(\s+(' + pattern_word + r'))?'
+
+ for conffile in glob.glob(os.path.join(d.getVar('IMAGE_ROOTFS'), 'usr/lib/sysusers.d/*.conf')):
+ with open(conffile, 'r') as f:
+ for line in f:
+ line = line.strip()
+ if not len(line) or line[0] == '#': continue
+ ret = re.fullmatch(pattern_line, line.strip())
+ if not ret: continue
+ (stype, sname, sid, _, scomment, _, shomedir, _, sshell) = ret.groups()
+ if stype == 'u':
+ if sid:
+ (suid, sgid) = resolve_sysusers_id(d, sid)
+ if sgid.isalpha():
+ sgid = check_group_exists(d, gname=sgid)
+ elif sgid.isdigit():
+ check_group_exists(d, gid=sgid)
+ else:
+ sgid = '-'
+ else:
+ suid = '-'
+ sgid = '-'
+ scomment = scomment.replace('"', '') if scomment else '-'
+ shomedir = shomedir or '-'
+ sshell = sshell or '-'
+ e_user = check_user_exists(d, uname=sname)
+ if not e_user:
+ bb.warn('User %s has never been defined' % sname)
+ elif not compare_users((sname, suid, sgid, scomment, shomedir, sshell), e_user):
+ bb.warn('User %s has been defined as (%s) but sysusers.d expects it as (%s)'
+ % (sname, ', '.join(e_user),
+ ', '.join((sname, suid, sgid, scomment, shomedir, sshell))))
+ elif stype == 'g':
+ gid = sid or '-'
+ if '/' in gid:
+ (_, gid) = resolve_sysusers_id(d, sid)
+ e_group = check_group_exists(d, gname=sname)
+ if not e_group:
+ bb.warn('Group %s has never been defined' % sname)
+ elif gid != '-':
+ (_, e_gid) = e_group
+ if gid != e_gid:
+ bb.warn('Group %s has been defined with id (%s) but sysusers.d expects gid (%s)'
+ % (sname, e_gid, gid))
+ elif stype == 'm':
+ check_user_exists(d, sname)
+ check_group_exists(d, sid)
}
#
--
2.41.0
next prev parent reply other threads:[~2023-06-15 11:44 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-15 11:43 [PATCH 0/3] rootfs-postcommands: replace the sysusers.d postcommand Louis Rannou
2023-06-15 11:43 ` Louis Rannou [this message]
2023-06-15 11:43 ` [PATCH 2/3] systemd: replace the sysusers.d basic configuration Louis Rannou
2023-06-16 16:51 ` [OE-core] " Peter Kjellerstedt
2023-06-19 12:27 ` Louis Rannou
[not found] ` <5a438786-9f24-e30d-ed84-08bf48b7bfd4@baylibre.com>
2023-06-29 13:03 ` Louis Rannou
2023-07-25 17:11 ` Peter Kjellerstedt
2023-06-15 11:43 ` [PATCH 3/3] base-passwd: add the wheel group Louis Rannou
2023-06-18 9:37 ` [OE-core] " Alexandre Belloni
2023-06-19 12:28 ` Louis Rannou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230613-sysusersd-v1-1-eaddf3179773@baylibre.com \
--to=lrannou@baylibre.com \
--cc=anuj.mittal@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.