From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
Date: Fri, 29 Apr 2022 12:37:01 +0800
Message-ID: <c499f0d9-e2ba-0594-4a66-e3db13cb20fd@linux.intel.com>
In-Reply-To: <f8b6dac873114d92985ac907c1c7e088@axis.com>

On 2022-04-28 21:34, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Jiaqing Zhao
>> Sent: den 28 april 2022 11:50
>> To: openembedded-core@lists.openembedded.org
>> Cc: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> Subject: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
>>
>> Change the shell of all global static users other than root (which
>> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>>
>> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
> 
> Since Kirkstone is out the door, is there any reason to not update 
> the version of base-passwd instead?
> 
> //Peter

The reason is that, since base-passwd 3.5.30, it has switched to dh-autoreconf instead of autoconf to configure.

Changelog: https://launchpad.net/ubuntu/+source/base-passwd/3.5.30
>  [ Colin Watson ]
>  * Remove config.h.in and configure, now autogenerated by dh-autoreconf.

Since openembedded does not have the Debian toolchain, this recipe is marked NO UPDATE with reason "Version 3.5.38 requires cdebconf for update-passwd utility". 
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb#L8

Jiaqing

> 
>> Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> ---
>> v2:
>> Fix indentation in bbfile.
>> ---
>>  .../base-passwd/disable-shell.patch           | 57 +++++++++++++++++++
>>  .../base-passwd/base-passwd_3.5.29.bb         |  1 +
>>  2 files changed, 58 insertions(+)
>>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-
>> shell.patch
>>
>> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> new file mode 100644
>> index 0000000000..dddc93ca35
>> --- /dev/null
>> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> @@ -0,0 +1,57 @@
>> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
>> +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +Date: Mon, 18 Apr 2022 11:22:43 +0800
>> +Subject: [PATCH] Disable shell for default users
>> +
>> +Change the shell of all global static users other than root (which
>> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>> +
>> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-
>> passwd/3.5.30]
>> +Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +---
>> + passwd.master | 32 ++++++++++++++++----------------
>> + 1 file changed, 16 insertions(+), 16 deletions(-)
>> +
>> +diff --git a/passwd.master b/passwd.master
>> +index e1c32ff..0cd5ffd 100644
>> +--- a/passwd.master
>> ++++ b/passwd.master
>> +@@ -1,18 +1,18 @@
>> + root::0:0:root:/root:/bin/sh
>> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
>> +-bin:*:2:2:bin:/bin:/bin/sh
>> +-sys:*:3:3:sys:/dev:/bin/sh
>> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
>> ++bin:*:2:2:bin:/bin:/sbin/nologin
>> ++sys:*:3:3:sys:/dev:/sbin/nologin
>> + sync:*:4:65534:sync:/bin:/bin/sync
>> +-games:*:5:60:games:/usr/games:/bin/sh
>> +-man:*:6:12:man:/var/cache/man:/bin/sh
>> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
>> +-mail:*:8:8:mail:/var/mail:/bin/sh
>> +-news:*:9:9:news:/var/spool/news:/bin/sh
>> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
>> +-proxy:*:13:13:proxy:/bin:/bin/sh
>> +-www-data:*:33:33:www-data:/var/www:/bin/sh
>> +-backup:*:34:34:backup:/var/backups:/bin/sh
>> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
>> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
>> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
>> ++games:*:5:60:games:/usr/games:/sbin/nologin
>> ++man:*:6:12:man:/var/cache/man:/sbin/nologin
>> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
>> ++mail:*:8:8:mail:/var/mail:/sbin/nologin
>> ++news:*:9:9:news:/var/spool/news:/sbin/nologin
>> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
>> ++proxy:*:13:13:proxy:/bin:/sbin/nologin
>> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
>> ++backup:*:34:34:backup:/var/backups:/sbin/nologin
>> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
>> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
>> ++gnats:*:41:41:Gnats Bug-Reporting System
>> (admin):/var/lib/gnats:/sbin/nologin
>> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
>> +--
>> +2.32.0
>> +
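Review bot: in the `passwd.master` hunk every non-root account except sync now points at `/sbin/nologin`, but nothing in this patch or in the recipe change ensures that binary is installed in the image. The commit message already says `/usr/sbin/nologin` does not exist in openembedded; please also state which package provides `/sbin/nologin` and whether images built without it are expected to be covered. Separately, the unchanged context line `root::0:0:root:/root:/bin/sh` keeps an empty password field, so the commit message could say explicitly that root is left out of scope here.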
>> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> index 9a27ad3ab5..ef7792ae49 100644
>> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> @@ -14,6 +14,7 @@ SRC_URI =
>> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>>             file://input.patch \
>>             file://disable-docs.patch \
>>             file://kvm.patch \
>> +           file://disable-shell.patch \
>>             "
>>
>>  SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
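Review bot: the new `file://disable-shell.patch \` entry in SRC_URI carries no hint that it only exists because the recipe is pinned at 3.5.29. Since the patch header marks it as a backport from 3.5.30, a short comment in the recipe or in the patch header saying it can be dropped once the recipe moves to 3.5.30 or later would spare the next upgrader from rebasing it.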
>> --
>> 2.34.1
> 
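An added example, not part of the original thread or of OE-core: a check that audits a passwd-format file for the condition this patch removes (non-root accounts with a login shell) and, given an image rootfs, for shells that are not installed there. The function name `audit_passwd`, the shell allow-list and the sample strings (entries copied from the hunk above) are assumptions of this example.

```python
import os

# Shells that give no interactive session. /bin/sync is listed because the
# patch deliberately leaves the sync account on it. (Assumed allow-list.)
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed samples: entries copied from the passwd.master hunk, before and after.
BEFORE = """root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
"""
AFTER = BEFORE.replace("daemon:/usr/sbin:/bin/sh", "daemon:/usr/sbin:/sbin/nologin") \
              .replace("/nonexistent:/bin/sh", "/nonexistent:/sbin/nologin")


def audit_passwd(text, rootfs=None):
    """Return (account, finding) tuples for a passwd-format string.

    If rootfs is given, also report shells that are not present under it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, passwd, uid, _gid, _gecos, _home, shell = fields
        if passwd == "":
            findings.append((name, "empty password field"))
        # An empty shell field means /bin/sh, so it counts as a login shell.
        if uid != "0" and shell not in NON_LOGIN_SHELLS:
            findings.append((name, f"login shell {shell or '/bin/sh (default)'}"))
        # lexists: a symlinked shell (e.g. to busybox) must not be resolved
        # against the build host's filesystem.
        if rootfs and shell and not os.path.lexists(os.path.join(rootfs, shell.lstrip("/"))):
            findings.append((name, f"shell {shell} missing from rootfs"))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_passwd(sample))
```

Pointing `rootfs` at an image's root filesystem directory and passing the contents of its `etc/passwd` reports any account whose shell path is absent from that image.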


Thread overview: 5+ messages
2022-04-28  9:49 [PATCH v2] base-passwd: Disable shell for default users Jiaqing Zhao
2022-04-28 13:34 ` [OE-core] " Peter Kjellerstedt
2022-04-29  4:37   ` Jiaqing Zhao [this message]
2022-04-29 12:22 ` Richard Purdie
2022-04-30  2:55   ` Jiaqing Zhao
