From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2] package/openssh: Add sysusers.d snippet
Date: Tue, 18 Dec 2018 20:59:46 +0100
Message-ID: <20181218195946.GH24194@scaer>
In-Reply-To: <9cf83ac8-2d39-0eb5-92cb-0469eb0a9d6e@mind.be>

Arnout, All,

On 2018-12-17 23:59 +0100, Arnout Vandecappelle spake thusly:
> On 17/12/2018 19:13, Yann E. MORIN wrote:
> > Chris, All,
> >
> > On 2018-12-17 15:07 +0000, Chris Lesiak spake thusly:
> >> On 12/16/18 7:45 AM, Yann E. MORIN wrote:
> >>> On 2018-02-16 12:10 -0600, Chris Lesiak spake thusly:
> >>>> Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
> > [--SNIP--]
> >>>> diff --git a/package/openssh/sshd_sysusers.conf b/package/openssh/sshd_sysusers.conf
> >>>> new file mode 100644
> >>>> index 0000000000..3ea46f65c6
> >>>> --- /dev/null
> >>>> +++ b/package/openssh/sshd_sysusers.conf
> > [--SNIP--]
> >>>> +u sshd - "Privilege-separated SSH"
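Review bot: nothing on the added `u sshd - "Privilege-separated SSH"` line in sshd_sysusers.conf ties it to the sshd user that the package's .mk also defines, so the two definitions can drift apart without anyone noticing. Add a comment to the new file naming the .mk entry it has to stay in sync with, and say there why the ID field is left as `-` rather than a fixed value.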
> >>> We've discussed this a bit with Thomas, and there is one thing that we
> >>> did not like much, is that it is not integrated nicely in the existing
> >>> users support in Buildroot.
> >>>
> >>> Shouldn't we have a generic mechanism, that takes all the FOO_USERS, and
> >>> turns them into sysusers.d(5) entries? Maybe something like:
> >>>
> >>> define SYSTEMD_SYSUSERS
> >>> mkdir -p $(TARGET_DIR)/usr/lib/sysusers.d/
> >>> echo "$(PACKAGES_USERS)" \
> >>> |while read user uid group gid passwd home shell groups comment; do
> >>> printf "u %s %s %s\n" "${user}" "${uid}" "${comment}"
> Obviously, we also want to add the comment, home and shell to the conf file.

No, because the format of the sysusers.d files does not allow for that,
see the man page.

[--SNIP the reason for it: stateless systems--]

> > And with the above, all users of all packages are in the PACKAGES_USERS
> > variable, but there is no way to track them back to the corresponding
> > packages.
>
> Anything is possible, with enough infra work :-)
>
> In this case, it could be something like updating the _USERS support in
> pkg-generic.mk to:
>
> ifneq ($$($(2)_USERS),)
> ifeq ($$(BR2_PACKAGE_SYSTEMD_SYSUSERS),y)
> $(2)_POST_INSTALL_TARGET_HOOKS += SYSTEMD_INSTALL_PKG_SYSUSERS_CONF
> else
> PACKAGES_USERS += $$($(2)_USERS)$$(sep)
> endif
> endif
>
> with
>
> define SYSTEMD_INSTALL_PKG_SYSUSERS_CONF
> 	mkdir -p $(TARGET_DIR)/usr/lib/sysusers.d/
> 	echo "$($(PKG)_USERS)" \
> 	| while read user uid group gid passwd home shell groups comment; do \
> 		printf 'u %s %s "%s" %s %s\n' "$${user}" "$${uid}" "$${comment}" "$${home}" "$${shell}"; \
> 	done >$(TARGET_DIR)/usr/lib/sysusers.d/$($(PKG)_NAME).conf
> 	# And similarly for groups...
> endef

Yeah, but is it worth it? After all, we only need the users to be created
at runtime. Do we need to track in separate files what packages installed
what user? We do not have that separation in /etc/passwd, mind you! ;-)

> There's a slight complication though: what if the package does install a
> sysusers.d file? In that case, we don't want to create one from the Buildroot
> infra, but we still want to create a user in the non-systemd case...

That's the tricky part. We would need some target-finalize hook to do
all that job:

  - for each user in PACKAGES_USERS, create a sysusers.d file if there
    is none yet,

  - for each user in sysusers.d, create an entry in /etc/passwd if there
    is none yet.

> > Currently, the set of users created by FOO_USERS and the set of users
> > created by sysusers.d files is not consistent. Your proposed patch fixes
> > it for openssh only, but:
> >
> > - the user definition is duplicated: one in the .mk, one in the
> > sysusers.d file, so becomes a maintenance burden (e.g. should we
> > need to create another user for it, for example)
>
> Well, no, as I wrote above: it makes no sense to add a user both to passwd and
> to sysusers.d, since the sysusers.d will just go ignored.

And as Thomas and Chris explained: it does make sense, and now you saw
the Light, so all is fine! ;-)

Regards,
Yann E. MORIN.

--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
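
Added example, not part of the original message and not Buildroot code: the two-pass target-finalize reconciliation described in the message above, written as POSIX shell. The function names and the output file name buildroot.conf are assumptions; it emits only the name, ID and comment fields, and the second pass reports the users that would need a passwd entry rather than creating them.

```sh
#!/bin/sh
# Added example, not Buildroot code. Function names and the output file
# name buildroot.conf are assumptions made for this illustration.

# True if any *.conf under directory $1 already declares user $2.
has_sysuser() {
    cat "$1"/*.conf 2>/dev/null |
        awk -v n="$2" '$1 == "u" && $2 == n { f = 1 } END { exit !f }'
}

# Step 1: users table on stdin -> $1/buildroot.conf, skipping users that a
# package-provided snippet (or an earlier table line) already declares.
table_to_sysusers() {
    mkdir -p "$1"
    while read -r user uid group gid passwd home shell groups comment; do
        case "$user" in ''|'#'*|-) continue ;; esac  # "-": group-only line
        has_sysuser "$1" "$user" && continue
        [ "$uid" = "-1" ] && uid=-                    # -1 in the table: automatic ID
        printf 'u %s %s "%s"\n' "$user" "$uid" "$comment"
    done >>"$1/buildroot.conf"
}

# Step 2: print users declared under $1 that have no entry in passwd file $2.
sysusers_missing_from_passwd() {
    cat "$1"/*.conf 2>/dev/null | awk '$1 == "u" { print $2 }' | sort -u |
        while read -r name; do
            cut -d: -f1 "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
        done
}

# Constructed sample data: one shipped snippet, a passwd file, a users table.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/sysusers.d"
    printf 'u sshd - "Privilege-separated SSH"\n' >"$t/sysusers.d/sshd.conf"
    printf 'root:x:0:0:root:/root:/bin/sh\nftp:x:45:45::/var/ftp:/bin/false\n' >"$t/passwd"
    table_to_sysusers "$t/sysusers.d" <<'EOF'
sshd -1 sshd -1 * - - - SSH drop priv user
ftp 45 ftp 45 * /var/ftp - - Anonymous FTP
- -1 input -1 - - - - Input device group
EOF
    cat "$t/sysusers.d/buildroot.conf"
    sysusers_missing_from_passwd "$t/sysusers.d" "$t/passwd"
    rm -rf "$t"
}
demo
```

In the sample, sshd is skipped in the first pass because a snippet already declares it, and it is the only name the second pass reports because the constructed passwd file has no sshd entry.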