From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
Date: Fri, 29 Apr 2022 12:37:01 +0800
Message-ID: <c499f0d9-e2ba-0594-4a66-e3db13cb20fd@linux.intel.com>
In-Reply-To: <f8b6dac873114d92985ac907c1c7e088@axis.com>
On 2022-04-28 21:34, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Jiaqing Zhao
>> Sent: den 28 april 2022 11:50
>> To: openembedded-core@lists.openembedded.org
>> Cc: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> Subject: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
>>
>> Change the shell of all global static users other than root (which
>> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>>
>> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
>
> Since Kirkstone is out the door, is there any reason to not update
> the version of base-passwd instead?
>
> //Peter

The reason is that since version 3.5.30, base-passwd has switched to dh-autoreconf instead of autoconf to configure.

Changelog: https://launchpad.net/ubuntu/+source/base-passwd/3.5.30
> [ Colin Watson ]
> * Remove config.h.in and configure, now autogenerated by dh-autoreconf.

Since openembedded does not have the Debian toolchain, this recipe is marked NO UPDATE with reason "Version 3.5.38 requires cdebconf for update-passwd utility".
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb#L8

Jiaqing

>
>> Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> ---
>> v2:
>> Fix indentation in bbfile.
>> ---
>> .../base-passwd/disable-shell.patch | 57 +++++++++++++++++++
>> .../base-passwd/base-passwd_3.5.29.bb | 1 +
>> 2 files changed, 58 insertions(+)
>> create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-
>> shell.patch
>>
>> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> new file mode 100644
>> index 0000000000..dddc93ca35
>> --- /dev/null
>> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> @@ -0,0 +1,57 @@
>> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
>> +From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +Date: Mon, 18 Apr 2022 11:22:43 +0800
>> +Subject: [PATCH] Disable shell for default users
>> +
>> +Change the shell of all global static users other than root (which
>> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>> +
>> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-
>> passwd/3.5.30]
>> +Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
>> +---
>> + passwd.master | 32 ++++++++++++++++----------------
>> + 1 file changed, 16 insertions(+), 16 deletions(-)
>> +
>> +diff --git a/passwd.master b/passwd.master
>> +index e1c32ff..0cd5ffd 100644
>> +--- a/passwd.master
>> ++++ b/passwd.master
>> +@@ -1,18 +1,18 @@
>> + root::0:0:root:/root:/bin/sh
>> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
>> +-bin:*:2:2:bin:/bin:/bin/sh
>> +-sys:*:3:3:sys:/dev:/bin/sh
>> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
>> ++bin:*:2:2:bin:/bin:/sbin/nologin
>> ++sys:*:3:3:sys:/dev:/sbin/nologin
>> + sync:*:4:65534:sync:/bin:/bin/sync
>> +-games:*:5:60:games:/usr/games:/bin/sh
>> +-man:*:6:12:man:/var/cache/man:/bin/sh
>> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
>> +-mail:*:8:8:mail:/var/mail:/bin/sh
>> +-news:*:9:9:news:/var/spool/news:/bin/sh
>> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
>> +-proxy:*:13:13:proxy:/bin:/bin/sh
>> +-www-data:*:33:33:www-data:/var/www:/bin/sh
>> +-backup:*:34:34:backup:/var/backups:/bin/sh
>> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh
>> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh
>> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
>> ++games:*:5:60:games:/usr/games:/sbin/nologin
>> ++man:*:6:12:man:/var/cache/man:/sbin/nologin
>> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
>> ++mail:*:8:8:mail:/var/mail:/sbin/nologin
>> ++news:*:9:9:news:/var/spool/news:/sbin/nologin
>> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
>> ++proxy:*:13:13:proxy:/bin:/sbin/nologin
>> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin
>> ++backup:*:34:34:backup:/var/backups:/sbin/nologin
>> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
>> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
>> ++gnats:*:41:41:Gnats Bug-Reporting System
>> (admin):/var/lib/gnats:/sbin/nologin
>> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
>> +--
>> +2.32.0
>> +
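
Review bot: The 16 accounts switched to /sbin/nologin in the passwd.master hunk include service accounts such as www-data, mail and backup, and anything that runs commands as them through the passwd shell (for example `su - www-data -c ...` without `-s`) will fail once this lands; the commit message should say so, so that layer maintainers know to check their init scripts and cron jobs. The message also states that /sbin/nologin was chosen because /usr/sbin/nologin does not exist here, which makes this a modified backport, and nothing in the visible lines ensures /sbin/nologin is present in an image; consider naming the package expected to provide it. The unchanged context line `root::0:0:root:/root:/bin/sh` keeps an empty password field together with a login shell, which is outside this change but worth keeping in mind when describing what the patch hardens.
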
>> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> index 9a27ad3ab5..ef7792ae49 100644
>> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
>> @@ -14,6 +14,7 @@ SRC_URI =
>> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>> file://input.patch \
>> file://disable-docs.patch \
>> file://kvm.patch \
>> + file://disable-shell.patch \
>> "
>>
>> SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
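
Review bot: The added `file://disable-shell.patch \` entry in SRC_URI applies the shell change unconditionally to every build of base-passwd 3.5.29, and the patch carries no note for downstream layers that depend on a usable shell for one of the affected accounts. A sentence in the commit message (or the migration notes) stating that this changes default image behaviour, and that such layers need to carry their own adjustment, would make the change easier to pick up safely.
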
>> --
>> 2.34.1