From: Jiaqing Zhao
Date: Fri, 29 Apr 2022 12:37:01 +0800
Subject: Re: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
To: Peter Kjellerstedt, "openembedded-core@lists.openembedded.org"
References: <20220428094932.1411461-1-jiaqing.zhao@linux.intel.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/164988

On 2022-04-28 21:34, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org On Behalf Of Jiaqing Zhao
>> Sent: den 28 april 2022 11:50
>> To: openembedded-core@lists.openembedded.org
>> Cc: Jiaqing Zhao
>> Subject: [OE-core] [PATCH v2] base-passwd: Disable shell for default users
>>
>> Change the shell of all global static users other than root (which
>> retains /bin/sh) and sync (as /bin/sync is rather harmless) to
>> /sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
>>
>> Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
>
> Since Kirkstone is out the door, is there any reason to not update
> the version of base-passwd instead?
>
> //Peter

The reason is that since base-passwd 3.5.30, it switches to dh-autoreconf
instead of autoconf to configure

Changelog: https://launchpad.net/ubuntu/+source/base-passwd/3.5.30
> [ Colin Watson ]
> * Remove config.h.in and configure, now autogenerated by dh-autoreconf.

Since openembedded does not have the Debian toolchain, this recipe is marked
NO UPDATE with reason "Version 3.5.38 requires cdebconf for update-passwd utility".
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb#L8

Jiaqing

>
>> Signed-off-by: Jiaqing Zhao >> --- >> v2: >> Fix indentation in bbfile. >> --- >> .../base-passwd/disable-shell.patch | 57 +++++++++++++++++++ >> .../base-passwd/base-passwd_3.5.29.bb | 1 + >> 2 files changed, 58 insertions(+) >> create mode 100644 meta/recipes-core/base-passwd/base-passwd/disable- >> shell.patch >> >> diff --git a/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch >> b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch >> new file mode 100644 >> index 0000000000..dddc93ca35 >> --- /dev/null >> +++ b/meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
>> @@ -0,0 +1,57 @@ >> +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001 >> +From: Jiaqing Zhao >> +Date: Mon, 18 Apr 2022 11:22:43 +0800 >> +Subject: [PATCH] Disable shell for default users >> + >> +Change the shell of all global static users other than root (which >> +retains /bin/sh) and sync (as /bin/sync is rather harmless) to >> +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded) >> + >> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base- >> passwd/3.5.30] >> +Signed-off-by: Jiaqing Zhao >> +--- >> + passwd.master | 32 ++++++++++++++++---------------- >> + 1 file changed, 16 insertions(+), 16 deletions(-) >> + >> +diff --git a/passwd.master b/passwd.master >> +index e1c32ff..0cd5ffd 100644 >> +--- a/passwd.master >> ++++ b/passwd.master >> +@@ -1,18 +1,18 @@ >> + root::0:0:root:/root:/bin/sh >> +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh >> +-bin:*:2:2:bin:/bin:/bin/sh >> +-sys:*:3:3:sys:/dev:/bin/sh >> ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin >> ++bin:*:2:2:bin:/bin:/sbin/nologin >> ++sys:*:3:3:sys:/dev:/sbin/nologin >> + sync:*:4:65534:sync:/bin:/bin/sync >> +-games:*:5:60:games:/usr/games:/bin/sh >> +-man:*:6:12:man:/var/cache/man:/bin/sh >> +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh >> +-mail:*:8:8:mail:/var/mail:/bin/sh >> +-news:*:9:9:news:/var/spool/news:/bin/sh >> +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh >> +-proxy:*:13:13:proxy:/bin:/bin/sh >> +-www-data:*:33:33:www-data:/var/www:/bin/sh >> +-backup:*:34:34:backup:/var/backups:/bin/sh >> +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh >> +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh >> +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh >> +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh >> ++games:*:5:60:games:/usr/games:/sbin/nologin >> ++man:*:6:12:man:/var/cache/man:/sbin/nologin >> ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin >> ++mail:*:8:8:mail:/var/mail:/sbin/nologin >> 
++news:*:9:9:news:/var/spool/news:/sbin/nologin >> ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin >> ++proxy:*:13:13:proxy:/bin:/sbin/nologin >> ++www-data:*:33:33:www-data:/var/www:/sbin/nologin >> ++backup:*:34:34:backup:/var/backups:/sbin/nologin >> ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin >> ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin >> ++gnats:*:41:41:Gnats Bug-Reporting System >> (admin):/var/lib/gnats:/sbin/nologin >> ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin >> +-- >> +2.32.0 >> + >> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb >> b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb >> index 9a27ad3ab5..ef7792ae49 100644 >> --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb >> +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb >> @@ -14,6 +14,7 @@ SRC_URI = >> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar >> file://input.patch \ >> file://disable-docs.patch \ >> file://kvm.patch \ >> + file://disable-shell.patch \ >> " >> >> SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421" >> -- >> 2.34.1
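
Review bot: The passwd.master hunk points every account from daemon through nobody (except sync) at /sbin/nologin, but nothing visible in the patch ensures that binary exists on the target: the base-passwd_3.5.29.bb hunk only adds file://disable-shell.patch to SRC_URI and declares no dependency on a nologin provider. The commit message explains why /usr/sbin/nologin was not used; it should also say which package is expected to ship /sbin/nologin and whether an image without it is acceptable. Anything that relied on the /bin/sh shell field of these accounts changes behaviour with this patch, which deserves a line in the commit message. Smaller point: Upstream-Status: Backport links the 3.5.30 package page rather than a specific upstream change, and the path was deliberately changed to /sbin/nologin, so the tag should note that the backport is adapted.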
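
A check for the policy the commit message describes (root keeps a shell, sync runs /bin/sync, every other account gets a no-login shell), as an added example that is not part of the thread or of OpenEmbedded. The function names and sample data are constructed, and accepting any path ending in `nologin` or `false` as a no-login shell is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file against the
# policy in the patch. Function names and the sample data are constructed.

# Print "name:uid:shell" for every account that can still get a shell.
# Reads the files given as arguments, or stdin if none. Returns 1 on findings.
audit_passwd_shells() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }                    # comments, blank lines
        NF != 7 { print $1 ":?:malformed entry"; bad = 1; next }
        $1 == "root" && $3 == 0 { next }               # root retains /bin/sh
        $1 == "sync" && $7 == "/bin/sync" { next }     # sync only runs sync(1)
        $7 ~ /\/(nologin|false)$/ { next }             # assumption: accepted no-login shells
        {
            # passwd(5): an empty shell field means /bin/sh
            print $1 ":" $3 ":" ($7 == "" ? "(empty, defaults to /bin/sh)" : $7)
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample mixing pre-patch and post-patch style entries.
sample_passwd() {
    cat <<'EOF'
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
www-data:*:33:33:www-data:/var/www:
nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
EOF
}

sample_passwd | audit_passwd_shells || echo "accounts with a usable shell found" >&2
```

Pass the passwd file from a built root filesystem as the argument to run the same check on a real image.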