Openembedded Core Discussions
* [PATCH 0/2] Fix Yocto#5539 and Yocto#7137
@ 2015-04-21  9:30 Chen Qi
  2015-04-21  9:30 ` [PATCH 1/2] shadow: fix `su' behaviour Chen Qi
  2015-04-21  9:30 ` [PATCH 2/2] bash: explicitly define NON_INTERACTIVE_LOGIN_SHELLS in CFLAGS Chen Qi
  0 siblings, 2 replies; 3+ messages in thread
From: Chen Qi @ 2015-04-21  9:30 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit c9b06c79ed8a082d1b385e9f61721aeeda9bf1af:

  init-install-efi.sh: fix gummiboot entry installation (2015-04-21 07:19:07 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib ChenQi/bug-5539-7137
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=ChenQi/bug-5539-7137

Chen Qi (2):
  shadow: fix `su' behaviour
  bash: explicitly define NON_INTERACTIVE_LOGIN_SHELLS in CFLAGS

 meta/recipes-extended/bash/bash.inc                |  5 +++++
 .../0001-su.c-fix-to-exec-command-correctly.patch  | 25 ----------------------
 meta/recipes-extended/shadow/shadow.inc            |  5 ++++-
 3 files changed, 9 insertions(+), 26 deletions(-)
 delete mode 100644 meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch

-- 
1.9.1




* [PATCH 1/2] shadow: fix `su' behaviour
  2015-04-21  9:30 [PATCH 0/2] Fix Yocto#5539 and Yocto#7137 Chen Qi
@ 2015-04-21  9:30 ` Chen Qi
  2015-04-21  9:30 ` [PATCH 2/2] bash: explicitly define NON_INTERACTIVE_LOGIN_SHELLS in CFLAGS Chen Qi
  1 sibling, 0 replies; 3+ messages in thread
From: Chen Qi @ 2015-04-21  9:30 UTC (permalink / raw)
  To: openembedded-core

0001-su.c-fix-to-exec-command-correctly.patch is removed. Below is the reason.
This patch was introduced to solve the 'su: applet not found' problem when
executing `su -l xxx -c env'. The patch references code from a previous release
of shadow. However, this patch introduces bug#5359, so it's not correct.

Let's first look at the root cause of the 'su: applet not found' problem.
This problem appears when /bin/sh is provided by busybox.
When executing `su -l xxx -c env' command, the following function is invoked.
    execve("/bin/sh", ["-su", "-c", "env"], [/* 6 vars */])
Note that the argv[0] provided to the new executable file (/bin/sh) is "-su".
As /bin/sh is a symlink to /bin/busybox, it's /bin/busybox that is executed.
In busybox's appletlib.c, it would examine argv[0], try to find an applet
that has the same name, and then try to execute the main function of the
applet. This logic results in the `su' applet from busybox being executed.
However, we default to setting 'BUSYBOX_SPLIT_SUID' to "1", so 'su' is not found.
Furthermore, even if we set 'BUSYBOX_SPLIT_SUID' to "0" so that the 'su' applet
is found, the whole behaviour is still not correct, because 'su' from shadow
takes higher priority than that from busybox, so 'su' from busybox should never
be executed on such a system unless it's specified clearly by the end user.
The logic of busybox's appletlib.c is totally correct from the point of view of
busybox itself. It's an integration problem.

To solve the above problem, this patch comments out SU_NAME in /etc/login.defs
so that the final function executed in shadow's su is as below.
    execve("/bin/sh", ["-sh", "-c", "env"], [/* 6 vars */])

[YOCTO #5359]
[YOCTO #7137]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../0001-su.c-fix-to-exec-command-correctly.patch  | 25 ----------------------
 meta/recipes-extended/shadow/shadow.inc            |  5 ++++-
 2 files changed, 4 insertions(+), 26 deletions(-)
 delete mode 100644 meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch

diff --git a/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch b/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
deleted file mode 100644
index 31337de..0000000
--- a/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Upstream-Status: Pending
-
-Subject: su.c: fix to exec command correctly
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- src/su.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/su.c b/src/su.c
-index 3704217..bc4f2ac 100644
---- a/src/su.c
-+++ b/src/su.c
-@@ -1156,7 +1156,7 @@ int main (int argc, char **argv)
- 		 * Use the shell and create an argv
- 		 * with the rest of the command line included.
- 		 */
--		argv[-1] = cp;
-+		argv[-1] = shellstr;
- 		execve_shell (shellstr, &argv[-1], environ);
- 		err = errno;
- 		(void) fprintf (stderr,
--- 
-1.7.9.5
-
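Review bot: the log says the deleted patch introduces bug#5359 but not how. The removed line `argv[-1] = shellstr;` hands the shell its own path string as argv[0], where the execve traces in the log show a dash-prefixed name ("-su", "-sh"); if losing that dash is what broke login-shell handling, please say so in the commit message, so the reason for going back to `argv[-1] = cp;` is recorded alongside the removal.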
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 7c63d88..5451718 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -14,7 +14,6 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
            file://shadow-4.1.3-dots-in-usernames.patch \
            file://usermod-fix-compilation-failure-with-subids-disabled.patch \
            file://fix-installation-failure-with-subids-disabled.patch \
-           file://0001-su.c-fix-to-exec-command-correctly.patch \
            file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
            file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
@@ -108,6 +107,10 @@ do_install() {
 	# Disable checking emails.
 	sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
 
+	# Comment out SU_NAME to work correctly with busybox
+	# See Bug#5359 and Bug#7173
+	sed -i 's:^SU_NAME:#SU_NAME:g' ${D}${sysconfdir}/login.defs
+
 	# Use proper encryption for passwords
 	sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs
 
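Review bot: the comment added in do_install cites "Bug#5359 and Bug#7173", but the commit tags are [YOCTO #5359] and [YOCTO #7137] and the cover letter subject says Yocto#5539 and Yocto#7137; please settle on the correct numbers so the comment can be followed from the recipe. The `g` flag on `s:^SU_NAME:#SU_NAME:g` does nothing with a `^` anchor and can be dropped. Since sed exits successfully when nothing matches, the workaround disappears silently if login.defs ever ships the SU_NAME line in a different form (indented, or already commented); a grep check after the sed would make that visible at build time.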
-- 
1.9.1
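
Added example (not part of the original patch, and not busybox's or shadow's code): a simplified C model of the argv[0] lookup the commit message above describes. The applet tables and function names are constructed for illustration; they show why "-su" fails against an applet set without su, why it would select su when that applet is present, and why "-sh" resolves to the shell while still carrying the login-shell dash.

```c
/* Simplified model of argv[0]-based applet dispatch in a multi-call binary.
 * Not busybox's appletlib.c; the applet tables below are constructed. */
#include <stdio.h>
#include <string.h>

/* Constructed applet lists: with su split out into a separate suid binary,
 * the binary behind /bin/sh has no "su" entry. */
static const char *const NOSUID_APPLETS[] = { "env", "sh", NULL };
static const char *const ALL_APPLETS[]    = { "env", "sh", "su", NULL };

/* Reduce argv[0] to the name used for lookup: drop the login-shell dash
 * and any directory part. */
static const char *applet_name(const char *argv0)
{
    const char *slash;
    if (argv0[0] == '-')
        argv0++;
    slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Return the applet that would run for this argv[0], or NULL. */
const char *dispatch(const char *argv0, const char *const *applets)
{
    const char *name = applet_name(argv0);
    for (; *applets; applets++)
        if (strcmp(*applets, name) == 0)
            return *applets;
    return NULL; /* reported to the user as "<name>: applet not found" */
}

/* A leading '-' in argv[0] is how the caller marks a login shell. */
int is_login_shell(const char *argv0)
{
    return argv0[0] == '-';
}

int main(void)
{
    const char *cases[] = { "-su", "-sh", "/bin/sh" };
    for (size_t i = 0; i < 3; i++) {
        const char *a = dispatch(cases[i], NOSUID_APPLETS);
        printf("argv[0]=%-8s login=%d applet=%s\n", cases[i],
               is_login_shell(cases[i]), a ? a : "(applet not found)");
    }
    return 0;
}
```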




* [PATCH 2/2] bash: explicitly define NON_INTERACTIVE_LOGIN_SHELLS in CFLAGS
  2015-04-21  9:30 [PATCH 0/2] Fix Yocto#5539 and Yocto#7137 Chen Qi
  2015-04-21  9:30 ` [PATCH 1/2] shadow: fix `su' behaviour Chen Qi
@ 2015-04-21  9:30 ` Chen Qi
  1 sibling, 0 replies; 3+ messages in thread
From: Chen Qi @ 2015-04-21  9:30 UTC (permalink / raw)
  To: openembedded-core

If NON_INTERACTIVE_LOGIN_SHELLS is defined, all login shells read the
startup files, even if they are not interactive.

This is the behaviour of other major distros like Ubuntu and Fedora.
We also need to set it so that when executing `su -l xxx -c env' command,
/etc/profile is parsed.

[YOCTO #5359]
[YOCTO #7137]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-extended/bash/bash.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc
index d7b28cf..c06f157 100644
--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -9,6 +9,11 @@ inherit autotools gettext texinfo update-alternatives ptest
 EXTRA_AUTORECONF += "--exclude=autoheader"
 EXTRA_OECONF = "--enable-job-control"
 
+# If NON_INTERACTIVE_LOGIN_SHELLS is defined, all login shells read the
+# startup files, even if they are not interactive.
+# This is what other major distros do. And this is what we wanted. See bug#5359 and bug#7137.
+CFLAGS += "-DNON_INTERACTIVE_LOGIN_SHELLS"
+
 ALTERNATIVE_${PN} = "sh"
 ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh"
 ALTERNATIVE_TARGET[sh] = "${base_bindir}/bash"
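Review bot: the new comment ends with "And this is what we wanted", which does not tell a later reader what depends on the define; state the concrete case from the commit message instead, that `su -l xxx -c env` must parse /etc/profile. Setting -DNON_INTERACTIVE_LOGIN_SHELLS in bash.inc changes behaviour for every non-interactive login shell built from this recipe, so startup files now run for scripted callers too; that deserves a line in the commit message as a behaviour change, since profile scripts that assume a terminal or print output will now affect those callers. The comment cites bug#5359 while the cover letter subject says Yocto#5539; please make the reference consistent.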
-- 
1.9.1



