From f6535ea12ab7f4d99adbe78919a7ed252175565f Mon Sep 17 00:00:00 2001 From: Kevin Tian Date: Fri, 6 Aug 2010 10:34:29 +0800 Subject: shadow: add new recipe 4.1.4.2 (borrow from OpenEmbedded with below tweaks) Enhance login_defs_pam.sed according to shadow source, to ensuer we don't leave any unknown definitions in /etc/login.defs when pam is enabled no need for --disable-account-tools-setuid which is detected upon pam automatically, and no specific CFLAGS append move shadow site options to generic site files adjust indention RDEPENDS on a list of pam-plugins since they're separately packaged test with both pam enabled and pam disabled. when pam is enabled, tried some same tweak with desired effect. Signed-off-by: Kevin Tian --- meta-lsb/packages/shadow/shadow.inc | 121 ++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 meta-lsb/packages/shadow/shadow.inc (limited to 'meta-lsb/packages/shadow/shadow.inc') diff --git a/meta-lsb/packages/shadow/shadow.inc b/meta-lsb/packages/shadow/shadow.inc new file mode 100644 index 000000000..fcbcb3eb7 --- /dev/null +++ b/meta-lsb/packages/shadow/shadow.inc @@ -0,0 +1,121 @@ +DESCRIPTION = "Tools to change and administer password and group data." +HOMEPAGE = "http://pkg-shadow.alioth.debian.org/" +BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580" +SECTION = "base utils" +LICENSE = "BSD | Artistic" +LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \ + file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe" + +PAM_PLUGINS = " libpam-runtime \ + pam-plugin-faildelay \ + pam-plugin-securetty \ + pam-plugin-nologin \ + pam-plugin-env \ + pam-plugin-group \ + pam-plugin-limits \ + pam-plugin-lastlog \ + pam-plugin-motd \ + pam-plugin-mail \ + pam-plugin-shells \ + pam-plugin-rootok" + +DEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" +RDEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}" + +# since we deduce from ${SERIAL_CONSOLE} +PACKAGE_ARCH = "${MACHINE_ARCH}" + +# Additional Policy files for PAM +PAM_SRC_URI = "file://pam.d/chfn \ + file://pam.d/chpasswd \ + file://pam.d/chsh \ + file://pam.d/login \ + file://pam.d/newusers \ + file://pam.d/passwd \ + file://pam.d/su" + +SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \ + file://login_defs_pam.sed \ + ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://securetty" + +inherit autotools gettext + +EXTRA_OECONF += "--without-audit \ + --without-libcrack \ + ${@base_contains('DISTRO_FEATURES', 'pam', '--with-libpam', '--without-libpam', d)} \ + --without-selinux" + +do_install_append() { + # Ensure that the image has as /var/spool/mail dir so shadow can put mailboxes there if the user + # reconfigures Shadow to default (see sed below). + install -d ${D}${localstatedir}/spool/mail + + if [ -e ${WORKDIR}/pam.d ]; then + install -d ${D}${sysconfdir}/pam.d/ + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + # Remove defaults that are not used when supporting PAM + sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs + fi + + # Enable CREATE_HOME by default. + sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs + + # As we are on an embedded system ensure the users mailbox is in ~/ not + # /var/spool/mail by default as who knows where or how big /var is. + # The system MDA will set this later anyway. + sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs + sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs + + # disable checking emails at all + sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs + + # now we don't have a mail system. disable mail creation for now + sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd + sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd + + install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir} + for i in passwd chfn newgrp chsh ; do + mv ${D}${bindir}/$i ${D}${bindir}/$i.${PN} + done + + mv ${D}${sbindir}/chpasswd ${D}${sbindir}/chpasswd.${PN} + mv ${D}${sbindir}/vigr ${D}${base_sbindir}/vigr.${PN} + mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw.${PN} + mv ${D}${bindir}/login ${D}${base_bindir}/login.${PN} + + # Ensure we add a suitable securetty file to the package that has most common embedded TTYs defined. + if [ ! -z "${SERIAL_CONSOLE}" ]; then + # our SERIAL_CONSOLE contains baud rate too and sometime -L option as well. + # the following pearl :) takes that and converts it into newline sepated tty's and appends + # them into securetty. So if a machine has a weird looking console device node (e.g. ttyAMA0) that securetty + # does not know then it will get appended to securetty and root login will be allowed on + # that console. + echo "${SERIAL_CONSOLE}" | sed -e 's/[0-9][0-9]\|\-L//g'|tr "[ ]" "[\n]" >> ${WORKDIR}/securetty + fi + install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty +} + +pkg_postinst_${PN} () { + update-alternatives --install ${bindir}/passwd passwd passwd.${PN} 200 + update-alternatives --install ${sbindir}/chpasswd chpasswd chpasswd.${PN} 200 + update-alternatives --install ${bindir}/chfn chfn chfn.${PN} 200 + update-alternatives --install ${bindir}/newgrp newgrp newgrp.${PN} 200 + update-alternatives --install ${bindir}/chsh chsh chsh.${PN} 200 + update-alternatives --install ${base_bindir}/login login login.${PN} 200 + update-alternatives --install ${base_sbindir}/vipw vipw vipw.${PN} 200 + update-alternatives --install ${base_sbindir}/vigr vigr vigr.${PN} 200 + + if [ "x$D" != "x" ]; then + exit 1 + fi + + pwconv + grpconv +} + +pkg_prerm_${PN} () { + for i in passwd chpasswd chfn newgrp chsh login vipw vigr ; do + update-alternatives --remove $i $i.${PN} + done +} -- cgit v1.2.3