From 9caf7cafdd740da030954b2c5bc1053518ab1d39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Wed, 24 Sep 2014 10:58:50 +0100 Subject: [PATCH] * Add two new hooks for Ubuntu Touch to setup sensible /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation to guarantee user/group ordering on the image and then to check for any unexpected change to those files. (LP: #1332538) Any change to either the initial set of users and groups or to the post-package-install set will now be fatal to the image and will require a manual update of the hardcoded user/group list contained in this new chroot_early hook. * Bump dependency on live-build accordingly. * Update the setup_user hook to also take care of gshadow. --- debian/changelog | 16 ++ debian/control | 2 +- .../hooks/00-uid-gid-fix.chroot_early | 251 ++++++++++++++++++ .../ubuntu-touch/hooks/01-setup_user.chroot | 4 + .../hooks/99zz-check-uid-gid.chroot | 37 +++ 5 files changed, 309 insertions(+), 1 deletion(-) create mode 100755 live-build/ubuntu-touch/hooks/00-uid-gid-fix.chroot_early create mode 100755 live-build/ubuntu-touch/hooks/99zz-check-uid-gid.chroot diff --git a/debian/changelog b/debian/changelog index 509acf8d..4a586b8f 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,19 @@ +livecd-rootfs (2.245) utopic; urgency=medium + + * Add two new hooks for Ubuntu Touch to setup sensible /etc/passwd, + /etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation + to guarantee user/group ordering on the image and then to check for any + unexpected change to those files. (LP: #1332538) + + Any change to either the initial set of users and groups or to the + post-package-install set will now be fatal to the image and will require + a manual update of the hardcoded user/group list contained in this new + chroot_early hook. + * Bump dependency on live-build accordingly. + * Update the setup_user hook to also take care of gshadow. + + -- Stéphane Graber Mon, 22 Sep 2014 16:02:58 -0400 + livecd-rootfs (2.244) utopic; urgency=medium * Substitute DEB_HOST_MULTIARCH into hook scripts at build time, rather diff --git a/debian/control b/debian/control index 3e0e3b1a..8e7abdaa 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk Package: livecd-rootfs Architecture: any -Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties +Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a57-1ubuntu12~), android-tools-fsutils [armhf], python3-software-properties Suggests: partimage Breaks: ubuntu-defaults-builder (<< 0.32) Description: construction script for the livecd rootfs diff --git a/live-build/ubuntu-touch/hooks/00-uid-gid-fix.chroot_early b/live-build/ubuntu-touch/hooks/00-uid-gid-fix.chroot_early new file mode 100755 index 00000000..ca26e92a --- /dev/null 
+++ b/live-build/ubuntu-touch/hooks/00-uid-gid-fix.chroot_early @@ -0,0 +1,251 @@ +#!/bin/sh -eu + +# Known good post-debootstrap values +passwd_bootstrap="9ebb1c3da5b0ad8f1d366528b32c97cb" +shadow_bootstrap="1c562aa2ed2f443b9151953e800eca16" +group_bootstrap="60cd81599d39db5d624e63c8c18d4a5e" +gshadow_bootstrap="3819432fb99fe6b8f38410c58d503de1" + +# Current post-debootstrap values +passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1) +shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1) +group_hash=$(set -- $(md5sum /etc/group) && echo $1) +gshadow_hash=$(set -- $(md5sum /etc/gshadow) && echo $1) + +# /etc/passwd +if [ "$passwd_bootstrap" = "$passwd_hash" ]; then + cat > /etc/passwd <&2 + exit 1 +fi + +# /etc/shadow +if [ "$shadow_bootstrap" = "$shadow_hash" ]; then + cat > /etc/shadow <&2 + exit 1 +fi + +# /etc/group +if [ "$group_bootstrap" = "$group_hash" ]; then + cat > /etc/group <&2 + exit 1 +fi + +# /etc/gshadow +if [ "$gshadow_bootstrap" = "$gshadow_hash" ]; then + cat > /etc/gshadow <&2 + exit 1 +fi + +# Record the current state for later comparison +for file in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do + rm -f ${file}- + cp ${file} ${file}.orig +done diff --git a/live-build/ubuntu-touch/hooks/01-setup_user.chroot b/live-build/ubuntu-touch/hooks/01-setup_user.chroot index 03ebce5e..966f5d3e 100755 --- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot +++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot 
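Review bot: The shadow normalisation in `shadow_hash=`, `sed "s/:.*:0:99999:/:0:99999:/g"`, uses a greedy `.*`, so on a line such as `root:*:16000:0:99999:7:::` it strips both the password field and the last-change date, leaving `root:0:99999:7:::`; the hash therefore never covers the password column, and the identical expression in 99zz-check-uid-gid.chroot cannot notice a package that sets or alters a password during installation. Only the third field varies from build to build, so blanking just that column keeps the comparison meaningful: `sed 's/^\([^:]*:[^:]*:\)[^:]*:/\1:/' /etc/shadow | md5sum`, after which the `shadow_bootstrap` constant has to be regenerated. Entries whose min/max fields are not literally `0:99999` are not normalised at all and would still embed the build date in the hash. The here-document bodies written to the four files are not visible in this rendering, so their contents were not reviewed.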
@@ -21,13 +21,17 @@ sed -i 's/^shadow:.*compat/\0 extrausers/' /etc/nsswitch.conf grep "^$USER" /etc/group >> /var/lib/extrausers/group grep "^$USER" /etc/passwd >> /var/lib/extrausers/passwd grep "^$USER" /etc/shadow >> /var/lib/extrausers/shadow +grep "^$USER" /etc/gshadow >> /var/lib/extrausers/gshadow chmod 0644 /var/lib/extrausers/group chmod 0644 /var/lib/extrausers/passwd chmod 0640 /var/lib/extrausers/shadow +chmod 0640 /var/lib/extrausers/gshadow chown root:shadow /var/lib/extrausers/shadow +chown root:shadow /var/lib/extrausers/gshadow sed -i "/^$USER/d" /etc/group sed -i "/^$USER/d" /etc/passwd sed -i "/^$USER/d" /etc/shadow +sed -i "/^$USER/d" /etc/gshadow # Prevent the system user from being presented in the greeter by bumping MIN_UID sed -i 's/^\(UID_MIN\s\+\).*/\11002/g' /etc/login.defs diff --git a/live-build/ubuntu-touch/hooks/99zz-check-uid-gid.chroot b/live-build/ubuntu-touch/hooks/99zz-check-uid-gid.chroot new file mode 100755 index 00000000..54b03a55 --- /dev/null +++ b/live-build/ubuntu-touch/hooks/99zz-check-uid-gid.chroot 
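Review bot: The new `grep "^$USER" /etc/gshadow` and `sed -i "/^$USER/d" /etc/gshadow` lines match any group whose name merely begins with `$USER`, so an entry such as `${USER}2` would be copied into extrausers and then deleted from /etc/gshadow along with the intended one; anchoring on the field separator, `grep "^$USER:" /etc/gshadow` and `sed -i "/^$USER:/d" /etc/gshadow`, restricts both to the exact entry. The pre-existing passwd/shadow/group lines share the same pattern, so tightening only the gshadow pair would leave the four inconsistent. `$USER` is assigned before line 21, outside this hunk, so its derivation could not be checked here.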
@@ -0,0 +1,37 @@
+#!/bin/sh -eu
+
+passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
+shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
+group_length=$(cat /etc/group | wc -l)
+gshadow_length=$(cat /etc/gshadow | wc -l)
+
+passwd_orig_hash=$(set -- $(md5sum /etc/passwd.orig) && echo $1)
+shadow_orig_hash=$(set -- $(cat /etc/shadow.orig | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
+group_orig_length=$(cat /etc/group.orig | wc -l)
+gshadow_orig_length=$(cat /etc/gshadow.orig | wc -l)
+
+if [ "$passwd_hash" != "$passwd_orig_hash" ]; then
+ echo "/etc/passwd has changed during setup." >&2
+ diff -Nrup /etc/passwd.orig /etc/passwd >&2
+ exit 1
+fi
+
+if [ "$shadow_hash" != "$shadow_orig_hash" ]; then
+ echo "/etc/shadow has changed during setup." >&2
+ diff -Nrup /etc/shadow.orig /etc/shadow >&2
+ exit 1
+fi
+
+if [ "$group_length" != "$group_orig_length" ]; then
+ echo "/etc/group has changed during setup." >&2
+ diff -Nrup /etc/group.orig /etc/group >&2
+ exit 1
+fi
+
+if [ "$gshadow_length" != "$gshadow_orig_length" ]; then
+ echo "/etc/gshadow has changed during setup." >&2
+ diff -Nrup /etc/gshadow.orig /etc/gshadow >&2
+ exit 1
+fi
+
+rm /etc/passwd.orig /etc/shadow.orig /etc/group.orig /etc/gshadow.orig
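Review bot: `group_length`/`gshadow_length` compare /etc/group and /etc/gshadow by line count only, so a GID renumbering, a renamed group or a reordered file with the same number of lines passes the check, even though the changelog describes the hook as guarding user/group ordering and the error message says the file "has changed". If package-added memberships are why a full hash was avoided, hashing only the stable columns keeps the ordering guarantee while tolerating membership edits: `group_hash=$(cut -d: -f1,3 /etc/group | md5sum | cut -d' ' -f1)`, the same for `/etc/group.orig`, and `cut -d: -f1` for gshadow, which has no GID column. The `diff -Nrup /etc/shadow.orig /etc/shadow >&2` on failure writes the password column into the build log; at this stage it presumably holds only locked markers, but that is worth confirming before relying on it. Minor: `cat /etc/group | wc -l` can be `wc -l < /etc/group`.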