* Add two new hooks for Ubuntu Touch to set up sensible /etc/passwd,
  /etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation
  to guarantee user/group ordering on the image and then to check for any
  unexpected change to those files. (LP: #1332538)
  Any change to either the initial set of users and groups or to the
  post-package-install set will now be fatal to the image and will require
  a manual update of the hardcoded user/group list contained in this new
  chroot_early hook.
* Bump dependency on live-build accordingly.
* Update the setup_user hook to also take care of gshadow.
ubuntu/yakkety
Stéphane Graber 10 years ago committed by Colin Watson
parent 6cadf04b6c
commit 9caf7cafdd

debian/changelog

@ -1,3 +1,19 @@
livecd-rootfs (2.245) utopic; urgency=medium
* Add two new hooks for Ubuntu Touch to setup sensible /etc/passwd,
/etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation
to guarantee user/group ordering on the image and then to check for any
unexpected change to those files. (LP: #1332538)
Any change to either the initial set of users and groups or to the
post-package-install set will now be fatal to the image and will require
a manual update of the hardcoded user/group list contained in this new
chroot_early hook.
* Bump dependency on live-build accordingly.
* Update the setup_user hook to also take care of gshadow.
-- Stéphane Graber <stgraber@ubuntu.com> Mon, 22 Sep 2014 16:02:58 -0400
livecd-rootfs (2.244) utopic; urgency=medium livecd-rootfs (2.244) utopic; urgency=medium
* Substitute DEB_HOST_MULTIARCH into hook scripts at build time, rather * Substitute DEB_HOST_MULTIARCH into hook scripts at build time, rather
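Review bot: the entry states that any change to the user/group set "will now be fatal" and requires a manual update of the hardcoded list in the chroot_early hook, but it does not say how a maintainer regenerates the four known-good post-debootstrap md5sums that gate that hook; a sentence pointing at the procedure (or at the script's header comment) would save the next person who hits the failure. Minor wording: "to setup" should read "to set up".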

debian/control

@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk
Package: livecd-rootfs Package: livecd-rootfs
Architecture: any Architecture: any
Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a57-1ubuntu12~), android-tools-fsutils [armhf], python3-software-properties
Suggests: partimage Suggests: partimage
Breaks: ubuntu-defaults-builder (<< 0.32) Breaks: ubuntu-defaults-builder (<< 0.32)
Description: construction script for the livecd rootfs Description: construction script for the livecd rootfs
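Review bot: the changelog only says the live-build dependency was bumped "accordingly"; this control change (`live-build (>= 3.0~a57-1ubuntu12~)`) would be easier to audit later if the changelog named the live-build feature the new chroot_early hook depends on. The trailing `~` deliberately lets backport builds of 3.0~a57-1ubuntu12 satisfy the relation, which looks intended but is worth confirming.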

@ -0,0 +1,251 @@
#!/bin/sh -eu
# Known good post-debootstrap values
passwd_bootstrap="9ebb1c3da5b0ad8f1d366528b32c97cb"
shadow_bootstrap="1c562aa2ed2f443b9151953e800eca16"
group_bootstrap="60cd81599d39db5d624e63c8c18d4a5e"
gshadow_bootstrap="3819432fb99fe6b8f38410c58d503de1"
# Current post-debootstrap values
passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
group_hash=$(set -- $(md5sum /etc/group) && echo $1)
gshadow_hash=$(set -- $(md5sum /etc/gshadow) && echo $1)
# /etc/passwd
if [ "$passwd_bootstrap" = "$passwd_hash" ]; then
cat > /etc/passwd <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:100:103::/home/syslog:/bin/false
usermetrics:x:101:104:User Metrics:/var/lib/usermetrics:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
clickpkg:x:103:107::/nonexistent:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
rtkit:x:106:109:RealtimeKit,,,:/proc:/bin/false
whoopsie:x:107:110::/nonexistent:/bin/false
lightdm:x:108:111:Light Display Manager:/var/lib/lightdm:/bin/false
lxc-dnsmasq:x:109:114:LXC dnsmasq,,,:/var/lib/lxc:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
system:x:1000:1000:system,,,:/nonexistent:/bin/false
radio:x:1001:1001:radio,,,:/nonexistent:/bin/false
EOF
else
echo "/etc/passwd post-debootstrap hash doesn't match record" >&2
exit 1
fi
# /etc/shadow
if [ "$shadow_bootstrap" = "$shadow_hash" ]; then
cat > /etc/shadow <<EOF
root:*:16329:0:99999:7:::
daemon:*:16329:0:99999:7:::
bin:*:16329:0:99999:7:::
sys:*:16329:0:99999:7:::
sync:*:16329:0:99999:7:::
games:*:16329:0:99999:7:::
man:*:16329:0:99999:7:::
lp:*:16329:0:99999:7:::
mail:*:16329:0:99999:7:::
news:*:16329:0:99999:7:::
uucp:*:16329:0:99999:7:::
proxy:*:16329:0:99999:7:::
www-data:*:16329:0:99999:7:::
backup:*:16329:0:99999:7:::
list:*:16329:0:99999:7:::
irc:*:16329:0:99999:7:::
gnats:*:16329:0:99999:7:::
nobody:*:16329:0:99999:7:::
syslog:*:16329:0:99999:7:::
usermetrics:*:16329:0:99999:7:::
messagebus:*:16329:0:99999:7:::
clickpkg:*:16329:0:99999:7:::
dnsmasq:*:16329:0:99999:7:::
sshd:*:16329:0:99999:7:::
rtkit:*:16329:0:99999:7:::
whoopsie:*:16329:0:99999:7:::
lightdm:*:16329:0:99999:7:::
lxc-dnsmasq:!:16329:0:99999:7:::
pulse:*:16329:0:99999:7:::
system:!:16329:0:99999:7:::
radio:!:16329:0:99999:7:::
EOF
else
echo "/etc/shadow post-debootstrap hash doesn't match record" >&2
exit 1
fi
# /etc/group
if [ "$group_bootstrap" = "$group_hash" ]; then
cat > /etc/group <<EOF
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:1005:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
netdev:x:101:
crontab:x:102:
syslog:x:103:
usermetrics:x:104:
systemd-journal:x:105:
messagebus:x:106:
clickpkg:x:107:
ssh:x:108:
rtkit:x:109:
whoopsie:x:110:
lightdm:x:111:
nopasswdlogin:x:112:
bluetooth:x:1002:
lxc-dnsmasq:x:114:
pulse:x:115:
pulse-access:x:116:
system:x:1000:
radio:x:1001:
gps:x:1021:
android_net:x:3003:
android_net2:x:3004:
android_net3:x:3002:
android_graphics:x:1003:
android_input:x:1004:
sdcard_rw:x:1015:
android_media:x:1013:
android_nvram:x:9997:
android_cache:x:2001:
EOF
else
echo "/etc/group post-debootstrap hash doesn't match record" >&2
exit 1
fi
# /etc/gshadow
if [ "$gshadow_bootstrap" = "$gshadow_hash" ]; then
cat > /etc/gshadow <<EOF
root:*::
daemon:*::
bin:*::
sys:*::
adm:*::syslog
tty:*::
disk:*::
lp:*::
mail:*::
news:*::
uucp:*::
man:*::
proxy:*::
kmem:*::
dialout:*::
fax:*::
voice:*::
cdrom:*::
floppy:*::
tape:*::
sudo:*::
audio:*::pulse
dip:*::
www-data:*::
backup:*::
operator:*::
list:*::
irc:*::
src:*::
gnats:*::
shadow:*::
utmp:*::
video:*::
sasl:*::
plugdev:*::
staff:*::
games:*::
users:*::
nogroup:*::
netdev:!::
crontab:!::
syslog:!::
usermetrics:!::
systemd-journal:!::
messagebus:!::
clickpkg:!::
ssh:!::
rtkit:!::
whoopsie:!::
lightdm:!::
nopasswdlogin:!::
bluetooth:!::
lxc-dnsmasq:!::
pulse:!::
pulse-access:!::
system:!::
radio:!::
gps:!::
android_net:!::
android_net2:!::
android_net3:!::
android_graphics:!::
android_input:!::
sdcard_rw:!::
android_media:!::
android_nvram:!::
android_cache:!::
EOF
else
echo "/etc/gshadow post-debootstrap hash doesn't match record" >&2
exit 1
fi
# Record the current state for later comparison
for file in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
rm -f ${file}-
cp ${file} ${file}.orig
done
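Review bot: in the `for file in ...` loop at the end of the hunk, `cp ${file} ${file}.orig` creates the copy with the build umask rather than the source file's mode, so `/etc/shadow.orig` and `/etc/gshadow.orig` can end up world-readable inside the chroot; use `cp -p` (or `chmod 0640` and `chown root:shadow` the two copies), and since the copies are only removed by the later check hook, make sure no build path can produce an image with them still present. The same applies to the `cat > /etc/shadow` and `cat > /etc/gshadow` rewrites: they keep the 0640 root:shadow mode only because debootstrap already created those files, so an explicit `chmod 0640` and `chown root:shadow` after each heredoc would turn that assumption into a guarantee.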

@ -21,13 +21,17 @@ sed -i 's/^shadow:.*compat/\0 extrausers/' /etc/nsswitch.conf
grep "^$USER" /etc/group >> /var/lib/extrausers/group grep "^$USER" /etc/group >> /var/lib/extrausers/group
grep "^$USER" /etc/passwd >> /var/lib/extrausers/passwd grep "^$USER" /etc/passwd >> /var/lib/extrausers/passwd
grep "^$USER" /etc/shadow >> /var/lib/extrausers/shadow grep "^$USER" /etc/shadow >> /var/lib/extrausers/shadow
grep "^$USER" /etc/gshadow >> /var/lib/extrausers/gshadow
chmod 0644 /var/lib/extrausers/group chmod 0644 /var/lib/extrausers/group
chmod 0644 /var/lib/extrausers/passwd chmod 0644 /var/lib/extrausers/passwd
chmod 0640 /var/lib/extrausers/shadow chmod 0640 /var/lib/extrausers/shadow
chmod 0640 /var/lib/extrausers/gshadow
chown root:shadow /var/lib/extrausers/shadow chown root:shadow /var/lib/extrausers/shadow
chown root:shadow /var/lib/extrausers/gshadow
sed -i "/^$USER/d" /etc/group sed -i "/^$USER/d" /etc/group
sed -i "/^$USER/d" /etc/passwd sed -i "/^$USER/d" /etc/passwd
sed -i "/^$USER/d" /etc/shadow sed -i "/^$USER/d" /etc/shadow
sed -i "/^$USER/d" /etc/gshadow
# Prevent the system user from being presented in the greeter by bumping MIN_UID # Prevent the system user from being presented in the greeter by bumping MIN_UID
sed -i 's/^\(UID_MIN\s\+\).*/\11002/g' /etc/login.defs sed -i 's/^\(UID_MIN\s\+\).*/\11002/g' /etc/login.defs
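Review bot: the new `grep "^$USER" /etc/gshadow` and `sed "/^$USER/d" /etc/gshadow` lines copy the existing pattern, which is a prefix match rather than a username match: any account or group whose name merely starts with $USER would also be moved to extrausers or deleted. Anchoring on the field separator (`grep "^$USER:"`, `sed "/^$USER:/d"`) fixes that for the new lines and would be worth applying to the three existing files in the same hunk.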

@ -0,0 +1,37 @@
#!/bin/sh -eu
passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
group_length=$(cat /etc/group | wc -l)
gshadow_length=$(cat /etc/gshadow | wc -l)
passwd_orig_hash=$(set -- $(md5sum /etc/passwd.orig) && echo $1)
shadow_orig_hash=$(set -- $(cat /etc/shadow.orig | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
group_orig_length=$(cat /etc/group.orig | wc -l)
gshadow_orig_length=$(cat /etc/gshadow.orig | wc -l)
if [ "$passwd_hash" != "$passwd_orig_hash" ]; then
echo "/etc/passwd has changed during setup." >&2
diff -Nrup /etc/passwd.orig /etc/passwd >&2
exit 1
fi
if [ "$shadow_hash" != "$shadow_orig_hash" ]; then
echo "/etc/shadow has changed during setup." >&2
diff -Nrup /etc/shadow.orig /etc/shadow >&2
exit 1
fi
if [ "$group_length" != "$group_orig_length" ]; then
echo "/etc/group has changed during setup." >&2
diff -Nrup /etc/group.orig /etc/group >&2
exit 1
fi
if [ "$gshadow_length" != "$gshadow_orig_length" ]; then
echo "/etc/gshadow has changed during setup." >&2
diff -Nrup /etc/gshadow.orig /etc/gshadow >&2
exit 1
fi
rm /etc/passwd.orig /etc/shadow.orig /etc/group.orig /etc/gshadow.orig
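Review bot: `/etc/group` and `/etc/gshadow` are compared only by line count (`group_length`, `gshadow_length`) while `/etc/passwd` and `/etc/shadow` are compared by md5sum, so a package that adds a member to an existing group, renumbers a GID or replaces one group with another passes this check even though the changelog says any unexpected change to these files is fatal. Hash both files the way passwd is hashed (with a normalisation step like the one used for shadow if needed), or add a comment explaining why a line count is considered sufficient here. Style nit: `cat /etc/group | wc -l` can be `wc -l < /etc/group`.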