/etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation to guarantee user/group ordering on the image and then to check for any unexpected change to those files. (LP: #1332538) Any change to either the initial set of users and groups or to the post-package-install set will now be fatal to the image and will require a manual update of the hardcoded user/group list contained in this new chroot_early hook. * Bump dependency on live-build accordingly. * Update the setup_user hook to also take care of gshadow.ubuntu/yakkety
parent
6cadf04b6c
commit
9caf7cafdd
@ -0,0 +1,251 @@
|
|||||||
|
#!/bin/sh -eu
|
||||||
|
|
||||||
|
# Known good post-debootstrap values
|
||||||
|
passwd_bootstrap="9ebb1c3da5b0ad8f1d366528b32c97cb"
|
||||||
|
shadow_bootstrap="1c562aa2ed2f443b9151953e800eca16"
|
||||||
|
group_bootstrap="60cd81599d39db5d624e63c8c18d4a5e"
|
||||||
|
gshadow_bootstrap="3819432fb99fe6b8f38410c58d503de1"
|
||||||
|
|
||||||
|
# Current post-debootstrap values
|
||||||
|
passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
|
||||||
|
shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
|
||||||
|
group_hash=$(set -- $(md5sum /etc/group) && echo $1)
|
||||||
|
gshadow_hash=$(set -- $(md5sum /etc/gshadow) && echo $1)
|
||||||
|
|
||||||
|
# /etc/passwd
|
||||||
|
if [ "$passwd_bootstrap" = "$passwd_hash" ]; then
|
||||||
|
cat > /etc/passwd <<EOF
|
||||||
|
root:x:0:0:root:/root:/bin/bash
|
||||||
|
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||||||
|
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||||||
|
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||||||
|
sync:x:4:65534:sync:/bin:/bin/sync
|
||||||
|
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
||||||
|
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
||||||
|
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
||||||
|
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
|
||||||
|
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
|
||||||
|
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
|
||||||
|
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
|
||||||
|
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|
||||||
|
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
|
||||||
|
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
|
||||||
|
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
|
||||||
|
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
|
||||||
|
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
|
||||||
|
syslog:x:100:103::/home/syslog:/bin/false
|
||||||
|
usermetrics:x:101:104:User Metrics:/var/lib/usermetrics:/bin/false
|
||||||
|
messagebus:x:102:106::/var/run/dbus:/bin/false
|
||||||
|
clickpkg:x:103:107::/nonexistent:/bin/false
|
||||||
|
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
|
||||||
|
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
|
||||||
|
rtkit:x:106:109:RealtimeKit,,,:/proc:/bin/false
|
||||||
|
whoopsie:x:107:110::/nonexistent:/bin/false
|
||||||
|
lightdm:x:108:111:Light Display Manager:/var/lib/lightdm:/bin/false
|
||||||
|
lxc-dnsmasq:x:109:114:LXC dnsmasq,,,:/var/lib/lxc:/bin/false
|
||||||
|
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
|
||||||
|
system:x:1000:1000:system,,,:/nonexistent:/bin/false
|
||||||
|
radio:x:1001:1001:radio,,,:/nonexistent:/bin/false
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
echo "/etc/passwd post-debootstrap hash doesn't match record" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# /etc/shadow
|
||||||
|
if [ "$shadow_bootstrap" = "$shadow_hash" ]; then
|
||||||
|
cat > /etc/shadow <<EOF
|
||||||
|
root:*:16329:0:99999:7:::
|
||||||
|
daemon:*:16329:0:99999:7:::
|
||||||
|
bin:*:16329:0:99999:7:::
|
||||||
|
sys:*:16329:0:99999:7:::
|
||||||
|
sync:*:16329:0:99999:7:::
|
||||||
|
games:*:16329:0:99999:7:::
|
||||||
|
man:*:16329:0:99999:7:::
|
||||||
|
lp:*:16329:0:99999:7:::
|
||||||
|
mail:*:16329:0:99999:7:::
|
||||||
|
news:*:16329:0:99999:7:::
|
||||||
|
uucp:*:16329:0:99999:7:::
|
||||||
|
proxy:*:16329:0:99999:7:::
|
||||||
|
www-data:*:16329:0:99999:7:::
|
||||||
|
backup:*:16329:0:99999:7:::
|
||||||
|
list:*:16329:0:99999:7:::
|
||||||
|
irc:*:16329:0:99999:7:::
|
||||||
|
gnats:*:16329:0:99999:7:::
|
||||||
|
nobody:*:16329:0:99999:7:::
|
||||||
|
syslog:*:16329:0:99999:7:::
|
||||||
|
usermetrics:*:16329:0:99999:7:::
|
||||||
|
messagebus:*:16329:0:99999:7:::
|
||||||
|
clickpkg:*:16329:0:99999:7:::
|
||||||
|
dnsmasq:*:16329:0:99999:7:::
|
||||||
|
sshd:*:16329:0:99999:7:::
|
||||||
|
rtkit:*:16329:0:99999:7:::
|
||||||
|
whoopsie:*:16329:0:99999:7:::
|
||||||
|
lightdm:*:16329:0:99999:7:::
|
||||||
|
lxc-dnsmasq:!:16329:0:99999:7:::
|
||||||
|
pulse:*:16329:0:99999:7:::
|
||||||
|
system:!:16329:0:99999:7:::
|
||||||
|
radio:!:16329:0:99999:7:::
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
echo "/etc/shadow post-debootstrap hash doesn't match record" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# /etc/group
|
||||||
|
if [ "$group_bootstrap" = "$group_hash" ]; then
|
||||||
|
cat > /etc/group <<EOF
|
||||||
|
root:x:0:
|
||||||
|
daemon:x:1:
|
||||||
|
bin:x:2:
|
||||||
|
sys:x:3:
|
||||||
|
adm:x:4:syslog
|
||||||
|
tty:x:5:
|
||||||
|
disk:x:6:
|
||||||
|
lp:x:7:
|
||||||
|
mail:x:8:
|
||||||
|
news:x:9:
|
||||||
|
uucp:x:10:
|
||||||
|
man:x:12:
|
||||||
|
proxy:x:13:
|
||||||
|
kmem:x:15:
|
||||||
|
dialout:x:20:
|
||||||
|
fax:x:21:
|
||||||
|
voice:x:22:
|
||||||
|
cdrom:x:24:
|
||||||
|
floppy:x:25:
|
||||||
|
tape:x:26:
|
||||||
|
sudo:x:27:
|
||||||
|
audio:x:1005:
|
||||||
|
dip:x:30:
|
||||||
|
www-data:x:33:
|
||||||
|
backup:x:34:
|
||||||
|
operator:x:37:
|
||||||
|
list:x:38:
|
||||||
|
irc:x:39:
|
||||||
|
src:x:40:
|
||||||
|
gnats:x:41:
|
||||||
|
shadow:x:42:
|
||||||
|
utmp:x:43:
|
||||||
|
video:x:44:
|
||||||
|
sasl:x:45:
|
||||||
|
plugdev:x:46:
|
||||||
|
staff:x:50:
|
||||||
|
games:x:60:
|
||||||
|
users:x:100:
|
||||||
|
nogroup:x:65534:
|
||||||
|
netdev:x:101:
|
||||||
|
crontab:x:102:
|
||||||
|
syslog:x:103:
|
||||||
|
usermetrics:x:104:
|
||||||
|
systemd-journal:x:105:
|
||||||
|
messagebus:x:106:
|
||||||
|
clickpkg:x:107:
|
||||||
|
ssh:x:108:
|
||||||
|
rtkit:x:109:
|
||||||
|
whoopsie:x:110:
|
||||||
|
lightdm:x:111:
|
||||||
|
nopasswdlogin:x:112:
|
||||||
|
bluetooth:x:1002:
|
||||||
|
lxc-dnsmasq:x:114:
|
||||||
|
pulse:x:115:
|
||||||
|
pulse-access:x:116:
|
||||||
|
system:x:1000:
|
||||||
|
radio:x:1001:
|
||||||
|
gps:x:1021:
|
||||||
|
android_net:x:3003:
|
||||||
|
android_net2:x:3004:
|
||||||
|
android_net3:x:3002:
|
||||||
|
android_graphics:x:1003:
|
||||||
|
android_input:x:1004:
|
||||||
|
sdcard_rw:x:1015:
|
||||||
|
android_media:x:1013:
|
||||||
|
android_nvram:x:9997:
|
||||||
|
android_cache:x:2001:
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
echo "/etc/group post-debootstrap hash doesn't match record" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# /etc/gshadow
|
||||||
|
if [ "$gshadow_bootstrap" = "$gshadow_hash" ]; then
|
||||||
|
cat > /etc/gshadow <<EOF
|
||||||
|
root:*::
|
||||||
|
daemon:*::
|
||||||
|
bin:*::
|
||||||
|
sys:*::
|
||||||
|
adm:*::syslog
|
||||||
|
tty:*::
|
||||||
|
disk:*::
|
||||||
|
lp:*::
|
||||||
|
mail:*::
|
||||||
|
news:*::
|
||||||
|
uucp:*::
|
||||||
|
man:*::
|
||||||
|
proxy:*::
|
||||||
|
kmem:*::
|
||||||
|
dialout:*::
|
||||||
|
fax:*::
|
||||||
|
voice:*::
|
||||||
|
cdrom:*::
|
||||||
|
floppy:*::
|
||||||
|
tape:*::
|
||||||
|
sudo:*::
|
||||||
|
audio:*::pulse
|
||||||
|
dip:*::
|
||||||
|
www-data:*::
|
||||||
|
backup:*::
|
||||||
|
operator:*::
|
||||||
|
list:*::
|
||||||
|
irc:*::
|
||||||
|
src:*::
|
||||||
|
gnats:*::
|
||||||
|
shadow:*::
|
||||||
|
utmp:*::
|
||||||
|
video:*::
|
||||||
|
sasl:*::
|
||||||
|
plugdev:*::
|
||||||
|
staff:*::
|
||||||
|
games:*::
|
||||||
|
users:*::
|
||||||
|
nogroup:*::
|
||||||
|
netdev:!::
|
||||||
|
crontab:!::
|
||||||
|
syslog:!::
|
||||||
|
usermetrics:!::
|
||||||
|
systemd-journal:!::
|
||||||
|
messagebus:!::
|
||||||
|
clickpkg:!::
|
||||||
|
ssh:!::
|
||||||
|
rtkit:!::
|
||||||
|
whoopsie:!::
|
||||||
|
lightdm:!::
|
||||||
|
nopasswdlogin:!::
|
||||||
|
bluetooth:!::
|
||||||
|
lxc-dnsmasq:!::
|
||||||
|
pulse:!::
|
||||||
|
pulse-access:!::
|
||||||
|
system:!::
|
||||||
|
radio:!::
|
||||||
|
gps:!::
|
||||||
|
android_net:!::
|
||||||
|
android_net2:!::
|
||||||
|
android_net3:!::
|
||||||
|
android_graphics:!::
|
||||||
|
android_input:!::
|
||||||
|
sdcard_rw:!::
|
||||||
|
android_media:!::
|
||||||
|
android_nvram:!::
|
||||||
|
android_cache:!::
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
echo "/etc/gshadow post-debootstrap hash doesn't match record" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Record the current state for later comparison
|
||||||
|
for file in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
|
||||||
|
rm -f ${file}-
|
||||||
|
cp ${file} ${file}.orig
|
||||||
|
done
|
@ -0,0 +1,37 @@
|
|||||||
|
#!/bin/sh -eu
|
||||||
|
|
||||||
|
passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
|
||||||
|
shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
|
||||||
|
group_length=$(cat /etc/group | wc -l)
|
||||||
|
gshadow_length=$(cat /etc/gshadow | wc -l)
|
||||||
|
|
||||||
|
passwd_orig_hash=$(set -- $(md5sum /etc/passwd.orig) && echo $1)
|
||||||
|
shadow_orig_hash=$(set -- $(cat /etc/shadow.orig | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
|
||||||
|
group_orig_length=$(cat /etc/group.orig | wc -l)
|
||||||
|
gshadow_orig_length=$(cat /etc/gshadow.orig | wc -l)
|
||||||
|
|
||||||
|
if [ "$passwd_hash" != "$passwd_orig_hash" ]; then
|
||||||
|
echo "/etc/passwd has changed during setup." >&2
|
||||||
|
diff -Nrup /etc/passwd.orig /etc/passwd >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$shadow_hash" != "$shadow_orig_hash" ]; then
|
||||||
|
echo "/etc/shadow has changed during setup." >&2
|
||||||
|
diff -Nrup /etc/shadow.orig /etc/shadow >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$group_length" != "$group_orig_length" ]; then
|
||||||
|
echo "/etc/group has changed during setup." >&2
|
||||||
|
diff -Nrup /etc/group.orig /etc/group >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$gshadow_length" != "$gshadow_orig_length" ]; then
|
||||||
|
echo "/etc/gshadow has changed during setup." >&2
|
||||||
|
diff -Nrup /etc/gshadow.orig /etc/gshadow >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm /etc/passwd.orig /etc/shadow.orig /etc/group.orig /etc/gshadow.orig
|
Loading…
Reference in new issue