Import patches-unapplied version 2.245 to ubuntu/utopic-proposed

Imported using git-ubuntu import. Changelog parent: aa7b103571 New changelog entries: * Add two new hooks for Ubuntu Touch to setup sensible /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation to guarantee user/group ordering on the image and then to check for any unexpected change to those files. (LP: #1332538) Any change to either the initial set of users and groups or to the post-package-install set will now be fatal to the image and will require a manual update of the hardcoded user/group list contained in this new chroot_early hook. * Bump dependency on live-build accordingly. * Update the setup_user hook to also take care of gshadow.
10 years ago · d803954231
parent aa7b103571
commit d803954231
5 changed files with 309 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,19 @@
+livecd-rootfs (2.245) utopic; urgency=medium
+
+  * Add two new hooks for Ubuntu Touch to setup sensible /etc/passwd,
+    /etc/shadow, /etc/group and /etc/gshadow PRIOR to package installation
+    to guarantee user/group ordering on the image and then to check for any
+    unexpected change to those files. (LP: #1332538)
+
+    Any change to either the initial set of users and groups or to the
+    post-package-install set will now be fatal to the image and will require
+    a manual update of the hardcoded user/group list contained in this new
+    chroot_early hook.
+  * Bump dependency on live-build accordingly.
+  * Update the setup_user hook to also take care of gshadow.
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 22 Sep 2014 16:02:58 -0400
+
 livecd-rootfs (2.244) utopic; urgency=medium

  * Substitute DEB_HOST_MULTIARCH into hook scripts at build time, rather
--- a/debian/control
+++ b/debian/control
@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk

 Package: livecd-rootfs
 Architecture: any
-Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties
+Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a57-1ubuntu12~), android-tools-fsutils [armhf], python3-software-properties
 Suggests: partimage
 Breaks: ubuntu-defaults-builder (<< 0.32)
 Description: construction script for the livecd rootfs
--- a/live-build/ubuntu-touch/hooks/00-uid-gid-fix.chroot_early
+++ b/live-build/ubuntu-touch/hooks/00-uid-gid-fix.chroot_early
@ -0,0 +1,251 @@
+#!/bin/sh -eu
+
+# Known good post-debootstrap values
+passwd_bootstrap="9ebb1c3da5b0ad8f1d366528b32c97cb"
+shadow_bootstrap="1c562aa2ed2f443b9151953e800eca16"
+group_bootstrap="60cd81599d39db5d624e63c8c18d4a5e"
+gshadow_bootstrap="3819432fb99fe6b8f38410c58d503de1"
+
+# Current post-debootstrap values
+passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
+shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
+group_hash=$(set -- $(md5sum /etc/group) && echo $1)
+gshadow_hash=$(set -- $(md5sum /etc/gshadow) && echo $1)
+
+# /etc/passwd
+if [ "$passwd_bootstrap" = "$passwd_hash" ]; then
+    cat > /etc/passwd <<EOF
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+syslog:x:100:103::/home/syslog:/bin/false
+usermetrics:x:101:104:User Metrics:/var/lib/usermetrics:/bin/false
+messagebus:x:102:106::/var/run/dbus:/bin/false
+clickpkg:x:103:107::/nonexistent:/bin/false
+dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
+rtkit:x:106:109:RealtimeKit,,,:/proc:/bin/false
+whoopsie:x:107:110::/nonexistent:/bin/false
+lightdm:x:108:111:Light Display Manager:/var/lib/lightdm:/bin/false
+lxc-dnsmasq:x:109:114:LXC dnsmasq,,,:/var/lib/lxc:/bin/false
+pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
+system:x:1000:1000:system,,,:/nonexistent:/bin/false
+radio:x:1001:1001:radio,,,:/nonexistent:/bin/false
+EOF
+else
+    echo "/etc/passwd post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# /etc/shadow
+if [ "$shadow_bootstrap" = "$shadow_hash" ]; then
+    cat > /etc/shadow <<EOF
+root:*:16329:0:99999:7:::
+daemon:*:16329:0:99999:7:::
+bin:*:16329:0:99999:7:::
+sys:*:16329:0:99999:7:::
+sync:*:16329:0:99999:7:::
+games:*:16329:0:99999:7:::
+man:*:16329:0:99999:7:::
+lp:*:16329:0:99999:7:::
+mail:*:16329:0:99999:7:::
+news:*:16329:0:99999:7:::
+uucp:*:16329:0:99999:7:::
+proxy:*:16329:0:99999:7:::
+www-data:*:16329:0:99999:7:::
+backup:*:16329:0:99999:7:::
+list:*:16329:0:99999:7:::
+irc:*:16329:0:99999:7:::
+gnats:*:16329:0:99999:7:::
+nobody:*:16329:0:99999:7:::
+syslog:*:16329:0:99999:7:::
+usermetrics:*:16329:0:99999:7:::
+messagebus:*:16329:0:99999:7:::
+clickpkg:*:16329:0:99999:7:::
+dnsmasq:*:16329:0:99999:7:::
+sshd:*:16329:0:99999:7:::
+rtkit:*:16329:0:99999:7:::
+whoopsie:*:16329:0:99999:7:::
+lightdm:*:16329:0:99999:7:::
+lxc-dnsmasq:!:16329:0:99999:7:::
+pulse:*:16329:0:99999:7:::
+system:!:16329:0:99999:7:::
+radio:!:16329:0:99999:7:::
+EOF
+else
+    echo "/etc/shadow post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# /etc/group
+if [ "$group_bootstrap" = "$group_hash" ]; then
+    cat > /etc/group <<EOF
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:syslog
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:1005:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+netdev:x:101:
+crontab:x:102:
+syslog:x:103:
+usermetrics:x:104:
+systemd-journal:x:105:
+messagebus:x:106:
+clickpkg:x:107:
+ssh:x:108:
+rtkit:x:109:
+whoopsie:x:110:
+lightdm:x:111:
+nopasswdlogin:x:112:
+bluetooth:x:1002:
+lxc-dnsmasq:x:114:
+pulse:x:115:
+pulse-access:x:116:
+system:x:1000:
+radio:x:1001:
+gps:x:1021:
+android_net:x:3003:
+android_net2:x:3004:
+android_net3:x:3002:
+android_graphics:x:1003:
+android_input:x:1004:
+sdcard_rw:x:1015:
+android_media:x:1013:
+android_nvram:x:9997:
+android_cache:x:2001:
+EOF
+else
+    echo "/etc/group post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# /etc/gshadow
+if [ "$gshadow_bootstrap" = "$gshadow_hash" ]; then
+    cat > /etc/gshadow <<EOF
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::syslog
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::pulse
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+netdev:!::
+crontab:!::
+syslog:!::
+usermetrics:!::
+systemd-journal:!::
+messagebus:!::
+clickpkg:!::
+ssh:!::
+rtkit:!::
+whoopsie:!::
+lightdm:!::
+nopasswdlogin:!::
+bluetooth:!::
+lxc-dnsmasq:!::
+pulse:!::
+pulse-access:!::
+system:!::
+radio:!::
+gps:!::
+android_net:!::
+android_net2:!::
+android_net3:!::
+android_graphics:!::
+android_input:!::
+sdcard_rw:!::
+android_media:!::
+android_nvram:!::
+android_cache:!::
+EOF
+else
+    echo "/etc/gshadow post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# Record the current state for later comparison
+for file in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
+    rm -f ${file}-
+    cp ${file} ${file}.orig
+done
--- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot
+++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
@ -21,13 +21,17 @@ sed -i 's/^shadow:.*compat/\0 extrausers/' /etc/nsswitch.conf
 grep "^$USER" /etc/group >> /var/lib/extrausers/group
 grep "^$USER" /etc/passwd >> /var/lib/extrausers/passwd
 grep "^$USER" /etc/shadow >> /var/lib/extrausers/shadow
+grep "^$USER" /etc/gshadow >> /var/lib/extrausers/gshadow
 chmod 0644 /var/lib/extrausers/group
 chmod 0644 /var/lib/extrausers/passwd
 chmod 0640 /var/lib/extrausers/shadow
+chmod 0640 /var/lib/extrausers/gshadow
 chown root:shadow /var/lib/extrausers/shadow
+chown root:shadow /var/lib/extrausers/gshadow
 sed -i "/^$USER/d" /etc/group
 sed -i "/^$USER/d" /etc/passwd
 sed -i "/^$USER/d" /etc/shadow
+sed -i "/^$USER/d" /etc/gshadow

 # Prevent the system user from being presented in the greeter by bumping MIN_UID
 sed -i 's/^\(UID_MIN\s\+\).*/\11002/g' /etc/login.defs
--- a/live-build/ubuntu-touch/hooks/99zz-check-uid-gid.chroot
+++ b/live-build/ubuntu-touch/hooks/99zz-check-uid-gid.chroot
@ -0,0 +1,37 @@
+#!/bin/sh -eu
+
+passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
+shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
+group_length=$(cat /etc/group | wc -l)
+gshadow_length=$(cat /etc/gshadow | wc -l)
+
+passwd_orig_hash=$(set -- $(md5sum /etc/passwd.orig) && echo $1)
+shadow_orig_hash=$(set -- $(cat /etc/shadow.orig | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
+group_orig_length=$(cat /etc/group.orig | wc -l)
+gshadow_orig_length=$(cat /etc/gshadow.orig | wc -l)
+
+if [ "$passwd_hash" != "$passwd_orig_hash" ]; then
+    echo "/etc/passwd has changed during setup." >&2
+    diff -Nrup /etc/passwd.orig /etc/passwd >&2
+    exit 1
+fi
+
+if [ "$shadow_hash" != "$shadow_orig_hash" ]; then
+    echo "/etc/shadow has changed during setup." >&2
+    diff -Nrup /etc/shadow.orig /etc/shadow >&2
+    exit 1
+fi
+
+if [ "$group_length" != "$group_orig_length" ]; then
+    echo "/etc/group has changed during setup." >&2
+    diff -Nrup /etc/group.orig /etc/group >&2
+    exit 1
+fi
+
+if [ "$gshadow_length" != "$gshadow_orig_length" ]; then
+    echo "/etc/gshadow has changed during setup." >&2
+    diff -Nrup /etc/gshadow.orig /etc/gshadow >&2
+    exit 1
+fi
+
+rm /etc/passwd.orig /etc/shadow.orig /etc/group.orig /etc/gshadow.orig