diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty new file mode 100644 index 0000000000..c7042fae2c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty @@ -0,0 +1,33 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). +console + +vc/0 +vc/1 +vc/2 +vc/3 +vc/4 +vc/5 +vc/6 +vc/7 +vc/8 +vc/9 +vc/10 +vc/11 +vc/12 +tty0 +tty1 +tty2 +tty3 +tty4 +tty5 +tty6 +tty7 +tty8 +tty9 +tty10 +tty11 +tty12 + +tts/0 +ttyS0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf new file mode 100644 index 0000000000..0acaf6838a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf @@ -0,0 +1,5 @@ +L /etc/login.defs - - - - ../usr/share/shadow/login.defs +L /etc/securetty - - - - ../usr/share/shadow/securetty + +d /etc/default - - - - - +L /etc/default/useradd - - - - ../../usr/share/shadow/useradd diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf new file mode 100644 index 0000000000..612187d6ae --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf @@ -0,0 +1 @@ +f /var/log/faillog - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild index ded6bdddef..4570e82f7e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild @@ -3,7 +3,8 @@ EAPI=7 -inherit libtool pam +TMPFILES_OPTIONAL=1 +inherit libtool pam systemd tmpfiles DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" @@ -100,14 +101,14 @@ set_login_opt() { comment="#" sed -i \ -e "/^${opt}\>/s:^:#:" \ - "${ED}"/etc/login.defs || die + "${ED}"/usr/share/shadow/login.defs || die else sed -i -r \ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/etc/login.defs + "${ED}"/usr/share/shadow/login.defs fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) - einfo "${res:-Unable to find ${opt} in /etc/login.defs}" + local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs) + einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}" } src_install() { @@ -118,29 +119,41 @@ src_install() { find "${ED}" -name '*.la' -type f -delete || die - insinto /etc + # Remove files from /etc, they will be symlinks to /usr instead. + rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd} + + # CoreOS: break shadow.conf into two files so that we only have to apply + # etc-shadow.conf in the initrd. + dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf + dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf + # Package the symlinks for the SDK and containers. + systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/* + + insinto /usr/share/shadow if ! use pam ; then insopts -m0600 doins etc/login.access etc/limits fi + # Using a securetty with devfs device names added + # (compat names kept for non-devfs compatibility) + insopts -m0600 ; doins "${FILESDIR}"/securetty + # Output arch-specific cruft + local devs + case $(tc-arch) in + ppc*) devs="hvc0 hvsi0 ttyPSC0";; + hppa) devs="ttyB0";; + arm) devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";; + sh) devs="ttySC0 ttySC1";; + amd64|x86) devs="hvc0";; + esac + if [[ -n ${devs} ]]; then + printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty + fi # needed for 'useradd -D' - insinto /etc/default insopts -m0600 doins "${FILESDIR}"/default/useradd - if use split-usr ; then - # move passwd to / to help recover broke systems #64441 - # We cannot simply remove this or else net-misc/scponly - # and other tools will break because of hardcoded passwd - # location - dodir /bin - mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die - dosym ../../bin/passwd /usr/bin/passwd - fi - - cd "${S}" || die - insinto /etc insopts -m0644 newins etc/login.defs login.defs @@ -194,7 +207,7 @@ src_install() { -e 'b exit' \ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ -e ': exit' \ - "${ED}"/etc/login.defs || die + "${ED}"/usr/share/shadow/login.defs || die # remove manpages that pam will install for us # and/or don't apply when using pam @@ -229,28 +242,3 @@ pkg_preinst() { rm -f "${EROOT}"/etc/pam.d/system-auth.new \ "${EROOT}/etc/login.defs.new" } - -pkg_postinst() { - # Missing entries from /etc/passwd can cause odd system blips. - # See bug #829872. - if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then - ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." - fi - - # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then - grpconv -R "${EROOT:-/}" - else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" - ewarn "run 'grpconv' afterwards!" - fi - fi - - [[ ! -f "${EROOT}"/etc/subgid ]] && - touch "${EROOT}"/etc/subgid - [[ ! -f "${EROOT}"/etc/subuid ]] && - touch "${EROOT}"/etc/subuid - - einfo "The 'adduser' symlink to 'useradd' has been dropped." -}