aboutsummaryrefslogtreecommitdiff
path: root/support
diff options
context:
space:
mode:
authorGravatar Yann E. MORIN <yann.morin.1998@free.fr>2013-04-12 07:14:18 +0000
committerGravatar Peter Korsgaard <jacmet@sunsite.dk>2013-04-25 22:56:42 +0200
commit1f3af04db77f9e9e707bd37ee85f6508aef797f2 (patch)
treed697d2aa29aaa71c77f9e3186e6d98cb697fc21b /support
parent74bdc4b9ddf6d4d2ecdd238715dcbf14292b8829 (diff)
downloadbuildroot-1f3af04db77f9e9e707bd37ee85f6508aef797f2.tar.gz
buildroot-1f3af04db77f9e9e707bd37ee85f6508aef797f2.tar.bz2
packages: add ability for packages to create users
Packages that install daemons may need those daemons to run as a non-root, or an otherwise non-system (eg. 'daemon'), user. Add infrastructure for packages to create users, by declaring the FOO_USERS variable that contain a makedev-syntax-like description of the user(s) to add. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Samuel Martin <s.martin49@gmail.com> Cc: Cam Hutchison <camh@xdna.net> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Diffstat (limited to 'support')
-rwxr-xr-xsupport/scripts/mkusers409
1 files changed, 409 insertions, 0 deletions
diff --git a/support/scripts/mkusers b/support/scripts/mkusers
new file mode 100755
index 0000000000..19aa085e10
--- /dev/null
+++ b/support/scripts/mkusers
@@ -0,0 +1,409 @@
+#!/bin/bash
+set -e
+myname="${0##*/}"
+
+#----------------------------------------------------------------------------
+# Configurable items
+MIN_UID=1000
+MAX_UID=1999
+MIN_GID=1000
+MAX_GID=1999
+# No more is configurable below this point
+#----------------------------------------------------------------------------
+
+#----------------------------------------------------------------------------
+error() {
+ local fmt="${1}"
+ shift
+
+ printf "%s: " "${myname}" >&2
+ printf "${fmt}" "${@}" >&2
+}
+fail() {
+ error "$@"
+ exit 1
+}
+
+#----------------------------------------------------------------------------
+if [ ${#} -ne 2 ]; then
+ fail "usage: %s USERS_TABLE TARGET_DIR\n"
+fi
+USERS_TABLE="${1}"
+TARGET_DIR="${2}"
+shift 2
+PASSWD="${TARGET_DIR}/etc/passwd"
+SHADOW="${TARGET_DIR}/etc/shadow"
+GROUP="${TARGET_DIR}/etc/group"
+# /etc/gshadow is not part of the standard skeleton, so not everybody
+# will have it, but some may hav it, and its content must be in sync
+# with /etc/group, so any use of gshadow must be conditional.
+GSHADOW="${TARGET_DIR}/etc/gshadow"
+
+# We can't simply source ${BUILDROOT_CONFIG} as it may contains constructs
+# such as:
+# BR2_DEFCONFIG="$(CONFIG_DIR)/defconfig"
+# which when sourced from a shell script will eventually try to execute
+# a command name 'CONFIG_DIR', which is plain wrong for virtually every
+# systems out there.
+# So, we have to scan that file instead. Sigh... :-(
+PASSWD_METHOD="$( sed -r -e '/^BR2_TARGET_GENERIC_PASSWD_METHOD="(.*)"$/!d;' \
+ -e 's//\1/;' \
+ "${BUILDROOT_CONFIG}" \
+ )"
+
+#----------------------------------------------------------------------------
+get_uid() {
+ local username="${1}"
+
+ awk -F: -v username="${username}" \
+ '$1 == username { printf( "%d\n", $3 ); }' "${PASSWD}"
+}
+
+#----------------------------------------------------------------------------
+get_ugid() {
+ local username="${1}"
+
+ awk -F:i -v username="${username}" \
+ '$1 == username { printf( "%d\n", $4 ); }' "${PASSWD}"
+}
+
+#----------------------------------------------------------------------------
+get_gid() {
+ local group="${1}"
+
+ awk -F: -v group="${group}" \
+ '$1 == group { printf( "%d\n", $3 ); }' "${GROUP}"
+}
+
+#----------------------------------------------------------------------------
+get_username() {
+ local uid="${1}"
+
+ awk -F: -v uid="${uid}" \
+ '$3 == uid { printf( "%s\n", $1 ); }' "${PASSWD}"
+}
+
+#----------------------------------------------------------------------------
+get_group() {
+ local gid="${1}"
+
+ awk -F: -v gid="${gid}" \
+ '$3 == gid { printf( "%s\n", $1 ); }' "${GROUP}"
+}
+
+#----------------------------------------------------------------------------
+get_ugroup() {
+ local username="${1}"
+ local ugid
+
+ ugid="$( get_ugid "${username}" )"
+ if [ -n "${ugid}" ]; then
+ get_group "${ugid}"
+ fi
+}
+
+#----------------------------------------------------------------------------
+# Sanity-check the new user/group:
+# - check the gid is not already used for another group
+# - check the group does not already exist with another gid
+# - check the user does not already exist with another gid
+# - check the uid is not already used for another user
+# - check the user does not already exist with another uid
+# - check the user does not already exist in another group
+check_user_validity() {
+ local username="${1}"
+ local uid="${2}"
+ local group="${3}"
+ local gid="${4}"
+ local _uid _ugid _gid _username _group _ugroup
+
+ _group="$( get_group "${gid}" )"
+ _gid="$( get_gid "${group}" )"
+ _ugid="$( get_ugid "${username}" )"
+ _username="$( get_username "${uid}" )"
+ _uid="$( get_uid "${username}" )"
+ _ugroup="$( get_ugroup "${username}" )"
+
+ if [ "${username}" = "root" ]; then
+ fail "invalid username '%s\n'" "${username}"
+ fi
+
+ if [ ${gid} -lt -1 -o ${gid} -eq 0 ]; then
+ fail "invalid gid '%d'\n" ${gid}
+ elif [ ${gid} -ne -1 ]; then
+ # check the gid is not already used for another group
+ if [ -n "${_group}" -a "${_group}" != "${group}" ]; then
+ fail "gid is already used by group '${_group}'\n"
+ fi
+
+ # check the group does not already exists with another gid
+ if [ -n "${_gid}" -a ${_gid} -ne ${gid} ]; then
+ fail "group already exists with gid '${_gid}'\n"
+ fi
+
+ # check the user does not already exists with another gid
+ if [ -n "${_ugid}" -a ${_ugid} -ne ${gid} ]; then
+ fail "user already exists with gid '${_ugid}'\n"
+ fi
+ fi
+
+ if [ ${uid} -lt -1 -o ${uid} -eq 0 ]; then
+ fail "invalid uid '%d'\n" ${uid}
+ elif [ ${uid} -ne -1 ]; then
+ # check the uid is not already used for another user
+ if [ -n "${_username}" -a "${_username}" != "${username}" ]; then
+ fail "uid is already used by user '${_username}'\n"
+ fi
+
+ # check the user does not already exists with another uid
+ if [ -n "${_uid}" -a ${_uid} -ne ${uid} ]; then
+ fail "user already exists with uid '${_uid}'\n"
+ fi
+ fi
+
+ # check the user does not already exist in another group
+ if [ -n "${_ugroup}" -a "${_ugroup}" != "${group}" ]; then
+ fail "user already exists with group '${_ugroup}'\n"
+ fi
+
+ return 0
+}
+
+#----------------------------------------------------------------------------
+# Generate a unique GID for given group. If the group already exists,
+# then simply report its current GID. Otherwise, generate the lowest GID
+# that is:
+# - not 0
+# - comprised in [MIN_GID..MAX_GID]
+# - not already used by a group
+generate_gid() {
+ local group="${1}"
+ local gid
+
+ gid="$( get_gid "${group}" )"
+ if [ -z "${gid}" ]; then
+ for(( gid=MIN_GID; gid<=MAX_GID; gid++ )); do
+ if [ -z "$( get_group "${gid}" )" ]; then
+ break
+ fi
+ done
+ if [ ${gid} -gt ${MAX_GID} ]; then
+ fail "can not allocate a GID for group '%s'\n" "${group}"
+ fi
+ fi
+ printf "%d\n" "${gid}"
+}
+
+#----------------------------------------------------------------------------
+# Add a group; if it does already exist, remove it first
+add_one_group() {
+ local group="${1}"
+ local gid="${2}"
+ local _f
+
+ # Generate a new GID if needed
+ if [ ${gid} -eq -1 ]; then
+ gid="$( generate_gid "${group}" )"
+ fi
+
+ # Remove any previous instance of this group, and re-add the new one
+ sed -i -e '/^'"${group}"':.*/d;' "${GROUP}"
+ printf "%s:x:%d:\n" "${group}" "${gid}" >>"${GROUP}"
+
+ # Ditto for /etc/gshadow if it exists
+ if [ -f "${GSHADOW}" ]; then
+ sed -i -e '/^'"${group}"':.*/d;' "${GSHADOW}"
+ printf "%s:*::\n" "${group}" >>"${GSHADOW}"
+ fi
+}
+
+#----------------------------------------------------------------------------
+# Generate a unique UID for given username. If the username already exists,
+# then simply report its current UID. Otherwise, generate the lowest UID
+# that is:
+# - not 0
+# - comprised in [MIN_UID..MAX_UID]
+# - not already used by a user
+generate_uid() {
+ local username="${1}"
+ local uid
+
+ uid="$( get_uid "${username}" )"
+ if [ -z "${uid}" ]; then
+ for(( uid=MIN_UID; uid<=MAX_UID; uid++ )); do
+ if [ -z "$( get_username "${uid}" )" ]; then
+ break
+ fi
+ done
+ if [ ${uid} -gt ${MAX_UID} ]; then
+ fail "can not allocate a UID for user '%s'\n" "${username}"
+ fi
+ fi
+ printf "%d\n" "${uid}"
+}
+
+#----------------------------------------------------------------------------
+# Add given user to given group, if not already the case
+add_user_to_group() {
+ local username="${1}"
+ local group="${2}"
+ local _f
+
+ for _f in "${GROUP}" "${GSHADOW}"; do
+ [ -f "${_f}" ] || continue
+ sed -r -i -e 's/^('"${group}"':.*:)(([^:]+,)?)'"${username}"'(,[^:]+*)?$/\1\2\4/;' \
+ -e 's/^('"${group}"':.*)$/\1,'"${username}"'/;' \
+ -e 's/,+/,/' \
+ -e 's/:,/:/' \
+ "${_f}"
+ done
+}
+
+#----------------------------------------------------------------------------
+# Encode a password
+encode_password() {
+ local passwd="${1}"
+
+ mkpasswd -m "${PASSWD_METHOD}" "${passwd}"
+}
+
+#----------------------------------------------------------------------------
+# Add a user; if it does already exist, remove it first
+add_one_user() {
+ local username="${1}"
+ local uid="${2}"
+ local group="${3}"
+ local gid="${4}"
+ local passwd="${5}"
+ local home="${6}"
+ local shell="${7}"
+ local groups="${8}"
+ local comment="${9}"
+ local _f _group _home _shell _gid _passwd
+
+ # First, sanity-check the user
+ check_user_validity "${username}" "${uid}" "${group}" "${gid}"
+
+ # Generate a new UID if needed
+ if [ ${uid} -eq -1 ]; then
+ uid="$( generate_uid "${username}" )"
+ fi
+
+ # Remove any previous instance of this user
+ for _f in "${PASSWD}" "${SHADOW}"; do
+ sed -r -i -e '/^'"${username}"':.*/d;' "${_f}"
+ done
+
+ _gid="$( get_gid "${group}" )"
+ _shell="${shell}"
+ if [ "${shell}" = "-" ]; then
+ _shell="/bin/false"
+ fi
+ case "${home}" in
+ -) _home="/";;
+ /) fail "home can not explicitly be '/'\n";;
+ /*) _home="${home}";;
+ *) fail "home must be an absolute path\n";;
+ esac
+ case "${passwd}" in
+ !=*)
+ _passwd='!'"$( encode_passwd "${passwd#!=}" )"
+ ;;
+ =*)
+ _passwd="$( encode_passwd "${passwd#=}" )"
+ ;;
+ *)
+ _passwd="${passwd}"
+ ;;
+ esac
+
+ printf "%s:x:%d:%d:%s:%s:%s\n" \
+ "${username}" "${uid}" "${_gid}" \
+ "${comment}" "${_home}" "${_shell}" \
+ >>"${PASSWD}"
+ printf "%s:%s:::::::\n" \
+ "${username}" "${_passwd}" \
+ >>"${SHADOW}"
+
+ # Add the user to its additional groups
+ if [ "${groups}" != "-" ]; then
+ for _group in ${groups//,/ }; do
+ add_user_to_group "${username}" "${_group}"
+ done
+ fi
+
+ # If the user has a home, chown it
+ # (Note: stdout goes to the fakeroot-script)
+ if [ "${home}" != "-" ]; then
+ mkdir -p "${TARGET_DIR}/${home}"
+ printf "chown -R %d:%d '%s'\n" "${uid}" "${_gid}" "${TARGET_DIR}/${home}"
+ fi
+}
+
+#----------------------------------------------------------------------------
+main() {
+ local username uid group gid passwd home shell groups comment
+
+ # Some sanity checks
+ if [ ${MIN_UID} -le 0 ]; then
+ fail "MIN_UID must be >0 (currently %d)\n" ${MIN_UID}
+ fi
+ if [ ${MIN_GID} -le 0 ]; then
+ fail "MIN_GID must be >0 (currently %d)\n" ${MIN_GID}
+ fi
+
+ # We first create groups whose gid is not -1, and then we create groups
+ # whose gid is -1 (automatic), so that, if a group is defined both with
+ # a specified gid and an automatic gid, we ensure the specified gid is
+ # used, rather than a different automatic gid is computed.
+
+ # First, create all the main groups which gid is *not* automatic
+ while read username uid group gid passwd home shell groups comment; do
+ [ -n "${username}" ] || continue # Package with no user
+ [ ${gid} -ge 0 ] || continue # Automatic gid
+ add_one_group "${group}" "${gid}"
+ done <"${USERS_TABLE}"
+
+ # Then, create all the main groups which gid *is* automatic
+ while read username uid group gid passwd home shell groups comment; do
+ [ -n "${username}" ] || continue # Package with no user
+ [ ${gid} -eq -1 ] || continue # Non-automatic gid
+ add_one_group "${group}" "${gid}"
+ done <"${USERS_TABLE}"
+
+ # Then, create all the additional groups
+ # If any additional group is already a main group, we should use
+ # the gid of that main group; otherwise, we can use any gid
+ while read username uid group gid passwd home shell groups comment; do
+ [ -n "${username}" ] || continue # Package with no user
+ if [ "${groups}" != "-" ]; then
+ for g in ${groups//,/ }; do
+ add_one_group "${g}" -1
+ done
+ fi
+ done <"${USERS_TABLE}"
+
+ # When adding users, we do as for groups, in case two packages create
+ # the same user, one with an automatic uid, the other with a specified
+ # uid, to ensure the specified uid is used, rather than an incompatible
+ # uid be generated.
+
+ # Now, add users whose uid is *not* automatic
+ while read username uid group gid passwd home shell groups comment; do
+ [ -n "${username}" ] || continue # Package with no user
+ [ ${uid} -ge 0 ] || continue # Automatic uid
+ add_one_user "${username}" "${uid}" "${group}" "${gid}" "${passwd}" \
+ "${home}" "${shell}" "${groups}" "${comment}"
+ done <"${USERS_TABLE}"
+
+ # Finally, add users whose uid *is* automatic
+ while read username uid group gid passwd home shell groups comment; do
+ [ -n "${username}" ] || continue # Package with no user
+ [ ${uid} -eq -1 ] || continue # Non-automatic uid
+ add_one_user "${username}" "${uid}" "${group}" "${gid}" "${passwd}" \
+ "${home}" "${shell}" "${groups}" "${comment}"
+ done <"${USERS_TABLE}"
+}
+
+#----------------------------------------------------------------------------
+main "${@}"