Hello community, here is the log from the commit of package mkinitrd for openSUSE:Factory checked in at 2013-04-23 17:20:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mkinitrd (Old) and /work/SRC/openSUSE:Factory/.mkinitrd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mkinitrd", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/mkinitrd/mkinitrd.changes 2013-04-05 17:28:32.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.mkinitrd.new/mkinitrd.changes 2013-04-23 17:20:21.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Apr 22 14:43:49 UTC 2013 - [email protected] + +- Be sure that plymouth does not break emergency shell +- Add sulogin and shadow password entry for root + +------------------------------------------------------------------- New: ---- mkinitrd-2.7.2-sulogin.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mkinitrd.spec ++++++ --- /var/tmp/diff_new_pack.imYvu5/_old 2013-04-23 17:20:26.000000000 +0200 +++ /var/tmp/diff_new_pack.imYvu5/_new 2013-04-23 17:20:26.000000000 +0200 @@ -51,6 +51,7 @@ Group: System/Base BuildRoot: %{_tmppath}/%{name}-%{version}-build Source0: mkinitrd.tar.bz2 +Patch0: mkinitrd-2.7.2-sulogin.patch # Note: the whole package is maintained in this git repository, please # don't change it in the build service without sending the author a # pull request or patch first. Otherwise, you risk that your changes will be @@ -85,6 +86,7 @@ %prep %setup +%patch0 %build %__cc $RPM_OPT_FLAGS -Wall -Os -o lib/mkinitrd/bin/run-init src/run-init.c ++++++ mkinitrd-2.7.2-sulogin.patch ++++++ >From a258757bce1debd35eba6f4e5b3f1f38f799b7c4 Mon Sep 17 00:00:00 2001 From: Werner Fink <[email protected]> Date: Wed, 10 Apr 2013 12:57:27 +0200 Subject: [PATCH] Switch plymouth and/or splash off before escaping to emergency shell As well as use sulogin to have a emergency shell on all consoles and to enable a password check. For this check the initrd should be set to be readable only by root to avoid that users can to spy on the confidential data stored within the initrd. 
Signed-off-by: Werner Fink <[email protected]> --- man/mkinitrd.8.txt | 3 +++ sbin/mkinitrd | 7 ++++--- scripts/boot-mount.sh | 12 +++--------- scripts/boot-network.sh | 4 +--- scripts/boot-start.sh | 25 ++++++++++++++++++++++--- scripts/setup-done.sh | 11 +++++++---- scripts/setup-prepare.sh | 42 +++++++++++++++++++++++++++++++++--------- 7 files changed, 73 insertions(+), 31 deletions(-) diff --git man/mkinitrd.8.txt man/mkinitrd.8.txt index 88014be..03014e6 100644 --- man/mkinitrd.8.txt +++ man/mkinitrd.8.txt @@ -142,6 +142,9 @@ created. This is useful if you call mkinitrd(8) not for the running system but for example in a spec file to pre-generate an initrd or to generate a special kdump initrd (which *mkdumprd*(8) does). +*-P*:: +Do not include the password of the super user (root). + *-A*:: Create a so called "monster initrd" which includes all available features and modules. diff --git sbin/mkinitrd sbin/mkinitrd index 42d5974..09db0e3 100755 --- sbin/mkinitrd +++ sbin/mkinitrd @@ -279,7 +279,7 @@ find_tmpdir() { local dir st size last_size=0 - for dir in "$TMPDIR" /dev/shm /tmp /var/tmp; do + for dir in ${TMPDIR:-/tmp} /dev/shm /tmp /var/tmp; do if test ! -w "$dir"; then continue fi @@ -306,12 +306,13 @@ find_tmpdir() } find_tmpdir -work_dir=$(mktemp -qd $tmp_dir/${mkinit_name}.XXXXXX) +work_dir=$(mktemp -qd $tmp_dir/${mkinit_name}.XXXXXXXX) if [ $? -ne 0 ]; then echo "$0: Can't create temp dir, exiting." >&2 exit 1 fi - +TMPDIR=$work_dir +export TMPDIR saved_args=$@ read_options diff --git scripts/boot-mount.sh scripts/boot-mount.sh index 8347303..7440e94 100644 --- scripts/boot-mount.sh +++ scripts/boot-mount.sh @@ -67,9 +67,7 @@ read_only=${cmd_ro} # And now for the real thing if ! discover_root ; then - echo "not found -- exiting to /bin/sh" - cd / - PATH=$PATH PS1='$ ' sh -i + emergency "not found" fi sysdev=$(udevadm info -q path -n $rootdev) 
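Review bot: The new loop header in find_tmpdir, `for dir in ${TMPDIR:-/tmp} /dev/shm /tmp /var/tmp; do`, drops the quotes the old line had, so a TMPDIR value containing whitespace or glob characters is split or expanded before `test -w "$dir"` sees it. Writing it as `for dir in "${TMPDIR:-/tmp}" /dev/shm /tmp /var/tmp; do` keeps the new default and the old quoting. The same applies to the mktemp call in the following hunk, which would read `work_dir=$(mktemp -qd "$tmp_dir/${mkinit_name}.XXXXXXXX")`. The new `TMPDIR=$work_dir` / `export TMPDIR` lines would also benefit from a short comment such as `# children create their temp files inside the private mktemp directory`. find_tmpdir's body continues outside the hunk.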
@@ -95,9 +93,7 @@ fi oacp=$(type -p on_ac_power) # check filesystem if possible if [ -z "$rootfstype" ]; then - echo "invalid root filesystem -- exiting to /bin/sh" - cd / - PATH=$PATH PS1='$ ' sh -i + emergency "invalid root filesystem" # skip fsck if running on battery elif [ -n "${oacp}" ] && ! ${oacp} -q ; then echo skipping fsck because running on batteries @@ -159,9 +155,7 @@ fi echo mount $opt $rootdev /root mount $opt $rootdev /root if [ $? -ne 0 ] ; then - echo "could not mount root filesystem -- exiting to /bin/sh" - cd / - PATH=$PATH PS1='$ ' sh -i + emergency "could not mount root filesystem" fi unset discover_root diff --git scripts/boot-network.sh scripts/boot-network.sh index 33cb8ed..3c12bb3 100644 --- scripts/boot-network.sh +++ scripts/boot-network.sh @@ -59,9 +59,7 @@ configure_dynamic() if [ -s /var/lib/dhcpcd/dhcpcd-$interface.info ] ; then . /var/lib/dhcpcd/dhcpcd-$interface.info else - echo "no response from dhcp server -- exiting to /bin/sh" - cd / - PATH=$PATH PS1='$ ' sh -i + emergency "no response from dhcp server" fi [ -e "/var/run/dhcpcd-$interface.pid" ] && kill -9 $(cat /var/run/dhcpcd-$interface.pid) if [ -n "$DNS" ]; then diff --git scripts/boot-start.sh scripts/boot-start.sh index 9587d0d..cd87a14 100644 --- scripts/boot-start.sh +++ scripts/boot-start.sh @@ -14,6 +14,7 @@ #%programs: showconsole #%programs: sleep #%programs: umount +#%programs: sulogin # tools used by linuxrc/init #%programs: insmod 
@@ -45,13 +46,31 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin die() { umount /proc umount /sys - if [ "$devpts" = "yes" ]; then - umount -t devpts /dev/pts - fi + umount /dev/pts umount /dev exit $1 } +emergency() { + local plymouth sulogin + if plymouth=$(type -p plymouth 2> /dev/null) ; then + $plymouth quit + $plymouth --wait + fi + if test -w /proc/splash ; then + echo verbose >| /proc/splash + fi + cd / + echo -n "${1+$@} -- " + if sulogin=$(type -p sulogin 2> /dev/null); then + echo "exiting to $sulogin" + PATH=$PATH PS1='$ ' $sulogin /dev/console + else + echo "exiting to /bin/sh" + PATH=$PATH PS1='$ ' /bin/sh -i + fi +} + mount -t proc proc /proc mount -t sysfs sysfs /sys if mount -t devtmpfs -o mode=0755,nr_inodes=0 devtmpfs /dev; then diff --git scripts/setup-done.sh scripts/setup-done.sh index b2127ea..c6c50e9 100644 --- scripts/setup-done.sh +++ scripts/setup-done.sh @@ -13,8 +13,12 @@ fi pushd . > /dev/null 2>&1 cd $tmp_mnt # suid mount will fail if mkinitrd was called as user -find . -type f \( -perm -4000 -o -perm -2000 \) -exec chmod 755 {} \; -find *bin usr/*bin -type f -exec chmod 755 {} \; +find . -type f -and \( -perm -4000 -or -perm -2000 \) -exec chmod 755 {} \+ +find *bin usr/*bin -type f -exec chmod 755 {} \+ +# find any files which are only readable by owner and/or group +# if so make initrd only radable by the (super) user +secure=$(find etc \( -type f -or -type d \) -and \! -perm -004 2>/dev/null | wc -l) +(($secure == 0)) || umask 0066 if ! find . ! -name "*~" | cpio --quiet -H newc --create | $COMPRESS > $tmp_initrd then oops 8 "Failed to build initrd" @@ -28,8 +32,7 @@ if [[ $kernel_image =~ uImage ]]; then tmp_initrd=$tmp_initrd.uboot fi popd > /dev/null 2>&1 -if ! cp -f $tmp_initrd $initrd_image ; then +if ! cp -pf $tmp_initrd $initrd_image ; then oops 8 "Failed to install initrd" fi rm -rf $tmp_mnt - 
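Review bot: emergency() only enforces a password when `type -p sulogin` succeeds; the else branch still starts `/bin/sh -i` with no authentication, and the message does not tell the operator that the check was skipped. Since `#%programs: sulogin` is now listed, a missing sulogin looks like a build problem, so the fallback could say so, e.g. `echo "sulogin not found, exiting to /bin/sh without password check"`. The function also returns once the shell exits and its exit status is not examined, so the callers in boot-mount.sh and boot-network.sh continue past the failed step. A header comment would document this, for example `# emergency MSG...: stop plymouth/splash, print MSG, run sulogin on /dev/console (plain sh if missing); returns when that shell exits`.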
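Review bot: The `umask 0066` added before the cpio pipeline in scripts/setup-done.sh restricts the image only if `$tmp_initrd` is created by that redirection; if the file already exists (its creation is outside the hunk), the redirect truncates it and the old mode stays. The same concern applies to `cp -pf $tmp_initrd $initrd_image` in the next hunk: when an older, world-readable `$initrd_image` is already in place, cp typically writes the new contents into it before the preserved mode is applied, so the shadow entry may be readable for a short time. Setting the mode explicitly avoids both dependencies, e.g. `(($secure == 0)) || chmod 0600 $tmp_initrd` once the image is written, and removing the old destination before the copy. The umask is also never restored here, unlike the `oumask` save and restore in setup-prepare.sh. The added comment has a typo (`radable`).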
diff --git scripts/setup-prepare.sh scripts/setup-prepare.sh index 71ef225..5391bf3 100644 --- scripts/setup-prepare.sh +++ scripts/setup-prepare.sh @@ -9,6 +9,7 @@ #%param_M: "System.map file to use." map sysmap #%param_A: "Create a so called \"monster initrd\" which includes all features and modules possible." #%param_B: "Do not update bootloader configuration." +#%param_P: "Do not include the password of the super user (root)." #%param_v: "Verbose mode." #%param_R: "Print release (version)." #%param_L: "Disable logging." 
@@ -215,21 +216,44 @@ for mod in $root_dir/etc/modprobe.conf $root_dir/etc/modprobe.conf.local \ $root_dir/etc/modprobe.d ; do test -e $mod && cp -r $mod $tmp_mnt/etc done -cat > $tmp_mnt/bin/true <<-EOF -#! /bin/sh -: -EOF +cat > $tmp_mnt/bin/true <<-'EOF' + #! /bin/sh + : + EOF chmod +x $tmp_mnt/bin/true mkdir -p $tmp_mnt/var/log +# password support only if initrd is created by super user +(($(id -u) == 0)) || param_P=yes +if [ -z "$param_P" ]; then + pw=x +else + pw= +fi + # all dev nodes belong to root, but some may be # owned by a group other than root -# getent passwd | sed '/^root:/s/^\([^:]\+\):[^:]*:\([^:]\+\):\([^:]\+\):.*/\1::\2:\3:::/p;d' > $tmp_mnt/etc/passwd -echo 'root::0:0:::' > $tmp_mnt/etc/passwd -echo 'nobody::65534:65533:::' >> $tmp_mnt/etc/passwd -getent group | sed 's/^\([^:]\+\):[^:]*:\([^:]\+\):.*/\1::\2:/' > $tmp_mnt/etc/group -(echo 'passwd: files';echo 'group: files') > $tmp_mnt/etc/nsswitch.conf +# getent --service=files passwd | \ +# sed -n "/^\(nobody\|root\):/s/^\([^:]\+\):[^:]*:\([^:]\+\):\([^:]\+\):.*/\1:${pw}:\2:\3::\/:/p" > $tmp_mnt/etc/passwd +cat > $tmp_mnt/etc/passwd <<-EOF + root:${pw}:0:0::/: + nobody:${pw}:65534:65533::/: + EOF +getent --service=files group | sed -n 's/^\([^:+]\+\):[^:]*:\([^:]\+\):.*/\1::\2:/p' > $tmp_mnt/etc/group +cat > $tmp_mnt/etc/nsswitch.conf <<-'EOF' + passwd: files + shadow: files + group: files + EOF +if [ -z "$param_P" ]; then + oumask=$(umask) + umask 0026 + getent --service=files shadow | \ + sed -n '/^\(nobody\|root\):/s/^\([^:]\+\):\([^:]\+\):\([0-9]*\):.*/\1:\2:\3::::::/p' > $tmp_mnt/etc/shadow + chgrp shadow $tmp_mnt/etc/shadow + umask $oumask +fi # scsi_id config file f=/etc/scsi_id.config -- 1.7.10.4 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
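Review bot: The block that writes `$tmp_mnt/etc/shadow` never checks that a root line was produced: the sed pattern requires a non-empty password field (`\([^:]\+\)`), and neither `getent` nor `chgrp shadow` has its status checked, so passwd can say `root:x:` while shadow has no matching entry. What sulogin does with such a pair should be confirmed; the build could stop with an error, or fall back to the `-P` behaviour, when `grep -q '^root:' $tmp_mnt/etc/shadow` fails. A comment above the block would help the next maintainer: `# copies root's password hash into the initrd; the image must then be readable by root only (see setup-done.sh), -P leaves it out`. With `-P`, or when mkinitrd is not run as root, `pw` is empty and root gets an empty password field in the initrd's passwd, which deserves a sentence in the man page entry for `-P`.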
