From: Randolph Sapp <[email protected]>

Change this single xuser account template into a generic
standard-user-account that uses distro level variables for
configuration.

This allows for seamless configuration of multiple out-of-box scripts
and tests across layers without having to implicitly hope that the
username or groups haven't been changed by a bbappend or recipe
override.

This also adds a class and a variable to allow recipes to assert that
the user is in requested groups.

This was proposed specifically to remove some issues highlighted in:
https://lists.openembedded.org/g/openembedded-core/message/230665

Signed-off-by: Randolph Sapp <[email protected]>
---
 meta-selftest/files/static-group              |  3 +-
 meta-selftest/files/static-passwd             |  3 +-
 meta/classes-recipe/standard-user.bbclass     | 26 ++++++++++++
 .../distro/include/default-distrovars.inc     | 12 ++++++
 meta/conf/distro/include/maintainers.inc      |  2 +-
 meta/conf/documentation.conf                  |  4 ++
 meta/recipes-graphics/wayland/weston-init.bb  | 12 +++---
 .../x11-common/xserver-nodm-init_3.0.bb       |  8 ++--
 .../{system-xuser.conf => system-user.conf}   |  2 +-
 .../standard-user-account_0.1.bb              | 42 +++++++++++++++++++
 .../user-creation/xuser-account_0.1.bb        | 30 -------------
 scripts/sstate-sysroot-cruft.sh               |  6 +--
 12 files changed, 101 insertions(+), 49 deletions(-)
 create mode 100644 meta/classes-recipe/standard-user.bbclass
 rename meta/recipes-support/user-creation/files/{system-xuser.conf => 
system-user.conf} (90%)
 create mode 100644 
meta/recipes-support/user-creation/standard-user-account_0.1.bb
 delete mode 100644 meta/recipes-support/user-creation/xuser-account_0.1.bb

diff --git a/meta-selftest/files/static-group b/meta-selftest/files/static-group
index 6a9ece20a8..9ef91bbdca 100644
--- a/meta-selftest/files/static-group
+++ b/meta-selftest/files/static-group
@@ -20,12 +20,11 @@ pulse:x:520:
 bind:x:521:
 builder:x:522:
 weston-launch:x:524:
-weston:x:525:
 wayland:x:526:
 render:x:527:
 sgx:x:528:
 ptest:x:529:
-xuser:x:530:
+user:x:530:
 seat:x:531:
 audio:x:532:
 empower:x:533:
diff --git a/meta-selftest/files/static-passwd 
b/meta-selftest/files/static-passwd
index 98017c8153..cddf095ff2 100644
--- a/meta-selftest/files/static-passwd
+++ b/meta-selftest/files/static-passwd
@@ -16,8 +16,7 @@ pulse:x:520:520::/:/bin/nologin
 bind:x:521:521::/:/bin/nologin
 builder:x:522:522::/:/bin/nologin
 _apt:x:523:523::/:/bin/nologin
-weston:x:525:525::/:/bin/nologin
 ptest:x:529:529::/:/bin/nologin
-xuser:x:530:530::/:/bin/nologin
+user:x:530:530::/:/bin/nologin
 cmake-example:x:534:534::/var/lib/cmake-example:/bin/false
 meson-example:x:535:535::/var/lib/meson-example:/bin/false
diff --git a/meta/classes-recipe/standard-user.bbclass 
b/meta/classes-recipe/standard-user.bbclass
new file mode 100644
index 0000000000..ff931b8092
--- /dev/null
+++ b/meta/classes-recipe/standard-user.bbclass
@@ -0,0 +1,26 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+
+STANDARD_USER_PACKAGES ?= "${PN}"
+REQUIRED_STANDARD_USER_GROUPS ?= ""
+
+python __anonymous() {
+    d.appendVar("DEPENDS", " standard-user-account")
+
+    for pkg in d.getVar('STANDARD_USER_PACKAGES').split():
+        d.appendVar("RDEPENDS:" + pkg, " standard-user-account")
+
+    active_groups = set(d.getVar('STANDARD_USER_GROUPS').split())
+    active_groups.update(d.getVar('STANDARD_USER_SYSTEM_GROUPS').split())
+    required_groups = set(d.getVar('REQUIRED_STANDARD_USER_GROUPS').split())
+
+    if not required_groups.issubset(active_groups):
+        raise bb.parse.SkipRecipe(
+            "one of '%s' needs to be in STANDARD_USER_GROUPS or "
+            "STANDARD_USER_SYSTEM_GROUPS"
+            % ' '.join(required_groups)
+        )
+}
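Review bot: The SkipRecipe message at the end of the new `__anonymous` says "one of '%s' needs to be in …" but `issubset` requires every group to be present, and it prints the full required set rather than the ones actually missing, so a distro maintainer cannot tell which group to add. The three `d.getVar(...).split()` calls also differ from the `or ""` guards used in standard-user-account_0.1.bb: if a distro does not include default-distrovars.inc, `getVar` returns None and parsing dies with an AttributeError instead of a readable error. Computing `required_groups - active_groups` and reporting that set fixes both; suggested rewrite below.

```python
# … unchanged: DEPENDS/RDEPENDS appends …
    active_groups = set((d.getVar('STANDARD_USER_GROUPS') or "").split())
    active_groups.update((d.getVar('STANDARD_USER_SYSTEM_GROUPS') or "").split())
    required_groups = set((d.getVar('REQUIRED_STANDARD_USER_GROUPS') or "").split())

    # Report exactly what is missing so the distro config can be fixed.
    missing_groups = required_groups - active_groups
    if missing_groups:
        raise bb.parse.SkipRecipe(
            "standard user is missing required groups '%s'; add them to "
            "STANDARD_USER_GROUPS or STANDARD_USER_SYSTEM_GROUPS"
            % ' '.join(sorted(missing_groups))
        )
```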
diff --git a/meta/conf/distro/include/default-distrovars.inc 
b/meta/conf/distro/include/default-distrovars.inc
index 69c6db589b..88c3bc38be 100644
--- a/meta/conf/distro/include/default-distrovars.inc
+++ b/meta/conf/distro/include/default-distrovars.inc
@@ -66,3 +66,15 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}"
 # the variable to be empty.
 # Git example url: 
git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master
 CONNECTIVITY_CHECK_URIS ?= "https://www.yoctoproject.org/connectivity.html";
+
+# The STANDARD_USER_NAME is the default underprivileged user account name.
+# The STANDARD_USER_GROUPS is a space delimited list of user groups that 
account
+# should belong to, and STANDARD_USER_SYSTEM_GROUPS is the same but for system
+# groups.
+#
+# Please take note that not all tooling currently supports changing these
+# variables. Scripts like sstate-sysroot-cruft.sh and reproducible builds 
expect
+# these values to be the defaults listed below.
+STANDARD_USER_NAME ??= "user"
+STANDARD_USER_GROUPS ??= ""
+STANDARD_USER_SYSTEM_GROUPS ??= "video render tty audio input shutdown disk 
wayland"
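Review bot: The comment above `STANDARD_USER_NAME` describes the account as "underprivileged", yet the default `STANDARD_USER_SYSTEM_GROUPS` carries the old xuser memberships `disk` and `shutdown`, which on typical Linux systems grant direct block-device access and shutdown rights; since this patch makes the same account the weston user, the rootless X user and the subject of the connman/ofono D-Bus policy, its effective privilege is the union of every consumer's requirements. A one-line caveat would help distro maintainers who tune these values, e.g. `# NOTE: the default system groups (disk, shutdown) are not low-privilege; trim them if the image does not need rootless X.` The second comment line also reads "groups that account should belong to" and should be "groups that the account should belong to".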
diff --git a/meta/conf/distro/include/maintainers.inc 
b/meta/conf/distro/include/maintainers.inc
index 66902616f5..8d2a92f041 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -814,6 +814,7 @@ RECIPE_MAINTAINER:pn-spirv-tools = "Jose Quaresma 
<[email protected]>"
 RECIPE_MAINTAINER:pn-sqlite3 = "Unassigned <[email protected]>"
 RECIPE_MAINTAINER:pn-squashfs-tools = "Robert Yang <[email protected]>"
 RECIPE_MAINTAINER:pn-ssh-pregen-hostkeys = "Richard Purdie 
<[email protected]>"
+RECIPE_MAINTAINER:pn-standard-user-account = "Unassigned 
<[email protected]>"
 RECIPE_MAINTAINER:pn-startup-notification = "Unassigned 
<[email protected]>"
 RECIPE_MAINTAINER:pn-strace = "Robert Yang <[email protected]>"
 RECIPE_MAINTAINER:pn-stress-ng = "Unassigned <[email protected]>"
@@ -940,7 +941,6 @@ RECIPE_MAINTAINER:pn-xserver-xf86-config = "Unassigned 
<unassigned@yoctoproject.
 RECIPE_MAINTAINER:pn-xserver-xorg = "Unassigned <[email protected]>"
 RECIPE_MAINTAINER:pn-xset = "Unassigned <[email protected]>"
 RECIPE_MAINTAINER:pn-xtrans = "Unassigned <[email protected]>"
-RECIPE_MAINTAINER:pn-xuser-account = "Unassigned <[email protected]>"
 RECIPE_MAINTAINER:pn-xvinfo = "Unassigned <[email protected]>"
 RECIPE_MAINTAINER:pn-xwayland = "Unassigned <[email protected]>"
 RECIPE_MAINTAINER:pn-xwininfo = "Unassigned <[email protected]>"
diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
index 842cf31739..8701e001d6 100644
--- a/meta/conf/documentation.conf
+++ b/meta/conf/documentation.conf
@@ -346,6 +346,7 @@ RDEPENDS[doc] = "Lists a package's runtime dependencies 
(i.e. other packages) th
 REQUIRED_COMBINED_FEATURES[doc] = "When a recipe inherits the features_check 
class, all items in this variable must be included in COMBINED_FEATURES."
 REQUIRED_DISTRO_FEATURES[doc] = "When a recipe inherits the features_check 
class, all items in this variable must be included in DISTRO_FEATURES."
 REQUIRED_MACHINE_FEATURES[doc] = "When a recipe inherits the features_check 
class, all items in this variable must be included in MACHINE_FEATURES."
+REQUIRED_STANDARD_USER_GROUPS[doc] = "When a recipe inherits the standard-user 
class, all items in this variable must be included in STANDARD_USER_GROUPS or 
STANDARD_USER_SYSTEM_GROUPS."
 RM_WORK_EXCLUDE[doc] = "With rm_work enabled, this variable specifies a list 
of packages whose work directories should not be removed."
 ROOTFS[doc] = "Indicates a filesystem image to include as the root filesystem."
 ROOTFS_POSTPROCESS_COMMAND[doc] = "Added by classes to run post processing 
commands once the OpenEmbedded build system has created the root filesystem."
@@ -388,6 +389,9 @@ SSTATE_MIRRORS[doc] = "Configures the OpenEmbedded build 
system to search other
 STAGING_KERNEL_DIR[doc] = "The directory with kernel headers that are required 
to build out-of-tree modules."
 STAMP[doc] = "Specifies the base path used to create recipe stamp files. The 
path to an actual stamp file is constructed by evaluating this string and then 
appending additional information."
 STAMPS_DIR[doc] = "Specifies the base directory in which the OpenEmbedded 
build system places stamps."
+STANDARD_USER_GROUPS[doc] = "Specifies the default underprivileged user's 
groups."
+STANDARD_USER_NAME[doc] = "Specifies the default underprivileged user's 
account name."
+STANDARD_USER_SYSTEM_GROUPS[doc] = "Specifies the default underprivileged 
user's system groups."
 SUMMARY[doc] = "The short (80 characters or less) summary of the binary 
package for packaging systems such as opkg, rpm or dpkg. By default, SUMMARY is 
used to define the DESCRIPTION variable if DESCRIPTION is not set in the 
recipe."
 SYSLINUX_DEFAULT_CONSOLE[doc] = "Specifies the kernel boot default console."
 SYSLINUX_OPTS[doc] = "Lists additional options to add to the syslinux file."
diff --git a/meta/recipes-graphics/wayland/weston-init.bb 
b/meta/recipes-graphics/wayland/weston-init.bb
index 29cfba0833..feecda7c83 100644
--- a/meta/recipes-graphics/wayland/weston-init.bb
+++ b/meta/recipes-graphics/wayland/weston-init.bb
@@ -26,8 +26,8 @@ PACKAGECONFIG[use-pixman] = ",,"
 
 DEFAULTBACKEND ??= ""
 DEFAULTBACKEND:qemuall ?= "drm"
-WESTON_USER ??= "weston"
-WESTON_USER_HOME ??= "/home/${WESTON_USER}"
+WESTON_USER = "${STANDARD_USER_NAME}"
+WESTON_USER_HOME = "/home/${WESTON_USER}"
 
 do_install() {
        # Install weston-start script
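Review bot: `WESTON_USER` and `WESTON_USER_HOME` change from weak defaults (`??=`) to hard assignments, so any existing `WESTON_USER ?= "..."` in a distro or local.conf is now silently ignored rather than honoured; the commit message does not call this out. Since the account is no longer created by this recipe (the USERADD_PARAM is dropped further down) the home must match what standard-user-account creates, which is presumably why the override path is closed. A comment would make the intent explicit: `# The weston user is the distro standard user; set STANDARD_USER_NAME instead of overriding WESTON_USER.`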
@@ -83,14 +83,14 @@ do_install() {
 
 INHIBIT_UPDATERCD_BBCLASS = 
"${@oe.utils.conditional('VIRTUAL-RUNTIME_init_manager', 'systemd', '1', '', 
d)}"
 
-inherit update-rc.d systemd useradd
-
-USERADD_PACKAGES = "${PN}"
+inherit update-rc.d systemd standard-user
 
 # rdepends on weston which depends on virtual/egl
 #
 require ${THISDIR}/required-distro-features.inc
 
+REQUIRED_STANDARD_USER_GROUPS = "video input render seat wayland"
+
 RDEPENDS:${PN} = "weston kbd ${@bb.utils.contains('PACKAGECONFIG', 'xwayland', 
'weston-xwayland', '', d)}"
 
 INITSCRIPT_NAME = "weston"
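Review bot: `REQUIRED_STANDARD_USER_GROUPS = "video input render seat wayland"` includes `seat`, but the new default `STANDARD_USER_SYSTEM_GROUPS` in default-distrovars.inc is `"video render tty audio input shutdown disk wayland"`, which has no `seat`; the removed `GROUPADD_PARAM` (`-r wayland; -r render; -r seat`) was what used to create that group. Unless something outside this patch adds `seat`, standard-user.bbclass will SkipRecipe weston-init with an out-of-the-box distro config, and the failure surfaces later as an unsatisfied RPROVIDES when an image pulls weston-init in. Either add `seat` to the default `STANDARD_USER_SYSTEM_GROUPS` or drop it from the requirement here.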
@@ -109,5 +109,3 @@ FILES:${PN} += "\
 CONFFILES:${PN} += "${sysconfdir}/xdg/weston/weston.ini 
${sysconfdir}/default/weston"
 
 SYSTEMD_SERVICE:${PN} = "weston.service weston.socket"
-USERADD_PARAM:${PN} = "--home ${WESTON_USER_HOME} --shell /bin/sh --user-group 
-G video,input,render,seat,wayland ${WESTON_USER}"
-GROUPADD_PARAM:${PN} = "-r wayland; -r render; -r seat"
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb 
b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
index 169269eefb..4b8f7ff7b2 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
@@ -18,7 +18,9 @@ S = "${UNPACKDIR}"
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit update-rc.d systemd features_check
+inherit_defer ${@oe.utils.conditional('ROOTLESS_X', '1', 'standard-user', '', 
d)}
 
+REQUIRED_STANDARD_USER_GROUPS = "video tty audio input shutdown disk"
 REQUIRED_DISTRO_FEATURES = "x11 ${@oe.utils.conditional('ROOTLESS_X', '1', 
'pam', '', d)}"
 
 PACKAGECONFIG ??= "blank"
@@ -38,8 +40,8 @@ do_install() {
     BLANK_ARGS="${@bb.utils.contains('PACKAGECONFIG', 'blank', '', '-s 0 
-dpms', d)}"
     NO_CURSOR_ARG="${@bb.utils.contains('PACKAGECONFIG', 'nocursor', 
'-nocursor', '', d)}"
     if [ "${ROOTLESS_X}" = "1" ] ; then
-        XUSER_HOME="/home/xuser"
-        XUSER="xuser"
+        XUSER_HOME="/home/${STANDARD_USER_NAME}"
+        XUSER="${STANDARD_USER_NAME}"
         install -D capability.conf ${D}${sysconfdir}/security/capability.conf
         sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
     else
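Review bot: The `sed -i "s:@USER@:${XUSER}:"` now writes the shared standard user into capability.conf, so whatever capabilities that file grants (its contents are outside this patch) are conferred on the same account that weston-init runs under and that the D-Bus policy in system-user.conf names; previously they were scoped to a dedicated xuser. That is worth recording next to the assignment, e.g. `# Capabilities in capability.conf are granted to the distro-wide standard user, not an X11-only account.` The surrounding `do_install` starts and ends outside this hunk.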
@@ -62,7 +64,7 @@ do_install() {
     fi
 }
 
-RDEPENDS:${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 
'xuser-account libcap libcap-bin', '', d)}"
+RDEPENDS:${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'libcap 
libcap-bin', '', d)}"
 
 INITSCRIPT_NAME = "xserver-nodm"
 INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."
diff --git a/meta/recipes-support/user-creation/files/system-xuser.conf 
b/meta/recipes-support/user-creation/files/system-user.conf
similarity index 90%
rename from meta/recipes-support/user-creation/files/system-xuser.conf
rename to meta/recipes-support/user-creation/files/system-user.conf
index d42e3d1f50..7e94a1c938 100644
--- a/meta/recipes-support/user-creation/files/system-xuser.conf
+++ b/meta/recipes-support/user-creation/files/system-user.conf
@@ -1,7 +1,7 @@
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 
1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
 <busconfig>
-    <policy user="xuser">
+    <policy user="@STANDARD_USER_NAME@">
         <allow send_destination="net.connman"/>
         <allow send_destination="net.connman.vpn"/>
         <allow send_destination="org.ofono"/>
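Review bot: The `<policy user="@STANDARD_USER_NAME@">` block keeps the connman/ofono send allowances that were written for the X11 xuser, but the file is now shipped by standard-user-account, which every standard-user consumer (weston-init included) pulls in via RDEPENDS, so these D-Bus grants land on images that never had them before. If that widening is intended, a comment at the top of the policy saying so would help; otherwise packaging the policy separately (e.g. a `${PN}-dbus` package that only the X11 recipe requires) keeps account creation and D-Bus policy independent. The remainder of the policy is outside this hunk.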
diff --git a/meta/recipes-support/user-creation/standard-user-account_0.1.bb 
b/meta/recipes-support/user-creation/standard-user-account_0.1.bb
new file mode 100644
index 0000000000..7aa42e0338
--- /dev/null
+++ b/meta/recipes-support/user-creation/standard-user-account_0.1.bb
@@ -0,0 +1,42 @@
+SUMMARY = "Creates a standard user account"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://system-user.conf"
+
+inherit allarch useradd
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+COMMON_ARGS = "--create-home --user-group"
+
+python __anonymous() {
+    common_args = d.getVar("COMMON_ARGS") or ""
+    user = d.getVar("STANDARD_USER_NAME") or ""
+    pn = d.getVar("PN") or ""
+
+    unique_groups = sorted(set((d.getVar("STANDARD_USER_GROUPS") or 
"").split()))
+    unique_system_groups = sorted(set((d.getVar("STANDARD_USER_SYSTEM_GROUPS") 
or "").split()))
+
+    if unique_groups or unique_system_groups:
+        joined_groups = ','.join(unique_groups + unique_system_groups)
+        d.setVar(f"USERADD_PARAM:{pn}", f"{common_args} --groups 
{joined_groups} {user}")
+
+        # make sure all the groups exist
+        groupadd_str = ""
+        for group in unique_groups:
+            groupadd_str += f" {group} ;"
+        for group in unique_system_groups:
+            groupadd_str += f" --system {group} ;"
+        d.setVar(f"GROUPADD_PARAM:{pn}", f"{groupadd_str}")
+}
+
+# default case, and a requirement to satisfy the parser check
+USERADD_PARAM:${PN} = "${COMMON_ARGS} ${STANDARD_USER_NAME}"
+USERADD_PACKAGES = "${PN}"
+
+do_install () {
+       install -D -m 0644 ${UNPACKDIR}/system-user.conf 
${D}${datadir}/dbus-1/system.d/system-user.conf
+       sed -i -e 's|@STANDARD_USER_NAME@|${STANDARD_USER_NAME}|g' 
${D}${datadir}/dbus-1/system.d/system-user.conf
+}
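Review bot: `user = d.getVar("STANDARD_USER_NAME") or ""` never checks for an empty name, so a distro that blanks the variable gets a `USERADD_PARAM` ending in `--groups … ` with no account and the failure only appears from useradd at rootfs time; a parse-time `if not user: bb.fatal("STANDARD_USER_NAME must not be empty")` after the assignment gives a clear error. The name is also spliced verbatim into shell-parsed useradd parameters and into the `sed` expression in do_install, so a value containing whitespace, `|` or `&` would produce a broken command or policy; a check such as `re.fullmatch(r"[a-z_][a-z0-9_-]*", user)` next to the emptiness test would reject that early. Stylistically, the two accumulation loops can become `groupadd_str = "".join(f" {g} ;" for g in unique_groups) + "".join(f" --system {g} ;" for g in unique_system_groups)`, and the `f"{groupadd_str}"` wrapper is redundant.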
diff --git a/meta/recipes-support/user-creation/xuser-account_0.1.bb 
b/meta/recipes-support/user-creation/xuser-account_0.1.bb
deleted file mode 100644
index 04f506e7a3..0000000000
--- a/meta/recipes-support/user-creation/xuser-account_0.1.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "Creates an 'xuser' account used for running X11"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-SRC_URI = "file://system-xuser.conf"
-
-inherit allarch useradd
-
-S = "${UNPACKDIR}"
-
-do_configure() {
-    :
-}
-
-do_compile() {
-    :
-}
-
-do_install() {
-    install -D -m 0644 ${UNPACKDIR}/system-xuser.conf 
${D}${sysconfdir}/dbus-1/system.d/system-xuser.conf
-}
-
-FILES:${PN} = "${sysconfdir}/dbus-1/system.d/system-xuser.conf"
-
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM:${PN} = "--create-home \
-                       --groups video,tty,audio,input,shutdown,disk \
-                       --user-group xuser"
-
-ALLOW_EMPTY:${PN} = "1"
diff --git a/scripts/sstate-sysroot-cruft.sh b/scripts/sstate-sysroot-cruft.sh
index b2002badfb..5e1ae9c535 100755
--- a/scripts/sstate-sysroot-cruft.sh
+++ b/scripts/sstate-sysroot-cruft.sh
@@ -127,9 +127,9 @@ WHITELIST="${WHITELIST} \
 # generated by useradd.bbclass
 WHITELIST="${WHITELIST} \
   [^/]*/home \
-  [^/]*/home/xuser \
-  [^/]*/home/xuser/.bashrc \
-  [^/]*/home/xuser/.profile \
+  [^/]*/home/user \
+  [^/]*/home/user/.bashrc \
+  [^/]*/home/user/.profile \
   [^/]*/home/builder \
   [^/]*/home/builder/.bashrc \
   [^/]*/home/builder/.profile \
-- 
2.54.0
