[Re: [oe] [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir] On 13.12.02 (Mon 17:20) Rongqing Li wrote:
> Drop it, test shows it does not work since /bin/false is not valid > shell, even if set RequireValidShell to off Hmm, so, there's something else at play here, given: ------------------------------------------------------------------------ commit b613318e14a0038b4fc6d5a7378b1affb64fd471 Author: Robert Yang <[email protected]> Date: Wed Nov 13 05:24:24 2013 +0800 quagga: use /bin/false as the login shell Use /bin/false as the login shell, just like what Ubuntu does, otherwise there might be secure issue. Signed-off-by: Robert Yang <[email protected]> Signed-off-by: Joe MacDonald <[email protected]> diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index 2106c9b..677b1c5 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc @@ -148,7 +148,7 @@ INITSCRIPT_PARAMS_${PN}-watchquagga = "defaults 90 10" # Add quagga's user and group USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system quagga ; --system quaggavty" -USERADD_PARAM_${PN} = "--system --home ${localstatedir}/run/quagga/ -M -g quagga quagga" +USERADD_PARAM_${PN} = "--system --home ${localstatedir}/run/quagga/ -M -g quagga --shell /bin/false quagga" pkg_postinst_${PN} () { if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then ------------------------------------------------------------------------ Is it that proftpd actually needs to spawn a shell somewhere or that /bin/false simply isn't listed as a valid shell? (If the latter, something should've shown up with the quagga commit, shouldn't it?) Can you guys sync and get back to me on this? Thanks, -J. > > On 12/02/2013 12:44 PM, [email protected] wrote: > >From: Roy Li <[email protected]> > > > >Use /bin/false as the login shell, just like what Ubuntu does, > >otherwise there might be secure issue; add /var/lib/ftp as user > >ftp home-dir. 
> > > >Signed-off-by: Roy Li <[email protected]> > >--- > > meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > >diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb > >b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb > >index 6537b77..0006a2a 100644 > >--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb > >+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb > >@@ -62,6 +62,7 @@ INITSCRIPT_PARAM = "defaults 85 15" > > > > USERADD_PACKAGES = "${PN}" > > GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}" > >-USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}" > >+USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir > >/var/lib/${FTPUSER} --no-create-home \ > >+ --shell /bin/false ${FTPUSER}" > > > > FILES_${PN} += "/home/${FTPUSER}" > > > -- -Joe MacDonald. :wq
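Review bot: In the quagga.inc hunk, the commit message justifies adding --shell /bin/false only with "just like what Ubuntu does, otherwise there might be secure issue". It should state which shell the quagga account received before the change and what that permitted, so that a reader can judge whether the same reasoning carries over to other recipes, as is being attempted for proftpd in this thread. The rest of the USERADD_PARAM_${PN} line is unchanged and needs no comment.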
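Review bot: In the proftpd_1.3.4b.bb hunk, the new USERADD_PARAM_${PN} sets --home-dir /var/lib/${FTPUSER} together with --no-create-home, while the unchanged context line FILES_${PN} += "/home/${FTPUSER}" still packages the old location and nothing visible in the hunk creates or ships /var/lib/${FTPUSER}. Either move the packaged directory to the new path or keep the home directory where the recipe already installs it, so that the ftp account does not point at a directory that is missing on the target. The quagga recipe quoted in this thread uses ${localstatedir} rather than a literal /var, and ${localstatedir}/lib/${FTPUSER} would follow that convention. Since the reply at the top of the thread reports that /bin/false fails even with RequireValidShell set to off, it would help to split the shell change from the home-dir change so that each can be tested on its own.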
_______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
