summaryrefslogtreecommitdiffstats
path: root/meta/classes/useradd-staticids.bbclass
blob: 421a70a6abf425849dfbcbb1a045602bb1703953 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
# In order to support a deterministic set of 'dynamic' users/groups,
# we need a function to reformat the params based on a static file
def update_useradd_static_config(d):
    import argparse
    import re

    class myArgumentParser( argparse.ArgumentParser ):
        def _print_message(self, message, file=None):
            bb.warn("%s - %s: %s" % (d.getVar('PN', True), pkg, message))

        # This should never be called...
        def exit(self, status=0, message=None):
            message = message or ("%s - %s: useradd.bbclass: Argument parsing exited" % (d.getVar('PN', True), pkg))
            error(message)

        def error(self, message):
            raise bb.build.FuncFailed(message)

    # We parse and rewrite the useradd components
    def rewrite_useradd(params):
        # The following comes from --help on useradd from shadow
        parser = myArgumentParser(prog='useradd')
        parser.add_argument("-b", "--base-dir", metavar="BASE_DIR", help="base directory for the home directory of the new account")
        parser.add_argument("-c", "--comment", metavar="COMMENT", help="GECOS field of the new account")
        parser.add_argument("-d", "--home-dir", metavar="HOME_DIR", help="home directory of the new account")
        parser.add_argument("-D", "--defaults", help="print or change default useradd configuration", action="store_true")
        parser.add_argument("-e", "--expiredate", metavar="EXPIRE_DATE", help="expiration date of the new account")
        parser.add_argument("-f", "--inactive", metavar="INACTIVE", help="password inactivity period of the new account")
        parser.add_argument("-g", "--gid", metavar="GROUP", help="name or ID of the primary group of the new account")
        parser.add_argument("-G", "--groups", metavar="GROUPS", help="list of supplementary groups of the new account")
        parser.add_argument("-k", "--skel", metavar="SKEL_DIR", help="use this alternative skeleton directory")
        parser.add_argument("-K", "--key", metavar="KEY=VALUE", help="override /etc/login.defs defaults")
        parser.add_argument("-l", "--no-log-init", help="do not add the user to the lastlog and faillog databases", action="store_true")
        parser.add_argument("-m", "--create-home", help="create the user's home directory", action="store_true")
        parser.add_argument("-M", "--no-create-home", help="do not create the user's home directory", action="store_true")
        parser.add_argument("-N", "--no-user-group", help="do not create a group with the same name as the user", action="store_true")
        parser.add_argument("-o", "--non-unique", help="allow to create users with duplicate (non-unique UID)", action="store_true")
        parser.add_argument("-p", "--password", metavar="PASSWORD", help="encrypted password of the new account")
        parser.add_argument("-R", "--root", metavar="CHROOT_DIR", help="directory to chroot into")
        parser.add_argument("-r", "--system", help="create a system account", action="store_true")
        parser.add_argument("-s", "--shell", metavar="SHELL", help="login shell of the new account")
        parser.add_argument("-u", "--uid", metavar="UID", help="user ID of the new account")
        parser.add_argument("-U", "--user-group", help="create a group with the same name as the user", action="store_true")
        parser.add_argument("LOGIN", help="Login name of the new user")

        # Return a list of configuration files based on either the default
        # files/passwd or the contents of USERADD_UID_TABLES
        # paths are resulved via BBPATH
        def get_passwd_list(d):
            str = ""
            bbpath = d.getVar('BBPATH', True)
            passwd_tables = d.getVar('USERADD_UID_TABLES', True)
            if not passwd_tables:
                passwd_tables = 'files/passwd'
            for conf_file in passwd_tables.split():
                str += " %s" % bb.utils.which(bbpath, conf_file)
            return str

        newparams = []
        for param in re.split('''[ \t]*;[ \t]*(?=(?:[^'"]|'[^']*'|"[^"]*")*$)''', params):
            param = param.strip()
            if not param:
                continue
            try:
                uaargs = parser.parse_args(re.split('''[ \t]*(?=(?:[^'"]|'[^']*'|"[^"]*")*$)''', param))
            except:
                raise bb.build.FuncFailed("%s: Unable to parse arguments for USERADD_PARAM_%s: '%s'" % (d.getVar('PN', True), pkg, param))

            # files/passwd or the contents of USERADD_UID_TABLES
            # Use the standard passwd layout:
            #  username:password:user_id:group_id:comment:home_directory:login_shell
            # (we want to process in reverse order, as 'last found' in the list wins)
            #
            # If a field is left blank, the original value will be used.  The 'username'
            # field is required.
            #
            # Note: we ignore the password field, as including even the hashed password
            # in the useradd command may introduce a security hole.  It's assumed that
            # all new users get the default ('*' which prevents login) until the user is
            # specifically configured by the system admin.
            for conf in get_passwd_list(d).split()[::-1]:
                if os.path.exists(conf):
                    f = open(conf, "r")
                    for line in f:
                        if line.startswith('#'):
                            continue
                        field = line.rstrip().split(":")
                        if field[0] == uaargs.LOGIN:
                            if uaargs.uid and field[2] and (uaargs.uid != field[2]):
                                bb.warn("%s: Changing username %s's uid from (%s) to (%s), verify configuration files!" % (d.getVar('PN', True), uaargs.LOGIN, uaargs.uid, field[2]))
                            uaargs.uid = [field[2], uaargs.uid][not field[2]]

                            # Determine the possible groupname
                            # Unless the group name (or gid) is specified, we assume that the LOGIN is the groupname
                            #
                            # By default the system has creation of the matching groups enabled
                            # So if the implicit username-group creation is on, then the implicit groupname (LOGIN)
                            # is used, and we disable the user_group option.
                            #
                            uaargs.groupname = [uaargs.gid, uaargs.LOGIN][not uaargs.gid or uaargs.user_group]
                            uaargs.groupid = [uaargs.gid, uaargs.groupname][not uaargs.gid]
                            uaargs.groupid = [field[3], uaargs.groupid][not field[3]]

                            if not uaargs.gid or uaargs.gid != uaargs.groupid:
                                if (uaargs.groupid and uaargs.groupid.isdigit()) and (uaargs.groupname and uaargs.groupname.isdigit()) and (uaargs.groupid != uaargs.groupname):
                                    # We want to add a group, but we don't know it's name... so we can't add the group...
                                    # We have to assume the group has previously been added or we'll fail on the adduser...
                                    # Note: specifying the actual gid is very rare in OE, usually the group name is specified.
                                    bb.warn("%s: Changing gid for login %s from (%s) to (%s), verify configuration files!" % (d.getVar('PN', True), uaargs.LOGIN, uaargs.groupname, uaargs.gid))
                                elif (uaargs.groupid and not uaargs.groupid.isdigit()) and uaargs.groupid == uaargs.groupname:
                                    # We don't have a number, so we have to add a name
                                    bb.debug(1, "Adding group %s!" % (uaargs.groupname))
                                    uaargs.gid = uaargs.groupid
                                    uaargs.user_group = False
                                    groupadd = d.getVar("GROUPADD_PARAM_%s" % pkg, True)
                                    newgroup = "%s %s" % (['', ' --system'][uaargs.system], uaargs.groupname)
                                    if groupadd:
                                        d.setVar("GROUPADD_PARAM_%s" % pkg, "%s ; %s" % (groupadd, newgroup))
                                    else:
                                        d.setVar("GROUPADD_PARAM_%s" % pkg, newgroup)
                                elif uaargs.groupname and (uaargs.groupid and uaargs.groupid.isdigit()):
                                    # We have a group name and a group number to assign it to
                                    bb.debug(1, "Adding group %s  gid (%s)!" % (uaargs.groupname, uaargs.groupid))
                                    uaargs.gid = uaargs.groupid
                                    uaargs.user_group = False
                                    groupadd = d.getVar("GROUPADD_PARAM_%s" % pkg, True)
                                    newgroup = "-g %s %s" % (uaargs.gid, uaargs.groupname)
                                    if groupadd:
                                        d.setVar("GROUPADD_PARAM_%s" % pkg, "%s ; %s" % (groupadd, newgroup))
                                    else:
                                        d.setVar("GROUPADD_PARAM_%s" % pkg, newgroup)

                            uaargs.comment = ["'%s'" % field[4], uaargs.comment][not field[4]]
                            uaargs.home_dir = [field[5], uaargs.home_dir][not field[5]]
                            uaargs.shell = [field[6], uaargs.shell][not field[6]]
                            break

            # Should be an error if a specific option is set...
            if d.getVar('USERADD_ERROR_DYNAMIC', True) == '1' and not ((uaargs.uid and uaargs.uid.isdigit()) and uaargs.gid):
                #bb.error("Skipping recipe %s, package %s which adds username %s does not have a static uid defined." % (d.getVar('PN', True),  pkg, uaargs.LOGIN))
                raise bb.build.FuncFailed("%s - %s: Username %s does not have a static uid defined." % (d.getVar('PN', True), pkg, uaargs.LOGIN))

            # Reconstruct the args...
            newparam  = ['', ' --defaults'][uaargs.defaults]
            newparam += ['', ' --base-dir %s' % uaargs.base_dir][uaargs.base_dir != None]
            newparam += ['', ' --comment %s' % uaargs.comment][uaargs.comment != None]
            newparam += ['', ' --home-dir %s' % uaargs.home_dir][uaargs.home_dir != None]
            newparam += ['', ' --expiredata %s' % uaargs.expiredate][uaargs.expiredate != None]
            newparam += ['', ' --inactive %s' % uaargs.inactive][uaargs.inactive != None]
            newparam += ['', ' --gid %s' % uaargs.gid][uaargs.gid != None]
            newparam += ['', ' --groups %s' % uaargs.groups][uaargs.groups != None]
            newparam += ['', ' --skel %s' % uaargs.skel][uaargs.skel != None]
            newparam += ['', ' --key %s' % uaargs.key][uaargs.key != None]
            newparam += ['', ' --no-log-init'][uaargs.no_log_init]
            newparam += ['', ' --create-home'][uaargs.create_home]
            newparam += ['', ' --no-create-home'][uaargs.no_create_home]
            newparam += ['', ' --no-user-group'][uaargs.no_user_group]
            newparam += ['', ' --non-unique'][uaargs.non_unique]
            newparam += ['', ' --password %s' % uaargs.password][uaargs.password != None]
            newparam += ['', ' --root %s' % uaargs.root][uaargs.root != None]
            newparam += ['', ' --system'][uaargs.system]
            newparam += ['', ' --shell %s' % uaargs.shell][uaargs.shell != None]
            newparam += ['', ' --uid %s' % uaargs.uid][uaargs.uid != None]
            newparam += ['', ' --user-group'][uaargs.user_group]
            newparam += ' %s' % uaargs.LOGIN

            newparams.append(newparam)

        return " ;".join(newparams).strip()

    # We parse and rewrite the groupadd components
    def rewrite_groupadd(params):
        # The following comes from --help on groupadd from shadow
        parser = myArgumentParser(prog='groupadd')
        parser.add_argument("-f", "--force", help="exit successfully if the group already exists, and cancel -g if the GID is already used", action="store_true")
        parser.add_argument("-g", "--gid", metavar="GID", help="use GID for the new group")
        parser.add_argument("-K", "--key", metavar="KEY=VALUE", help="override /etc/login.defs defaults")
        parser.add_argument("-o", "--non-unique", help="allow to create groups with duplicate (non-unique) GID", action="store_true")
        parser.add_argument("-p", "--password", metavar="PASSWORD", help="use this encrypted password for the new group")
        parser.add_argument("-R", "--root", metavar="CHROOT_DIR", help="directory to chroot into")
        parser.add_argument("-r", "--system", help="create a system account", action="store_true")
        parser.add_argument("GROUP", help="Group name of the new group")

        # Return a list of configuration files based on either the default
        # files/group or the contents of USERADD_GID_TABLES
        # paths are resulved via BBPATH
        def get_group_list(d):
            str = ""
            bbpath = d.getVar('BBPATH', True)
            group_tables = d.getVar('USERADD_GID_TABLES', True)
            if not group_tables:
                group_tables = 'files/group'
            for conf_file in group_tables.split():
                str += " %s" % bb.utils.which(bbpath, conf_file)
            return str

        newparams = []
        for param in re.split('''[ \t]*;[ \t]*(?=(?:[^'"]|'[^']*'|"[^"]*")*$)''', params):
            param = param.strip()
            if not param:
                continue
            try:
                # If we're processing multiple lines, we could have left over values here...
                gaargs = parser.parse_args(re.split('''[ \t]*(?=(?:[^'"]|'[^']*'|"[^"]*")*$)''', param))
            except:
                raise bb.build.FuncFailed("%s: Unable to parse arguments for GROUPADD_PARAM_%s: '%s'" % (d.getVar('PN', True), pkg, param))

            # Need to iterate over layers and open the right file(s)
            # Use the standard group layout:
            #  groupname:password:group_id:group_members
            #
            # If a field is left blank, the original value will be used. The 'groupname' field
            # is required.
            #
            # Note: similar to the passwd file, the 'password' filed is ignored
            # Note: group_members is ignored, group members must be configured with the GROUPMEMS_PARAM
            for conf in get_group_list(d).split()[::-1]:
                if os.path.exists(conf):
                    f = open(conf, "r")
                    for line in f:
                        if line.startswith('#'):
                            continue
                        field = line.rstrip().split(":")
                        if field[0] == gaargs.GROUP and field[2]:
                            if gaargs.gid and (gaargs.gid != field[2]):
                                bb.warn("%s: Changing groupname %s's gid from (%s) to (%s), verify configuration files!" % (d.getVar('PN', True), gaargs.GROUP, gaargs.gid, field[2]))
                            gaargs.gid = field[2]
                            break

            if d.getVar('USERADD_ERROR_DYNAMIC', True) == '1' and not (gaargs.gid and gaargs.gid.isdigit()):
                #bb.error("Skipping recipe %s, package %s which adds groupname %s does not have a static gid defined." % (d.getVar('PN', True),  pkg, gaargs.GROUP))
                raise bb.build.FuncFailed("%s - %s: Groupname %s does not have a static gid defined." % (d.getVar('PN', True), pkg, gaargs.GROUP))

            # Reconstruct the args...
            newparam  = ['', ' --force'][gaargs.force]
            newparam += ['', ' --gid %s' % gaargs.gid][gaargs.gid != None]
            newparam += ['', ' --key %s' % gaargs.key][gaargs.key != None]
            newparam += ['', ' --non-unique'][gaargs.non_unique]
            newparam += ['', ' --password %s' % gaargs.password][gaargs.password != None]
            newparam += ['', ' --root %s' % gaargs.root][gaargs.root != None]
            newparam += ['', ' --system'][gaargs.system]
            newparam += ' %s' % gaargs.GROUP

            newparams.append(newparam)

        return " ;".join(newparams).strip()

    # Load and process the users and groups, rewriting the adduser/addgroup params
    useradd_packages = d.getVar('USERADD_PACKAGES', True)

    for pkg in useradd_packages.split():
        # Groupmems doesn't have anything we might want to change, so simply validating
        # is a bit of a waste -- only process useradd/groupadd
        useradd_param = d.getVar('USERADD_PARAM_%s' % pkg, True)
        if useradd_param:
            #bb.warn("Before: 'USERADD_PARAM_%s' - '%s'" % (pkg, useradd_param))
            d.setVar('USERADD_PARAM_%s' % pkg, rewrite_useradd(useradd_param))
            #bb.warn("After:  'USERADD_PARAM_%s' - '%s'" % (pkg, d.getVar('USERADD_PARAM_%s' % pkg, True)))

        groupadd_param = d.getVar('GROUPADD_PARAM_%s' % pkg, True)
        if groupadd_param:
            #bb.warn("Before: 'GROUPADD_PARAM_%s' - '%s'" % (pkg, groupadd_param))
            d.setVar('GROUPADD_PARAM_%s' % pkg, rewrite_groupadd(groupadd_param))
            #bb.warn("After:  'GROUPADD_PARAM_%s' - '%s'" % (pkg, d.getVar('GROUPADD_PARAM_%s' % pkg, True)))



python __anonymous() {
    if not bb.data.inherits_class('nativesdk', d) \
        and not bb.data.inherits_class('native', d):
        try:
            update_useradd_static_config(d)
        except bb.build.FuncFailed as f:
            bb.debug(1, "Skipping recipe %s: %s" % (d.getVar('PN', True), f))
            raise bb.parse.SkipPackage(f)
}