1# 2# Copyright OpenEmbedded Contributors 3# 4# SPDX-License-Identifier: MIT 5# 6 7# In order to support a deterministic set of 'dynamic' users/groups, 8# we need a function to reformat the params based on a static file 9def update_useradd_static_config(d): 10 import itertools 11 import re 12 import errno 13 import oe.useradd 14 15 def list_extend(iterable, length, obj = None): 16 """Ensure that iterable is the specified length by extending with obj 17 and return it as a list""" 18 return list(itertools.islice(itertools.chain(iterable, itertools.repeat(obj)), length)) 19 20 def merge_files(file_list, exp_fields): 21 """Read each passwd/group file in file_list, split each line and create 22 a dictionary with the user/group names as keys and the split lines as 23 values. If the user/group name already exists in the dictionary, then 24 update any fields in the list with the values from the new list (if they 25 are set).""" 26 id_table = dict() 27 for conf in file_list.split(): 28 try: 29 with open(conf, "r") as f: 30 for line in f: 31 if line.startswith('#'): 32 continue 33 # Make sure there always are at least exp_fields 34 # elements in the field list. This allows for leaving 35 # out trailing colons in the files. 36 fields = list_extend(line.rstrip().split(":"), exp_fields) 37 if fields[0] not in id_table: 38 id_table[fields[0]] = fields 39 else: 40 id_table[fields[0]] = list(map(lambda x, y: x or y, fields, id_table[fields[0]])) 41 except IOError as e: 42 if e.errno == errno.ENOENT: 43 pass 44 45 return id_table 46 47 def handle_missing_id(id, type, pkg, files, var, value): 48 # For backwards compatibility we accept "1" in addition to "error" 49 error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC') 50 msg = 'Recipe %s, package %s: %sname "%s" does not have a static ID defined.' % (d.getVar('PN'), pkg, type, id) 51 if files: 52 msg += " Add %s to one of these files: %s" % (id, files) 53 else: 54 msg += " %s file(s) not found in BBPATH: %s" % (var, value) 55 if error_dynamic == 'error' or error_dynamic == '1': 56 raise NotImplementedError(msg) 57 elif error_dynamic == 'warn': 58 bb.warn(msg) 59 elif error_dynamic == 'skip': 60 raise bb.parse.SkipRecipe(msg) 61 62 # Return a list of configuration files based on either the default 63 # files/group or the contents of USERADD_GID_TABLES, resp. 64 # files/passwd for USERADD_UID_TABLES. 65 # Paths are resolved via BBPATH. 66 def get_table_list(d, var, default): 67 files = [] 68 bbpath = d.getVar('BBPATH') 69 tables = d.getVar(var) 70 if not tables: 71 tables = default 72 for conf_file in tables.split(): 73 files.append(bb.utils.which(bbpath, conf_file)) 74 return (' '.join(files), var, default) 75 76 # We parse and rewrite the useradd components 77 def rewrite_useradd(params, is_pkg): 78 parser = oe.useradd.build_useradd_parser() 79 80 newparams = [] 81 users = None 82 for param in oe.useradd.split_commands(params): 83 try: 84 uaargs = parser.parse_args(oe.useradd.split_args(param)) 85 except Exception as e: 86 bb.fatal("%s: Unable to parse arguments for USERADD_PARAM:%s '%s': %s" % (d.getVar('PN'), pkg, param, e)) 87 88 # Read all passwd files specified in USERADD_UID_TABLES or files/passwd 89 # Use the standard passwd layout: 90 # username:password:user_id:group_id:comment:home_directory:login_shell 91 # 92 # If a field is left blank, the original value will be used. The 'username' 93 # field is required. 94 # 95 # Note: we ignore the password field, as including even the hashed password 96 # in the useradd command may introduce a security hole. It's assumed that 97 # all new users get the default ('*' which prevents login) until the user is 98 # specifically configured by the system admin. 99 if not users: 100 files, table_var, table_value = get_table_list(d, 'USERADD_UID_TABLES', 'files/passwd') 101 users = merge_files(files, 7) 102 103 type = 'system user' if uaargs.system else 'normal user' 104 if uaargs.LOGIN not in users: 105 handle_missing_id(uaargs.LOGIN, type, pkg, files, table_var, table_value) 106 newparams.append(param) 107 continue 108 109 field = users[uaargs.LOGIN] 110 111 if uaargs.uid and field[2] and (uaargs.uid != field[2]): 112 bb.warn("%s: Changing username %s's uid from (%s) to (%s), verify configuration files!" % (d.getVar('PN'), uaargs.LOGIN, uaargs.uid, field[2])) 113 uaargs.uid = field[2] or uaargs.uid 114 115 # Determine the possible groupname 116 # Unless the group name (or gid) is specified, we assume that the LOGIN is the groupname 117 # 118 # By default the system has creation of the matching groups enabled 119 # So if the implicit username-group creation is on, then the implicit groupname (LOGIN) 120 # is used, and we disable the user_group option. 121 # 122 if uaargs.gid: 123 uaargs.groupname = uaargs.gid 124 elif uaargs.user_group is not False: 125 uaargs.groupname = uaargs.LOGIN 126 else: 127 uaargs.groupname = 'users' 128 uaargs.groupid = field[3] or uaargs.groupname 129 130 if uaargs.groupid and uaargs.gid != uaargs.groupid: 131 newgroup = None 132 if not uaargs.groupid.isdigit(): 133 # We don't have a group number, so we have to add a name 134 bb.debug(1, "Adding group %s!" % uaargs.groupid) 135 newgroup = "%s %s" % (' --system' if uaargs.system else '', uaargs.groupid) 136 elif uaargs.groupname and not uaargs.groupname.isdigit(): 137 # We have a group name and a group number to assign it to 138 bb.debug(1, "Adding group %s (gid %s)!" % (uaargs.groupname, uaargs.groupid)) 139 newgroup = "-g %s %s" % (uaargs.groupid, uaargs.groupname) 140 else: 141 # We want to add a group, but we don't know it's name... so we can't add the group... 142 # We have to assume the group has previously been added or we'll fail on the adduser... 143 # Note: specifying the actual gid is very rare in OE, usually the group name is specified. 144 bb.warn("%s: Changing gid for login %s to %s, verify configuration files!" % (d.getVar('PN'), uaargs.LOGIN, uaargs.groupid)) 145 146 uaargs.gid = uaargs.groupid 147 uaargs.user_group = None 148 if newgroup and is_pkg: 149 groupadd = d.getVar("GROUPADD_PARAM:%s" % pkg) 150 if groupadd: 151 # Only add the group if not already specified 152 if not uaargs.groupname in groupadd: 153 d.setVar("GROUPADD_PARAM:%s" % pkg, "%s; %s" % (groupadd, newgroup)) 154 else: 155 d.setVar("GROUPADD_PARAM:%s" % pkg, newgroup) 156 157 uaargs.comment = "'%s'" % field[4] if field[4] else uaargs.comment 158 uaargs.home_dir = field[5] or uaargs.home_dir 159 uaargs.shell = field[6] or uaargs.shell 160 161 # Should be an error if a specific option is set... 162 if not uaargs.uid or not uaargs.uid.isdigit() or not uaargs.gid: 163 handle_missing_id(uaargs.LOGIN, type, pkg, files, table_var, table_value) 164 165 # Reconstruct the args... 166 newparam = ['', ' --defaults'][uaargs.defaults] 167 newparam += ['', ' --base-dir %s' % uaargs.base_dir][uaargs.base_dir != None] 168 newparam += ['', ' --comment %s' % uaargs.comment][uaargs.comment != None] 169 newparam += ['', ' --home-dir %s' % uaargs.home_dir][uaargs.home_dir != None] 170 newparam += ['', ' --expiredate %s' % uaargs.expiredate][uaargs.expiredate != None] 171 newparam += ['', ' --inactive %s' % uaargs.inactive][uaargs.inactive != None] 172 newparam += ['', ' --gid %s' % uaargs.gid][uaargs.gid != None] 173 newparam += ['', ' --groups %s' % uaargs.groups][uaargs.groups != None] 174 newparam += ['', ' --skel %s' % uaargs.skel][uaargs.skel != None] 175 newparam += ['', ' --key %s' % uaargs.key][uaargs.key != None] 176 newparam += ['', ' --no-log-init'][uaargs.no_log_init] 177 newparam += ['', ' --create-home'][uaargs.create_home is True] 178 newparam += ['', ' --no-create-home'][uaargs.create_home is False] 179 newparam += ['', ' --no-user-group'][uaargs.user_group is False] 180 newparam += ['', ' --non-unique'][uaargs.non_unique] 181 if uaargs.password != None: 182 newparam += ['', ' --password %s' % uaargs.password][uaargs.password != None] 183 newparam += ['', ' --root %s' % uaargs.root][uaargs.root != None] 184 newparam += ['', ' --system'][uaargs.system] 185 newparam += ['', ' --shell %s' % uaargs.shell][uaargs.shell != None] 186 newparam += ['', ' --uid %s' % uaargs.uid][uaargs.uid != None] 187 newparam += ['', ' --user-group'][uaargs.user_group is True] 188 newparam += ' %s' % uaargs.LOGIN 189 190 newparams.append(newparam) 191 192 return ";".join(newparams).strip() 193 194 # We parse and rewrite the groupadd components 195 def rewrite_groupadd(params, is_pkg): 196 parser = oe.useradd.build_groupadd_parser() 197 198 newparams = [] 199 groups = None 200 for param in oe.useradd.split_commands(params): 201 try: 202 # If we're processing multiple lines, we could have left over values here... 203 gaargs = parser.parse_args(oe.useradd.split_args(param)) 204 except Exception as e: 205 bb.fatal("%s: Unable to parse arguments for GROUPADD_PARAM:%s '%s': %s" % (d.getVar('PN'), pkg, param, e)) 206 207 # Read all group files specified in USERADD_GID_TABLES or files/group 208 # Use the standard group layout: 209 # groupname:password:group_id:group_members 210 # 211 # If a field is left blank, the original value will be used. The 'groupname' field 212 # is required. 213 # 214 # Note: similar to the passwd file, the 'password' filed is ignored 215 # Note: group_members is ignored, group members must be configured with the GROUPMEMS_PARAM 216 if not groups: 217 files, table_var, table_value = get_table_list(d, 'USERADD_GID_TABLES', 'files/group') 218 groups = merge_files(files, 4) 219 220 type = 'system group' if gaargs.system else 'normal group' 221 if gaargs.GROUP not in groups: 222 handle_missing_id(gaargs.GROUP, type, pkg, files, table_var, table_value) 223 newparams.append(param) 224 continue 225 226 field = groups[gaargs.GROUP] 227 228 if field[2]: 229 if gaargs.gid and (gaargs.gid != field[2]): 230 bb.warn("%s: Changing groupname %s's gid from (%s) to (%s), verify configuration files!" % (d.getVar('PN'), gaargs.GROUP, gaargs.gid, field[2])) 231 gaargs.gid = field[2] 232 233 if not gaargs.gid or not gaargs.gid.isdigit(): 234 handle_missing_id(gaargs.GROUP, type, pkg, files, table_var, table_value) 235 236 # Reconstruct the args... 237 newparam = ['', ' --force'][gaargs.force] 238 newparam += ['', ' --gid %s' % gaargs.gid][gaargs.gid != None] 239 newparam += ['', ' --key %s' % gaargs.key][gaargs.key != None] 240 newparam += ['', ' --non-unique'][gaargs.non_unique] 241 if gaargs.password != None: 242 newparam += ['', ' --password %s' % gaargs.password][gaargs.password != None] 243 newparam += ['', ' --root %s' % gaargs.root][gaargs.root != None] 244 newparam += ['', ' --system'][gaargs.system] 245 newparam += ' %s' % gaargs.GROUP 246 247 newparams.append(newparam) 248 249 return ";".join(newparams).strip() 250 251 # The parsing of the current recipe depends on the content of 252 # the files listed in USERADD_UID/GID_TABLES. We need to tell bitbake 253 # about that explicitly to trigger re-parsing and thus re-execution of 254 # this code when the files change. 255 bbpath = d.getVar('BBPATH') 256 for varname, default in (('USERADD_UID_TABLES', 'files/passwd'), 257 ('USERADD_GID_TABLES', 'files/group')): 258 tables = d.getVar(varname) 259 if not tables: 260 tables = default 261 for conf_file in tables.split(): 262 bb.parse.mark_dependency(d, bb.utils.which(bbpath, conf_file)) 263 264 # Load and process the users and groups, rewriting the adduser/addgroup params 265 useradd_packages = d.getVar('USERADD_PACKAGES') or "" 266 267 for pkg in useradd_packages.split(): 268 # Groupmems doesn't have anything we might want to change, so simply validating 269 # is a bit of a waste -- only process useradd/groupadd 270 useradd_param = d.getVar('USERADD_PARAM:%s' % pkg) 271 if useradd_param: 272 #bb.warn("Before: 'USERADD_PARAM:%s' - '%s'" % (pkg, useradd_param)) 273 d.setVar('USERADD_PARAM:%s' % pkg, rewrite_useradd(useradd_param, True)) 274 #bb.warn("After: 'USERADD_PARAM:%s' - '%s'" % (pkg, d.getVar('USERADD_PARAM:%s' % pkg))) 275 276 groupadd_param = d.getVar('GROUPADD_PARAM:%s' % pkg) 277 if groupadd_param: 278 #bb.warn("Before: 'GROUPADD_PARAM:%s' - '%s'" % (pkg, groupadd_param)) 279 d.setVar('GROUPADD_PARAM:%s' % pkg, rewrite_groupadd(groupadd_param, True)) 280 #bb.warn("After: 'GROUPADD_PARAM:%s' - '%s'" % (pkg, d.getVar('GROUPADD_PARAM:%s' % pkg))) 281 282 # Load and process extra users and groups, rewriting only adduser/addgroup params 283 pkg = d.getVar('PN') 284 extrausers = d.getVar('EXTRA_USERS_PARAMS') or "" 285 286 #bb.warn("Before: 'EXTRA_USERS_PARAMS' - '%s'" % (d.getVar('EXTRA_USERS_PARAMS'))) 287 new_extrausers = [] 288 for cmd in oe.useradd.split_commands(extrausers): 289 if re.match('''useradd (.*)''', cmd): 290 useradd_param = re.match('''useradd (.*)''', cmd).group(1) 291 useradd_param = rewrite_useradd(useradd_param, False) 292 cmd = 'useradd %s' % useradd_param 293 elif re.match('''groupadd (.*)''', cmd): 294 groupadd_param = re.match('''groupadd (.*)''', cmd).group(1) 295 groupadd_param = rewrite_groupadd(groupadd_param, False) 296 cmd = 'groupadd %s' % groupadd_param 297 298 new_extrausers.append(cmd) 299 300 new_extrausers.append('') 301 d.setVar('EXTRA_USERS_PARAMS', ';'.join(new_extrausers)) 302 #bb.warn("After: 'EXTRA_USERS_PARAMS' - '%s'" % (d.getVar('EXTRA_USERS_PARAMS'))) 303 304 305python __anonymous() { 306 if not bb.data.inherits_class('nativesdk', d) \ 307 and not bb.data.inherits_class('native', d): 308 try: 309 update_useradd_static_config(d) 310 except NotImplementedError as f: 311 bb.debug(1, "Skipping recipe %s: %s" % (d.getVar('PN'), f)) 312 raise bb.parse.SkipRecipe(f) 313} 314