1#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: MIT
5#
6
7# In order to support a deterministic set of 'dynamic' users/groups,
8# we need a function to reformat the params based on a static file
9def update_useradd_static_config(d):
10    import itertools
11    import re
12    import errno
13    import oe.useradd
14
15    def list_extend(iterable, length, obj = None):
16        """Ensure that iterable is the specified length by extending with obj
17        and return it as a list"""
18        return list(itertools.islice(itertools.chain(iterable, itertools.repeat(obj)), length))
19
20    def merge_files(file_list, exp_fields):
21        """Read each passwd/group file in file_list, split each line and create
22        a dictionary with the user/group names as keys and the split lines as
23        values. If the user/group name already exists in the dictionary, then
24        update any fields in the list with the values from the new list (if they
25        are set)."""
26        id_table = dict()
27        for conf in file_list.split():
28            try:
29                with open(conf, "r") as f:
30                    for line in f:
31                        if line.startswith('#'):
32                            continue
33                        # Make sure there always are at least exp_fields
34                        # elements in the field list. This allows for leaving
35                        # out trailing colons in the files.
36                        fields = list_extend(line.rstrip().split(":"), exp_fields)
37                        if fields[0] not in id_table:
38                            id_table[fields[0]] = fields
39                        else:
40                            id_table[fields[0]] = list(map(lambda x, y: x or y, fields, id_table[fields[0]]))
41            except IOError as e:
42                if e.errno == errno.ENOENT:
43                    pass
44
45        return id_table
46
47    def handle_missing_id(id, type, pkg, files, var, value):
48        # For backwards compatibility we accept "1" in addition to "error"
49        error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC')
50        msg = 'Recipe %s, package %s: %sname "%s" does not have a static ID defined.' % (d.getVar('PN'), pkg, type, id)
51        if files:
52            msg += " Add %s to one of these files: %s" % (id, files)
53        else:
54            msg += " %s file(s) not found in BBPATH: %s" % (var, value)
55        if error_dynamic == 'error' or error_dynamic == '1':
56            raise NotImplementedError(msg)
57        elif error_dynamic == 'warn':
58            bb.warn(msg)
59        elif error_dynamic == 'skip':
60            raise bb.parse.SkipRecipe(msg)
61
62    # Return a list of configuration files based on either the default
63    # files/group or the contents of USERADD_GID_TABLES, resp.
64    # files/passwd for USERADD_UID_TABLES.
65    # Paths are resolved via BBPATH.
66    def get_table_list(d, var, default):
67        files = []
68        bbpath = d.getVar('BBPATH')
69        tables = d.getVar(var)
70        if not tables:
71            tables = default
72        for conf_file in tables.split():
73            files.append(bb.utils.which(bbpath, conf_file))
74        return (' '.join(files), var, default)
75
76    # We parse and rewrite the useradd components
77    def rewrite_useradd(params, is_pkg):
78        parser = oe.useradd.build_useradd_parser()
79
80        newparams = []
81        users = None
82        for param in oe.useradd.split_commands(params):
83            try:
84                uaargs = parser.parse_args(oe.useradd.split_args(param))
85            except Exception as e:
86                bb.fatal("%s: Unable to parse arguments for USERADD_PARAM:%s '%s': %s" % (d.getVar('PN'), pkg, param, e))
87
88            # Read all passwd files specified in USERADD_UID_TABLES or files/passwd
89            # Use the standard passwd layout:
90            #  username:password:user_id:group_id:comment:home_directory:login_shell
91            #
92            # If a field is left blank, the original value will be used.  The 'username'
93            # field is required.
94            #
95            # Note: we ignore the password field, as including even the hashed password
96            # in the useradd command may introduce a security hole.  It's assumed that
97            # all new users get the default ('*' which prevents login) until the user is
98            # specifically configured by the system admin.
99            if not users:
100                files, table_var, table_value = get_table_list(d, 'USERADD_UID_TABLES', 'files/passwd')
101                users = merge_files(files, 7)
102
103            type = 'system user' if uaargs.system else 'normal user'
104            if uaargs.LOGIN not in users:
105                handle_missing_id(uaargs.LOGIN, type, pkg, files, table_var, table_value)
106                newparams.append(param)
107                continue
108
109            field = users[uaargs.LOGIN]
110
111            if uaargs.uid and field[2] and (uaargs.uid != field[2]):
112                bb.warn("%s: Changing username %s's uid from (%s) to (%s), verify configuration files!" % (d.getVar('PN'), uaargs.LOGIN, uaargs.uid, field[2]))
113            uaargs.uid = field[2] or uaargs.uid
114
115            # Determine the possible groupname
116            # Unless the group name (or gid) is specified, we assume that the LOGIN is the groupname
117            #
118            # By default the system has creation of the matching groups enabled
119            # So if the implicit username-group creation is on, then the implicit groupname (LOGIN)
120            # is used, and we disable the user_group option.
121            #
122            if uaargs.gid:
123                uaargs.groupname = uaargs.gid
124            elif uaargs.user_group is not False:
125                uaargs.groupname = uaargs.LOGIN
126            else:
127                uaargs.groupname = 'users'
128            uaargs.groupid = field[3] or uaargs.groupname
129
130            if uaargs.groupid and uaargs.gid != uaargs.groupid:
131                newgroup = None
132                if not uaargs.groupid.isdigit():
133                    # We don't have a group number, so we have to add a name
134                    bb.debug(1, "Adding group %s!" % uaargs.groupid)
135                    newgroup = "%s %s" % (' --system' if uaargs.system else '', uaargs.groupid)
136                elif uaargs.groupname and not uaargs.groupname.isdigit():
137                    # We have a group name and a group number to assign it to
138                    bb.debug(1, "Adding group %s (gid %s)!" % (uaargs.groupname, uaargs.groupid))
139                    newgroup = "-g %s %s" % (uaargs.groupid, uaargs.groupname)
140                else:
141                    # We want to add a group, but we don't know it's name... so we can't add the group...
142                    # We have to assume the group has previously been added or we'll fail on the adduser...
143                    # Note: specifying the actual gid is very rare in OE, usually the group name is specified.
144                    bb.warn("%s: Changing gid for login %s to %s, verify configuration files!" % (d.getVar('PN'), uaargs.LOGIN, uaargs.groupid))
145
146                uaargs.gid = uaargs.groupid
147                uaargs.user_group = None
148                if newgroup and is_pkg:
149                    groupadd = d.getVar("GROUPADD_PARAM:%s" % pkg)
150                    if groupadd:
151                        # Only add the group if not already specified
152                        if not uaargs.groupname in groupadd:
153                            d.setVar("GROUPADD_PARAM:%s" % pkg, "%s; %s" % (groupadd, newgroup))
154                    else:
155                        d.setVar("GROUPADD_PARAM:%s" % pkg, newgroup)
156
157            uaargs.comment = "'%s'" % field[4] if field[4] else uaargs.comment
158            uaargs.home_dir = field[5] or uaargs.home_dir
159            uaargs.shell = field[6] or uaargs.shell
160
161            # Should be an error if a specific option is set...
162            if not uaargs.uid or not uaargs.uid.isdigit() or not uaargs.gid:
163                 handle_missing_id(uaargs.LOGIN, type, pkg, files, table_var, table_value)
164
165            # Reconstruct the args...
166            newparam  = ['', ' --defaults'][uaargs.defaults]
167            newparam += ['', ' --base-dir %s' % uaargs.base_dir][uaargs.base_dir != None]
168            newparam += ['', ' --comment %s' % uaargs.comment][uaargs.comment != None]
169            newparam += ['', ' --home-dir %s' % uaargs.home_dir][uaargs.home_dir != None]
170            newparam += ['', ' --expiredate %s' % uaargs.expiredate][uaargs.expiredate != None]
171            newparam += ['', ' --inactive %s' % uaargs.inactive][uaargs.inactive != None]
172            newparam += ['', ' --gid %s' % uaargs.gid][uaargs.gid != None]
173            newparam += ['', ' --groups %s' % uaargs.groups][uaargs.groups != None]
174            newparam += ['', ' --skel %s' % uaargs.skel][uaargs.skel != None]
175            newparam += ['', ' --key %s' % uaargs.key][uaargs.key != None]
176            newparam += ['', ' --no-log-init'][uaargs.no_log_init]
177            newparam += ['', ' --create-home'][uaargs.create_home is True]
178            newparam += ['', ' --no-create-home'][uaargs.create_home is False]
179            newparam += ['', ' --no-user-group'][uaargs.user_group is False]
180            newparam += ['', ' --non-unique'][uaargs.non_unique]
181            if uaargs.password != None:
182                newparam += ['', ' --password %s' % uaargs.password][uaargs.password != None]
183            newparam += ['', ' --root %s' % uaargs.root][uaargs.root != None]
184            newparam += ['', ' --system'][uaargs.system]
185            newparam += ['', ' --shell %s' % uaargs.shell][uaargs.shell != None]
186            newparam += ['', ' --uid %s' % uaargs.uid][uaargs.uid != None]
187            newparam += ['', ' --user-group'][uaargs.user_group is True]
188            newparam += ' %s' % uaargs.LOGIN
189
190            newparams.append(newparam)
191
192        return ";".join(newparams).strip()
193
194    # We parse and rewrite the groupadd components
195    def rewrite_groupadd(params, is_pkg):
196        parser = oe.useradd.build_groupadd_parser()
197
198        newparams = []
199        groups = None
200        for param in oe.useradd.split_commands(params):
201            try:
202                # If we're processing multiple lines, we could have left over values here...
203                gaargs = parser.parse_args(oe.useradd.split_args(param))
204            except Exception as e:
205                bb.fatal("%s: Unable to parse arguments for GROUPADD_PARAM:%s '%s': %s" % (d.getVar('PN'), pkg, param, e))
206
207            # Read all group files specified in USERADD_GID_TABLES or files/group
208            # Use the standard group layout:
209            #  groupname:password:group_id:group_members
210            #
211            # If a field is left blank, the original value will be used. The 'groupname' field
212            # is required.
213            #
214            # Note: similar to the passwd file, the 'password' filed is ignored
215            # Note: group_members is ignored, group members must be configured with the GROUPMEMS_PARAM
216            if not groups:
217                files, table_var, table_value = get_table_list(d, 'USERADD_GID_TABLES', 'files/group')
218                groups = merge_files(files, 4)
219
220            type = 'system group' if gaargs.system else 'normal group'
221            if gaargs.GROUP not in groups:
222                handle_missing_id(gaargs.GROUP, type, pkg, files, table_var, table_value)
223                newparams.append(param)
224                continue
225
226            field = groups[gaargs.GROUP]
227
228            if field[2]:
229                if gaargs.gid and (gaargs.gid != field[2]):
230                    bb.warn("%s: Changing groupname %s's gid from (%s) to (%s), verify configuration files!" % (d.getVar('PN'), gaargs.GROUP, gaargs.gid, field[2]))
231                gaargs.gid = field[2]
232
233            if not gaargs.gid or not gaargs.gid.isdigit():
234                handle_missing_id(gaargs.GROUP, type, pkg, files, table_var, table_value)
235
236            # Reconstruct the args...
237            newparam  = ['', ' --force'][gaargs.force]
238            newparam += ['', ' --gid %s' % gaargs.gid][gaargs.gid != None]
239            newparam += ['', ' --key %s' % gaargs.key][gaargs.key != None]
240            newparam += ['', ' --non-unique'][gaargs.non_unique]
241            if gaargs.password != None:
242                newparam += ['', ' --password %s' % gaargs.password][gaargs.password != None]
243            newparam += ['', ' --root %s' % gaargs.root][gaargs.root != None]
244            newparam += ['', ' --system'][gaargs.system]
245            newparam += ' %s' % gaargs.GROUP
246
247            newparams.append(newparam)
248
249        return ";".join(newparams).strip()
250
251    # The parsing of the current recipe depends on the content of
252    # the files listed in USERADD_UID/GID_TABLES. We need to tell bitbake
253    # about that explicitly to trigger re-parsing and thus re-execution of
254    # this code when the files change.
255    bbpath = d.getVar('BBPATH')
256    for varname, default in (('USERADD_UID_TABLES', 'files/passwd'),
257                             ('USERADD_GID_TABLES', 'files/group')):
258        tables = d.getVar(varname)
259        if not tables:
260            tables = default
261        for conf_file in tables.split():
262            bb.parse.mark_dependency(d, bb.utils.which(bbpath, conf_file))
263
264    # Load and process the users and groups, rewriting the adduser/addgroup params
265    useradd_packages = d.getVar('USERADD_PACKAGES') or ""
266
267    for pkg in useradd_packages.split():
268        # Groupmems doesn't have anything we might want to change, so simply validating
269        # is a bit of a waste -- only process useradd/groupadd
270        useradd_param = d.getVar('USERADD_PARAM:%s' % pkg)
271        if useradd_param:
272            #bb.warn("Before: 'USERADD_PARAM:%s' - '%s'" % (pkg, useradd_param))
273            d.setVar('USERADD_PARAM:%s' % pkg, rewrite_useradd(useradd_param, True))
274            #bb.warn("After:  'USERADD_PARAM:%s' - '%s'" % (pkg, d.getVar('USERADD_PARAM:%s' % pkg)))
275
276        groupadd_param = d.getVar('GROUPADD_PARAM:%s' % pkg)
277        if groupadd_param:
278            #bb.warn("Before: 'GROUPADD_PARAM:%s' - '%s'" % (pkg, groupadd_param))
279            d.setVar('GROUPADD_PARAM:%s' % pkg, rewrite_groupadd(groupadd_param, True))
280            #bb.warn("After:  'GROUPADD_PARAM:%s' - '%s'" % (pkg, d.getVar('GROUPADD_PARAM:%s' % pkg)))
281
282    # Load and process extra users and groups, rewriting only adduser/addgroup params
283    pkg = d.getVar('PN')
284    extrausers = d.getVar('EXTRA_USERS_PARAMS') or ""
285
286    #bb.warn("Before:  'EXTRA_USERS_PARAMS' - '%s'" % (d.getVar('EXTRA_USERS_PARAMS')))
287    new_extrausers = []
288    for cmd in oe.useradd.split_commands(extrausers):
289        if re.match('''useradd (.*)''', cmd):
290            useradd_param = re.match('''useradd (.*)''', cmd).group(1)
291            useradd_param = rewrite_useradd(useradd_param, False)
292            cmd = 'useradd %s' % useradd_param
293        elif re.match('''groupadd (.*)''', cmd):
294            groupadd_param = re.match('''groupadd (.*)''', cmd).group(1)
295            groupadd_param = rewrite_groupadd(groupadd_param, False)
296            cmd = 'groupadd %s' % groupadd_param
297
298        new_extrausers.append(cmd)
299
300    new_extrausers.append('')
301    d.setVar('EXTRA_USERS_PARAMS', ';'.join(new_extrausers))
302    #bb.warn("After:  'EXTRA_USERS_PARAMS' - '%s'" % (d.getVar('EXTRA_USERS_PARAMS')))
303
304
305python __anonymous() {
306    if not bb.data.inherits_class('nativesdk', d) \
307        and not bb.data.inherits_class('native', d):
308        try:
309            update_useradd_static_config(d)
310        except NotImplementedError as f:
311            bb.debug(1, "Skipping recipe %s: %s" % (d.getVar('PN'), f))
312            raise bb.parse.SkipRecipe(f)
313}
314