[PATCH 0/4] Allow xuser to shutdown

[PATCH 0/4] Allow xuser to shutdown

[Laurentiu Palcu]

The following changes since commit 8a186a6b3853fc1a7dcf342d421c8926c38949c9:

  bitbake: hob: save button from settings called a nonexisting method (2013-07-03 08:13:35 +0100)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib lpalcu/b4345_shutdown_icon_rootless_x
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=lpalcu/b4345_shutdown_icon_rootless_x

Laurentiu Palcu (4):
  sysvinit: allow users in shutdown group to perform halt/reboot
  connman: make xuser a member of 'shutdown' group
  xserver-nodm-init: make xuser a member of 'shutdown' group
  shutdown-desktop: give entire path in Exec field

 meta/recipes-connectivity/connman/connman.inc      |    2 +-
 meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb     |   12 +++++++++---
 .../x11-common/xserver-nodm-init.bb                |    2 +-
 .../shutdown-desktop/shutdown-desktop.bb           |    2 +-
 .../shutdown-desktop/shutdown.desktop              |    4 ++--
 5 files changed, 14 insertions(+), 8 deletions(-)

-- 
1.7.9.5

[PATCH 1/4] sysvinit: allow users in shutdown group to perform halt/reboot

[Laurentiu Palcu]

For this to happen:
 * 'shutdown' group has been created;
 * changed ownership group for /sbin/halt and /sbin/shutdown to 'shutdown';
 * deny execution rights to other users except 'root' and those belonging
   to 'shutdown' group;
 * set setuid bit to both apps;

So, basically, in order for a normal user to be able to shutdown/reboot
the machine, it must be a member of 'shutdown' group.

Other changes:
 * fixed identetion for 2 lines that used spaces instead of tabs;

[YOCTO #4345]

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb b/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
index e64b67a..784d538 100644
--- a/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
+++ b/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
@@ -25,7 +25,7 @@ SRC_URI[sha256sum] = "60bbc8c1e1792056e23761d22960b30bb13eccc2cabff8c7310a01f4d5
 S = "${WORKDIR}/sysvinit-${PV}"
 B = "${S}/src"
 
-inherit update-alternatives
+inherit update-alternatives useradd
 DEPENDS_append = " update-rc.d-native"
 
 ALTERNATIVE_${PN} = "init mountpoint halt reboot runlevel shutdown poweroff last mesg utmpdump wall"
@@ -54,6 +54,9 @@ ALTERNATIVE_LINK_NAME[sulogin.8] = "${mandir}/man8/sulogin.8"
 ALTERNATIVE_LINK_NAME[utmpdump.1] = "${mandir}/man1/utmpdump.1"
 ALTERNATIVE_LINK_NAME[wall.1] = "${mandir}/man1/wall.1"
 
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system shutdown"
+
 PACKAGES =+ "sysvinit-pidof sysvinit-sulogin"
 FILES_${PN} += "${base_sbindir}/* ${base_bindir}/*"
 FILES_sysvinit-pidof = "${base_bindir}/pidof.sysvinit ${base_sbindir}/killall5"
@@ -87,6 +90,9 @@ do_install () {
 	install -m 0755    ${WORKDIR}/bootlogd.init     ${D}${sysconfdir}/init.d/bootlogd
 	ln -sf bootlogd ${D}${sysconfdir}/init.d/stop-bootlogd
 
-        update-rc.d -r ${D} bootlogd start 07 S .
-        update-rc.d -r ${D} stop-bootlogd start 99 2 3 4 5 .
+	update-rc.d -r ${D} bootlogd start 07 S .
+	update-rc.d -r ${D} stop-bootlogd start 99 2 3 4 5 .
+
+	chown root.shutdown ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
+	chmod o-x,u+s ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
 }
-- 
1.7.9.5

[PATCH 2/4] connman: make xuser a member of 'shutdown' group

[Laurentiu Palcu]

Additionaly, make it a member of 'input' group too. That's for aligning
the user creation with xserver-nodm-init.

[YOCTO #4345]

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 meta/recipes-connectivity/connman/connman.inc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index e6584ff..728787f 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -64,7 +64,7 @@ SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup"
 # USERADD_PARAM is in sync with the one in xserver-nodm-init.bb
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM_${PN} = "--create-home \
-                       --groups video,tty,audio \
+                       --groups video,tty,audio,input,shutdown \
                        --user-group xuser"
 
 inherit autotools gtk-doc pkgconfig systemd update-rc.d useradd
-- 
1.7.9.5

[PATCH 3/4] xserver-nodm-init: make xuser a member of 'shutdown' group

[Laurentiu Palcu]

[YOCTO #4345]

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 .../x11-common/xserver-nodm-init.bb                |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
index d2797a9..f4b622d 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init.bb
@@ -34,6 +34,6 @@ INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ."
 # USERADD_PARAM is in sync with the one in connman.inc
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM_${PN} = "--create-home \
-                       --groups video,tty,audio,input \
+                       --groups video,tty,audio,input,shutdown \
                        --user-group xuser"
 
-- 
1.7.9.5

[PATCH 4/4] shutdown-desktop: give entire path in Exec field

[Laurentiu Palcu]

A normal user does not have /sbin in its PATH, by default, so having the
entire path here allows the correct execution when run as regular user.

[YOCTO #4345]

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
---
 .../shutdown-desktop/shutdown-desktop.bb           |    2 +-
 .../shutdown-desktop/shutdown.desktop              |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-sato/shutdown-desktop/shutdown-desktop.bb b/meta/recipes-sato/shutdown-desktop/shutdown-desktop.bb
index c5096c1..8287813 100644
--- a/meta/recipes-sato/shutdown-desktop/shutdown-desktop.bb
+++ b/meta/recipes-sato/shutdown-desktop/shutdown-desktop.bb
@@ -16,7 +16,7 @@ do_install() {
 
 pkg_postinst_${PN} () {
     grep -q qemuarm $D${sysconfdir}/hostname && \
-        sed -i $D${datadir}/applications/shutdown.desktop -e 's/^Exec=halt/Exec=reboot/' \
+        sed -i $D${datadir}/applications/shutdown.desktop -e 's#^Exec=/sbin/halt#Exec=/sbin/reboot#' \
         || true
 }
 
diff --git a/meta/recipes-sato/shutdown-desktop/shutdown-desktop/shutdown.desktop b/meta/recipes-sato/shutdown-desktop/shutdown-desktop/shutdown.desktop
index 2726889..23bd0f7 100644
--- a/meta/recipes-sato/shutdown-desktop/shutdown-desktop/shutdown.desktop
+++ b/meta/recipes-sato/shutdown-desktop/shutdown-desktop/shutdown.desktop
@@ -3,8 +3,8 @@ Encoding=UTF-8
 Type=Application
 Name=Shutdown
 Comment=Close down the machine safely
-Exec=halt
+Exec=/sbin/halt
 Icon=system-shutdown
 Terminal=false
 Categories=Utility;
-StartupNotify=true
\ No newline at end of file
+StartupNotify=true
-- 
1.7.9.5

Re: [PATCH 0/4] Allow xuser to shutdown

[Laurentiu Palcu]

Saul spotted an issue with the 4/4 regarding the usage of /sbin directly
in the .desktop file and I'm going to send a v2 to address that.

Laurentiu

On 07/03/2013 05:34 PM, Laurentiu Palcu wrote:
> The following changes since commit 8a186a6b3853fc1a7dcf342d421c8926c38949c9:
> 
>   bitbake: hob: save button from settings called a nonexisting method (2013-07-03 08:13:35 +0100)
> 
> are available in the git repository at:
> 
>   git://git.yoctoproject.org/poky-contrib lpalcu/b4345_shutdown_icon_rootless_x
>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=lpalcu/b4345_shutdown_icon_rootless_x
> 
> Laurentiu Palcu (4):
>   sysvinit: allow users in shutdown group to perform halt/reboot
>   connman: make xuser a member of 'shutdown' group
>   xserver-nodm-init: make xuser a member of 'shutdown' group
>   shutdown-desktop: give entire path in Exec field
> 
>  meta/recipes-connectivity/connman/connman.inc      |    2 +-
>  meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb     |   12 +++++++++---
>  .../x11-common/xserver-nodm-init.bb                |    2 +-
>  .../shutdown-desktop/shutdown-desktop.bb           |    2 +-
>  .../shutdown-desktop/shutdown.desktop              |    4 ++--
>  5 files changed, 14 insertions(+), 8 deletions(-)
> 

Re: [PATCH 0/4] Allow xuser to shutdown

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 1778 bytes --]

On Wed, Jul 03, 2013 at 05:34:20PM +0300, Laurentiu Palcu wrote:
> The following changes since commit 8a186a6b3853fc1a7dcf342d421c8926c38949c9:
> 
>   bitbake: hob: save button from settings called a nonexisting method (2013-07-03 08:13:35 +0100)
> 
> are available in the git repository at:
> 
>   git://git.yoctoproject.org/poky-contrib lpalcu/b4345_shutdown_icon_rootless_x
>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=lpalcu/b4345_shutdown_icon_rootless_x
> 
> Laurentiu Palcu (4):
>   sysvinit: allow users in shutdown group to perform halt/reboot
>   connman: make xuser a member of 'shutdown' group
>   xserver-nodm-init: make xuser a member of 'shutdown' group
>   shutdown-desktop: give entire path in Exec field

Shouldn't we create separate recipe for xuser or any other default user
and add it to connman and xserver-nodm-init RDEPENDS?

I know there is some overhead from having one more package installed on
image, but it would be a bit easier if we later decide that xuser also
needs some file to be installed in his home or something like that.

>  meta/recipes-connectivity/connman/connman.inc      |    2 +-
>  meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb     |   12 +++++++++---
>  .../x11-common/xserver-nodm-init.bb                |    2 +-
>  .../shutdown-desktop/shutdown-desktop.bb           |    2 +-
>  .../shutdown-desktop/shutdown.desktop              |    4 ++--
>  5 files changed, 14 insertions(+), 8 deletions(-)
> 
> -- 
> 1.7.9.5
> 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 205 bytes --]

Re: [PATCH 0/4] Allow xuser to shutdown

[Laurentiu Palcu]

On 07/03/2013 07:19 PM, Martin Jansa wrote:
> On Wed, Jul 03, 2013 at 05:34:20PM +0300, Laurentiu Palcu wrote:
>> The following changes since commit 8a186a6b3853fc1a7dcf342d421c8926c38949c9:
>>
>>   bitbake: hob: save button from settings called a nonexisting method (2013-07-03 08:13:35 +0100)
>>
>> are available in the git repository at:
>>
>>   git://git.yoctoproject.org/poky-contrib lpalcu/b4345_shutdown_icon_rootless_x
>>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=lpalcu/b4345_shutdown_icon_rootless_x
>>
>> Laurentiu Palcu (4):
>>   sysvinit: allow users in shutdown group to perform halt/reboot
>>   connman: make xuser a member of 'shutdown' group
>>   xserver-nodm-init: make xuser a member of 'shutdown' group
>>   shutdown-desktop: give entire path in Exec field
> 
> Shouldn't we create separate recipe for xuser or any other default user
> and add it to connman and xserver-nodm-init RDEPENDS?
> 
> I know there is some overhead from having one more package installed on
> image, but it would be a bit easier if we later decide that xuser also
> needs some file to be installed in his home or something like that.
I can see one advantage of having a separate recipe for xuser: the user
creation would be done in one place and we souldn't have to change in
two places if we want to add the user to another group (for example).

It sounds a good change to me.

Laurentiu
> 
>>  meta/recipes-connectivity/connman/connman.inc      |    2 +-
>>  meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb     |   12 +++++++++---
>>  .../x11-common/xserver-nodm-init.bb                |    2 +-
>>  .../shutdown-desktop/shutdown-desktop.bb           |    2 +-
>>  .../shutdown-desktop/shutdown.desktop              |    4 ++--
>>  5 files changed, 14 insertions(+), 8 deletions(-)
>>
>> -- 
>> 1.7.9.5
>>
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
> 

Re: [PATCH 0/4] Allow xuser to shutdown

[Tomas Frydrych]

On 03/07/13 17:19, Martin Jansa wrote:
> Shouldn't we create separate recipe for xuser or any other default user
> and add it to connman and xserver-nodm-init RDEPENDS?
> 
> I know there is some overhead from having one more package installed on
> image, but it would be a bit easier if we later decide that xuser also
> needs some file to be installed in his home or something like that.

Yes, please; the current situation makes it rather awkward if you need
to tweak some of the xuser parameters in a distro specific way. But
perhaps it should be called something other than xuser?

Tomas

Re: [PATCH 0/4] Allow xuser to shutdown

[Burton, Ross]

On 4 July 2013 09:54, Tomas Frydrych <tf+lists.yocto@r-finger.com> wrote:
>> I know there is some overhead from having one more package installed on
>> image, but it would be a bit easier if we later decide that xuser also
>> needs some file to be installed in his home or something like that.
>
> Yes, please; the current situation makes it rather awkward if you need
> to tweak some of the xuser parameters in a distro specific way. But
> perhaps it should be called something other than xuser?

Wayland likes to have a non-root user start it up, so make that three
locations and another reason for it not being called "xuser".

Ross