From: Nicolas Carrier <Nicolas.Carrier@orolia.com>
To: Raphael Pavlidis <raphael.pavlidis@gmail.com>,
	"buildroot@buildroot.org" <buildroot@buildroot.org>
Cc: "Yann E . MORIN" <yann.morin.1998@free.fr>,
	Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [Buildroot] [PATCH v3 1/1] package/shadow: new package
Date: Mon, 5 Dec 2022 15:48:16 +0000
Message-ID: <AS4P251MB0612963F6AA6FEE7CE98A96084189@AS4P251MB0612.EURP251.PROD.OUTLOOK.COM>
In-Reply-To: <20221013163432.18545-1-raphael.pavlidis@gmail.com>

I tested it with a basic config (in fact, a draft unit test) and it compiles fine and the commands I tested worked fine.

Tested-by: Nicolas Carrier <nicolas.carrier@orolia.com>
Approved-by: Nicolas Carrier <nicolas.carrier@orolia.com>


Nicolas Carrier | Software Developer | nicolas.carrier@orolia.com


From: buildroot <buildroot-bounces@buildroot.org> on behalf of Raphael Pavlidis <raphael.pavlidis@gmail.com>
Sent: Thursday, 13 October 2022 18:34
To: buildroot@buildroot.org <buildroot@buildroot.org>
Cc: Raphael Pavlidis <raphael.pavlidis@gmail.com>; Yann E . MORIN <yann.morin.1998@free.fr>; Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: [Buildroot] [PATCH v3 1/1] package/shadow: new package
 
shadow provides utilities to deal with user accounts.

The shadow package includes the necessary programs for converting UNIX
password files to the shadow password format, plus programs for managing
user and group accounts. Especially it is useful if rootless podman
container should be used, which requires newuidmap and newgidmap.

Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
---
Changes v2 -> v3:
- remove nscd support
- remove sssd support
- remove group name max length parameter
- remove su build
- improve help text of subordinate-ids
- use a define instead of variable for SHADOW_ACCOUNT_TOOLS_SETUID
  SHADOW_SUBORDINATE_IDS_PERMISSIONS and

Changes v1 -> v2:
- DEVELOPERS: add Raphael Pavlidis for shadow

 DEVELOPERS                 |   3 +-
 package/Config.in          |   1 +
 package/shadow/Config.in   |  61 +++++++++++++++++
 package/shadow/shadow.hash |   3 +
 package/shadow/shadow.mk   | 133 +++++++++++++++++++++++++++++++++++++
 5 files changed, 200 insertions(+), 1 deletion(-)
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.hash
 create mode 100644 package/shadow/shadow.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 59121c6a54..0dad0ba0ba 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2474,7 +2474,8 @@ F:        support/testing/tests/package/test_python_jmespath.py
 F:     support/testing/tests/package/test_python_rsa.py
 F:     support/testing/tests/package/test_python_s3transfer.py

-N:     Raphael Pavlidis <raphael.pavlidis@googlemail.com>
+N:     Raphael Pavlidis <raphael.pavlidis@gmail.com>
+F:     package/shadow/
 F:     package/slirp4netns/

 N:     Refik Tuzakli <tuzakli.refik@gmail.com>
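Review bot: the N: line change from raphael.pavlidis@googlemail.com to raphael.pavlidis@gmail.com is not mentioned in the commit message, and it also changes the contact address for the existing package/slirp4netns/ entry. Either state the address update in the commit message or send it as its own patch, so that this one only adds the "F: package/shadow/" line.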
diff --git a/package/Config.in b/package/Config.in
index e3a34d6e97..d9ead48647 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2642,6 +2642,7 @@ menu "System tools"
        source "package/sdbus-cpp/Config.in"
        source "package/sdbusplus/Config.in"
        source "package/seatd/Config.in"
+       source "package/shadow/Config.in"
        source "package/smack/Config.in"
        source "package/start-stop-daemon/Config.in"
        source "package/supervisor/Config.in"
diff --git a/package/shadow/Config.in b/package/shadow/Config.in
new file mode 100644
index 0000000000..6b1fe0a61f
--- /dev/null
+++ b/package/shadow/Config.in
@@ -0,0 +1,61 @@
+menuconfig BR2_PACKAGE_SHADOW
+       bool "shadow"
+       depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_14
+       help
+         Utilities to deal with user accounts.
+
+         https://github.com/shadow-maint/shadow
+
+if BR2_PACKAGE_SHADOW
+
+config BR2_PACKAGE_SHADOW_SHADOWGRP
+       bool "shadowgrp"
+       help
+         Enable shadow group support.
+
+config BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID
+       bool "account-tools-setuid"
+       depends on BR2_USE_MMU  # linux-pam
+       depends on BR2_ENABLE_LOCALE  # linux-pam
+       depends on BR2_USE_WCHAR  # linux-pam
+       depends on !BR2_STATIC_LIBS  # linux-pam
+       select BR2_PACKAGE_LINUX_PAM
+       help
+         Install the user and group management tools (e.g. groupadd) with setuid and
+         authenticate the callers via PAM.
+
+comment "account-tools-setuid needs a toolchain w/ shared libs, wchar, locale"
+       depends on BR2_USE_MMU
+       depends on BR2_STATIC_LIBS || !BR2_USE_WCHAR || !BR2_ENABLE_LOCALE
+
+config BR2_PACKAGE_SHADOW_UTMPX
+       bool "utmpx"
+       help
+         Enable loggin in utmpx / wtmpx.
+
+config BR2_PACKAGE_SHADOW_SUBORDINATE_IDS
+       bool "subordinate-ids"
+       help
+         Support subordinate ids. Helpful to use container solution like podman
+         without root.
+
+config BR2_PACKAGE_SHADOW_SHA_CRYPT
+       bool "sha-crypt"
+       default y
+       help
+         Allow the SHA256 and SHA512 password encryption algorithms.
+
+config BR2_PACKAGE_SHADOW_BCRYPT
+       bool "bcrypt"
+       help
+         Allow the bcrypt password encryption algorithm.
+
+config BR2_PACKAGE_SHADOW_YESCRYPT
+       bool "yescrypt"
+       help
+         Allow the yescrypt password encryption algorithm.
+
+endif # BR2_PACKAGE_SHADOW
+
+comment "shadow needs a toolchain w/ headers >= 4.14"
+       depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_14
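Review bot: the help text of BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID should say plainly that enabling it installs the account management tools (useradd, usermod, groupadd and the rest) setuid root on the target, and that who may use them is then decided by the PAM configuration in the image; "with setuid" undersells that. In the same file, "Enable loggin in utmpx / wtmpx." should read "logging", the first line of the account-tools-setuid help is noticeably longer than the other help lines and should be re-wrapped, and the dependency on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_14 deserves a short comment naming what in shadow needs headers that recent.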
diff --git a/package/shadow/shadow.hash b/package/shadow/shadow.hash
new file mode 100644
index 0000000000..6b9faac10f
--- /dev/null
+++ b/package/shadow/shadow.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  41f093ce58b2ae5f389a1c5553e0c18bc73e6fe27f66273891991198a7707c95  shadow-4.11.1.tar.xz
+sha256  3d25ab8f43fdc14624296a56ff8dc3e72e499ad35f32ae0c803f4959cfe17c0a  COPYING
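Review bot: both entries sit under "# Locally computed", so nothing in this file ties shadow-4.11.1.tar.xz to what upstream actually released. If the release page offers a signature or a published checksum, verify the tarball against it and record that in the comment (with the signature URL) rather than only a local hash.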
diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
new file mode 100644
index 0000000000..261f28dd28
--- /dev/null
+++ b/package/shadow/shadow.mk
@@ -0,0 +1,133 @@
+################################################################################
+#
+# shadow
+#
+################################################################################
+
+SHADOW_VERSION = 4.11.1
+SHADOW_SITE = https://github.com/shadow-maint/shadow/releases/download/v$(SHADOW_VERSION)
+SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.xz
+SHADOW_LICENSE = BSD-3-Clause
+SHADOW_LICENSE_FILES = COPYING
+
+SHADOW_CONF_OPTS = \
+       --disable-man \
+    --without-btrfs \
+    --without-nscd \
+    --without-skey \
+    --without-sssd \
+    --without-su \
+    --without-tcb
+
+ifeq ($(BR2_PACKAGE_SHADOW_SHADOWGRP),y)
+SHADOW_CONF_OPTS += --enable-shadowgrp
+else
+SHADOW_CONF_OPTS += --disable-shadowgrp
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID),y)
+SHADOW_CONF_OPTS += --enable-account-tools-setuid
+define SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS
+       /usr/sbin/chgpasswd f 4755 0 0 - - - - -
+       /usr/sbin/chpasswd f 4755 0 0 - - - - -
+       /usr/sbin/groupadd f 4755 0 0 - - - - -
+       /usr/sbin/groupdel f 4755 0 0 - - - - -
+       /usr/sbin/groupmod f 4755 0 0 - - - - -
+       /usr/sbin/newusers f 4755 0 0 - - - - -
+       /usr/sbin/useradd f 4755 0 0 - - - - -
+       /usr/sbin/usermod f 4755 0 0 - - - - -
+endef
+else
+SHADOW_CONF_OPTS += --disable-account-tools-setuid
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_UTMPX),y)
+SHADOW_CONF_OPTS += --enable-utmpx
+else
+SHADOW_CONF_OPTS += --disable-utmpx
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_SUBORDINATE_IDS),y)
+SHADOW_CONF_OPTS += --enable-subordinate-ids
+define SHADOW_SUBORDINATE_IDS_PERMISSIONS
+       /usr/bin/newuidmap f 4755 0 0 - - - - -
+       /usr/bin/newgidmap f 4755 0 0 - - - - -
+endef
+else
+SHADOW_CONF_OPTS += --disable-subordinate-ids
+endif
+
+ifeq ($(BR2_PACKAGE_ACL),y)
+SHADOW_CONF_OPTS += --with-acl
+SHADOW_DEPENDENCIES += acl
+else
+SHADOW_CONF_OPTS += --without-acl
+endif
+
+ifeq ($(BR2_PACKAGE_ATTR),y)
+SHADOW_CONF_OPTS += --with-attr
+SHADOW_DEPENDENCIES += attr
+else
+SHADOW_CONF_OPTS += --without-attr
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+SHADOW_CONF_OPTS += --with-audit
+SHADOW_DEPENDENCIES += audit
+else
+SHADOW_CONF_OPTS += --without-audit
+endif
+
+ifeq ($(BR2_PACKAGE_CRACKLIB),y)
+SHADOW_CONF_OPTS += --with-libcrack
+SHADOW_DEPENDENCIES += cracklib
+else
+SHADOW_CONF_OPTS += --without-libcrack
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SHADOW_CONF_OPTS += --with-selinux
+SHADOW_DEPENDENCIES += libselinux libsemanage
+else
+SHADOW_CONF_OPTS += --without-selinux
+endif
+
+# linux-pam is also used without account-tools-setuid enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+SHADOW_CONF_OPTS += --with-libpam
+SHADOW_DEPENDENCIES += linux-pam
+else
+SHADOW_CONF_OPTS += --without-libpam
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_SHA_CRYPT),y)
+SHADOW_CONF_OPTS += --with-sha-crypt
+else
+SHADOW_CONF_OPTS += --without-sha-crypt
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_BCRYPT),y)
+SHADOW_CONF_OPTS += --with-bcrypt
+else
+SHADOW_CONF_OPTS += --without-bcrypt
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_YESCRYPT),y)
+SHADOW_CONF_OPTS += --with-yescrypt
+else
+SHADOW_CONF_OPTS += --without-yescrypt
+endif
+
+define SHADOW_PERMISSIONS
+       /usr/bin/chage f 4755 0 0 - - - - -
+       /usr/bin/chfn f 4755 0 0 - - - - -
+       /usr/bin/chsh f 4755 0 0 - - - - -
+       /usr/bin/expiry f 4755 0 0 - - - - -
+       /usr/bin/gpasswd f 4755 0 0 - - - - -
+       /usr/bin/newgrp f 4755 0 0 - - - - -
+       /usr/bin/passwd f 4755 0 0 - - - - -
+       $(SHADOW_ACCOUNT_TOOLS_SETUID)
+       $(SHADOW_SUBORDINATE_IDS_PERMISSIONS)
+endef
+
+$(eval $(autotools-package))
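Review bot: in SHADOW_PERMISSIONS, "$(SHADOW_ACCOUNT_TOOLS_SETUID)" expands to nothing, because the block above is defined as SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS; with account-tools-setuid enabled, the 4755 entries for chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd and usermod are never applied. Reference $(SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS) instead. Separately, the libselinux branch adds libsemanage to SHADOW_DEPENDENCIES although only BR2_PACKAGE_LIBSELINUX is tested and nothing in Config.in selects libsemanage, and the first SHADOW_CONF_OPTS continuation line ("--disable-man") is indented differently from the lines after it. The unconditional list also makes every tool setuid root, including chage and expiry; a comment stating why each entry needs mode 4755 would make that list reviewable.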
--
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
