[oe] [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir
Joe MacDonald
joe at deserted.net
Wed Dec 4 13:56:59 UTC 2013
On 13.12.02 (Mon 17:20) Rongqing Li wrote:
> Drop it, test shows it does not work since /bin/false is not valid
> shell, even if set RequireValidShell to off
Hmm, so, there's something else at play here, given:
------------------------------------------------------------------------
commit b613318e14a0038b4fc6d5a7378b1affb64fd471
Author: Robert Yang <liezhi.yang at windriver.com>
Date: Wed Nov 13 05:24:24 2013 +0800
quagga: use /bin/false as the login shell
Use /bin/false as the login shell, just like what Ubuntu does,
otherwise there might be secure issue.
Signed-off-by: Robert Yang <liezhi.yang at windriver.com>
Signed-off-by: Joe MacDonald <joe at deserted.net>
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index 2106c9b..677b1c5 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -148,7 +148,7 @@ INITSCRIPT_PARAMS_${PN}-watchquagga = "defaults 90 10"
# Add quagga's user and group
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system quagga ; --system quaggavty"
-USERADD_PARAM_${PN} = "--system --home ${localstatedir}/run/quagga/ -M -g quagga quagga"
+USERADD_PARAM_${PN} = "--system --home ${localstatedir}/run/quagga/ -M -g quagga --shell /bin/false quagga"
pkg_postinst_${PN} () {
if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then
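Review bot: The added "--shell /bin/false" in USERADD_PARAM_${PN} hardcodes the shell path, while the same line already uses ${localstatedir} for the home directory; writing it as ${base_bindir}/false would keep the recipe consistent on a non-default filesystem layout. The commit message gives the reason only as "might be secure issue"; since the account is created with --system and -M, it would be worth stating that it never needs an interactive login, so the intent is recorded with the change.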
------------------------------------------------------------------------
Is it that proftpd actually needs to spawn a shell somewhere or that
/bin/false simply isn't listed as a valid shell? (If the latter,
something should've shown up with the quagga commit, shouldn't it?)
Can you guys sync and get back to me on this?
Thanks,
-J.
>
> On 12/02/2013 12:44 PM, rongqing.li at windriver.com wrote:
> >From: Roy Li <rongqing.li at windriver.com>
> >
> >Use /bin/false as the login shell, just like what Ubuntu does,
> >otherwise there might be secure issue; add /var/lib/ftp as user
> >ftp home-dir.
> >
> >Signed-off-by: Roy Li <rongqing.li at windriver.com>
> >---
> > meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> >diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> >index 6537b77..0006a2a 100644
> >--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> >+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> >@@ -62,6 +62,7 @@ INITSCRIPT_PARAM = "defaults 85 15"
> >
> > USERADD_PACKAGES = "${PN}"
> > GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}"
> >-USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}"
> >+USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir /var/lib/${FTPUSER} --no-create-home \
> >+ --shell /bin/false ${FTPUSER}"
> >
> > FILES_${PN} += "/home/${FTPUSER}"
> >
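Review bot: The added "--home-dir /var/lib/${FTPUSER}" is paired with --no-create-home, but the unchanged context line FILES_${PN} += "/home/${FTPUSER}" still packages the old location, so after this hunk the passwd entry points at a directory that nothing visible here creates or ships. Either install /var/lib/${FTPUSER} from the recipe and update FILES_${PN} to match, or keep the home directory where the package already puts it. The literal /var/lib could also be written ${localstatedir}/lib to follow the recipe variables. Given the report at the top of this thread that logins fail with /bin/false, the --shell part should wait until the cause of that failure is understood.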
>
--
-Joe MacDonald.
:wq