From 54609e4785eb9f35028cd558440aef437f407eab Mon Sep 17 00:00:00 2001 From: Michael Shigorin Date: Sat, 12 Apr 2014 18:32:40 +0400 Subject: [PATCH] deflogin: refactoring and fixup There have been several problems with this feature: - a typo; - non-existent GROUPS (even a single one) would block setting all of the supplementary groups but separately-set 'wheel'; - this feature isn't used much actually so sees no battle testing. The typo has been just fixed; GROUPS are now applied by iteration which is less effective but more reliable; an additional script hook to write down login invitation for the first passwordless account (if any) has been implemented; and several more group managing targets have been added (based on live feature's script). --- features.in/deflogin/config.mk | 32 +++++++++++++------ .../deflogin/rootfs/image-scripts.d/50-issue | 20 ++++++++++++ .../deflogin/rootfs/image-scripts.d/50-users | 10 +++--- 3 files changed, 48 insertions(+), 14 deletions(-) create mode 100755 features.in/deflogin/rootfs/image-scripts.d/50-issue diff --git a/features.in/deflogin/config.mk b/features.in/deflogin/config.mk index 4dcf5595..2ff6bf04 100644 --- a/features.in/deflogin/config.mk +++ b/features.in/deflogin/config.mk
@@ -11,19 +11,31 @@ use/deflogin: # USERS variable chunk format is "login:passwd:admin:sudo" # GROUPS are just stashed there to include USERS logins created -# livecd: root and altlinux users with no password at all -use/deflogin/empty: use/deflogin use/deflogin/altlinux +# basic livecd: root and altlinux users with no password at all +use/deflogin/empty: use/deflogin @$(call set,ROOTPW_EMPTY,1) + @$(call add,USERS,altlinux::1:1) -# mostly used to allow access to videocard and desktop related hardware -use/deflogin/xgrp: use/deflogin - @$(call add,GROUPS,xgrp) - -# appliances: "root:altlinux"; "altlinux:root" in "xgrp" group -use/deflogin/altlinuxroot: use/deflogin/xgrp - @$(call try,ROOTPW,altlinux) - @$(call add,USERS,altlinux:root:1:1) +# real thing: some control added +use/deflogin/desktop: use/deflogin/empty \ + use/deflogin/hardware use/deflogin/xgrp use/deflogin/privileges; @: # could also be passed on the commandline use/deflogin/root: use/deflogin @$(call try,ROOTPW,altlinux) + +# appliances: "root:altlinux"; "altlinux:root" in "xgrp" group +use/deflogin/altlinuxroot: use/deflogin/root use/deflogin/xgrp + @$(call add,USERS,altlinux:root:1:1) + +# peripherals +use/deflogin/hardware: use/deflogin + @$(call add,GROUPS,cdwriter radio scanner) + +# videocard and desktop related hardware +use/deflogin/xgrp: use/deflogin + @$(call add,GROUPS,xgrp audio) + +# potentially elevated privileges (NB: _not_ wheel) +use/deflogin/privileges: use/deflogin + @$(call add,GROUPS,fuse netadmin proc users) diff --git a/features.in/deflogin/rootfs/image-scripts.d/50-issue b/features.in/deflogin/rootfs/image-scripts.d/50-issue new file mode 100755 index 00000000..d85722bb --- /dev/null +++ b/features.in/deflogin/rootfs/image-scripts.d/50-issue 
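Review bot: The comment on `use/deflogin/desktop` ("real thing: some control added") does not say that the target pulls in `use/deflogin/empty`, which in this hunk sets `ROOTPW_EMPTY` and adds `altlinux::1:1`. By the `login:passwd:admin:sudo` format noted at the top of the hunk, that is a passwordless account with the admin and sudo fields set. Anyone picking the desktop target for an image that gets installed or is reachable over the network inherits an empty root password with no hint of it in the file. I would spell that out above the rule, e.g. `# NB: inherits the empty root password and the passwordless admin/sudo user from use/deflogin/empty`. The old `use/deflogin/empty` also depended on `use/deflogin/altlinux`; whether that target still exists, and what it adds, cannot be seen from this hunk.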
@@ -0,0 +1,20 @@ +#!/bin/sh +# issue welcome message if there's a guest user +# (the first one configured with empty password) + +[ -n "$GLOBAL_USERS" ] || exit 1 + +guest= +for u in $GLOBAL_USERS; do + login="${u%%:*}" + [ -n "$login" ] || continue + rest="${u#*:}" + pass="${rest%%:*}" + [ -z "$pass" ] || continue + guest="$login" + break +done + +[ -n "$guest" ] || exit 0 + +echo "Hello friend, say \`$guest' to log in at \\l" >> /etc/issue diff --git a/features.in/deflogin/rootfs/image-scripts.d/50-users b/features.in/deflogin/rootfs/image-scripts.d/50-users index cb7488d2..fe89be1d 100755 --- a/features.in/deflogin/rootfs/image-scripts.d/50-users +++ b/features.in/deflogin/rootfs/image-scripts.d/50-users @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # add regular user(s) assigning passwords and attributes of power # NB: care that the utilities exist; shadow-utils is warranted @@ -6,8 +6,10 @@ add_user() { useradd -m "$1" && usermod -p "" "$1" && - if [ -n "$GLOBAL_GROUPS" ]; then - usermod -a --groups "${GLOBAL_GROUPS// /,}" "$1" # bashism + if [ -n "$GLOBAL_GROUPS" ]; then # some of them might be missing + for group in $GLOBAL_GROUPS; do + usermod -a --groups "$group" "$1" ||: + done fi || echo "*** failed to add user '$1'" } @@ -21,7 +23,7 @@ set_sudo() { echo "$1 ALL=(ALL) ALL" >> "/etc/sudoers" } -# chpasswd is inteded for batch use but that would be less comprehensible +# chpasswd is intended for batch use but that would be less comprehensible [ -z "$GLOBAL_USERS" ] || echo "$GLOBAL_USERS" \ | tr ' ' '\n' \
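Review bot: In the new `50-issue` hook the first guard, `[ -n "$GLOBAL_USERS" ] || exit 1`, reports failure when no users are configured, which is a legitimate setup (`use/deflogin/root` in this patch sets only `ROOTPW`). If a non-zero exit from an image script aborts the build, as I would expect, such profiles break. `[ -n "$GLOBAL_USERS" ] || exit 0` would match the later `[ -n "$guest" ] || exit 0`. The hook looks only at the password field, so the login name it writes to `/etc/issue` may belong to an account with the admin and sudo fields set, such as `altlinux::1:1`. A header comment saying so would help, e.g. `# NB: publishes the name of a passwordless account on the pre-login banner; live media only`.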
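Review bot: In the `add_user` hunk of `50-users`, `usermod -a --groups "$group" "$1" ||:` discards every usermod failure, not only the missing-group case named in the comment. Because the loop now always succeeds, the trailing `|| echo "*** failed to add user '$1'"` can no longer report group problems. An image can then ship with a user missing from groups the profile asked for and nothing in the build log to show it. Keeping the best-effort behaviour but logging it would be enough: `usermod -a --groups "$group" "$1" || echo "*** failed to add '$1' to group '$group'" >&2`. The body of `add_user` starts above the hunk; the shebang and comment-typo hunks in this file need no comment.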