Merge pull request #13102 from mbiebl/nologin-path

meson: make nologin path build time configurable

man/nss-mymachines.xml

@@ -98,8 +98,8 @@ MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
 rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
 
 $ getent passwd vu-rawhide-0 vu-rawhide-81
-vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/sbin/nologin
+vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
-vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/sbin/nologin
+vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
 
 $ getent group vg-rawhide-0 vg-rawhide-81
 vg-rawhide-0:*:20119552:

man/sysusers.d.xml

@@ -206,12 +206,12 @@ u     root     0              "Superuser"           /root          /bin/zsh</pro
       <title>Shell</title>
 
       <para>The login shell of the user. If not specified, this will be set to
-      <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
+      <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in
       which case <filename>/bin/sh</filename> will be used.</para>
 
       <para>Only applies to lines of type <varname>u</varname> and should otherwise
       be left unset (or <literal>-</literal>). It is recommended to omit this, unless
-      a shell different <filename>/sbin/nologin</filename> must be used.</para>
+      a shell different <filename>/usr/sbin/nologin</filename> must be used.</para>
     </refsect2>
   </refsect1>
 

meson.build

@@ -558,6 +558,7 @@ progs = [['quotaon',    '/usr/sbin/quotaon'    ],
          ['umount',     '/usr/bin/umount',     'UMOUNT_PATH'],
          ['loadkeys',   '/usr/bin/loadkeys',   'KBD_LOADKEYS'],
          ['setfont',    '/usr/bin/setfont',    'KBD_SETFONT'],
+         ['nologin',    '/usr/sbin/nologin',   ],
         ]
 foreach prog : progs
         path = get_option(prog[0] + '-path')

meson_options.txt

@@ -41,6 +41,7 @@ option('mount-path', type : 'string', description : 'path to mount')
 option('umount-path', type : 'string', description : 'path to umount')
 option('loadkeys-path', type : 'string', description : 'path to loadkeys')
 option('setfont-path', type : 'string', description : 'path to setfont')
+option('nologin-path', type : 'string', description : 'path to nologin')
 
 option('debug-shell', type : 'string', value : '/bin/sh',
        description : 'path to debug shell binary')

src/basic/user-util.c

@@ -148,7 +148,7 @@ static int synthesize_user_creds(
                         *home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
 
                 if (shell)
-                        *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/sbin/nologin";
+                        *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
 
                 return 0;
         }
@@ -538,7 +538,7 @@ int get_shell(char **_s) {
         }
         if (synthesize_nobody() &&
             u == UID_NOBODY) {
-                s = strdup("/sbin/nologin");
+                s = strdup(NOLOGIN);
                 if (!s)
                         return -ENOMEM;
 

src/nss-mymachines/nss-mymachines.c

@@ -503,7 +503,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
         pwd->pw_gecos = buffer;
         pwd->pw_passwd = (char*) "*"; /* locked */
         pwd->pw_dir = (char*) "/";
-        pwd->pw_shell = (char*) "/sbin/nologin";
+        pwd->pw_shell = (char*) NOLOGIN;
 
         return NSS_STATUS_SUCCESS;
 
@@ -583,7 +583,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
         pwd->pw_gecos = buffer;
         pwd->pw_passwd = (char*) "*"; /* locked */
         pwd->pw_dir = (char*) "/";
-        pwd->pw_shell = (char*) "/sbin/nologin";
+        pwd->pw_shell = (char*) NOLOGIN;
 
         return NSS_STATUS_SUCCESS;
 

src/nss-systemd/nss-systemd.c

@@ -24,7 +24,7 @@
 #define DYNAMIC_USER_GECOS       "Dynamic User"
 #define DYNAMIC_USER_PASSWD      "*" /* locked */
 #define DYNAMIC_USER_DIR         "/"
-#define DYNAMIC_USER_SHELL       "/sbin/nologin"
+#define DYNAMIC_USER_SHELL       NOLOGIN
 
 static const struct passwd root_passwd = {
         .pw_name = (char*) "root",
@@ -43,7 +43,7 @@ static const struct passwd nobody_passwd = {
         .pw_gid = GID_NOBODY,
         .pw_gecos = (char*) "User Nobody",
         .pw_dir = (char*) "/",
-        .pw_shell = (char*) "/sbin/nologin",
+        .pw_shell = (char*) NOLOGIN,
 };
 
 static const struct group root_group = {

src/sysusers/sysusers.c

@@ -361,7 +361,7 @@ static int rename_and_apply_smack(const char *temp_path, const char *dest_path)
 }
 
 static const char* default_shell(uid_t uid) {
-        return uid == 0 ? "/bin/sh" : "/sbin/nologin";
+        return uid == 0 ? "/bin/sh" : NOLOGIN;
 }
 
 static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char **tmpfile_path) {

src/test/test-user-util.c

@@ -219,8 +219,8 @@ int main(int argc, char *argv[]) {
 
         test_get_user_creds_one("root", "root", 0, 0, "/root", "/bin/sh");
         test_get_user_creds_one("0", "root", 0, 0, "/root", "/bin/sh");
-        test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
+        test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
-        test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
+        test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
 
         test_get_group_creds_one("root", "root", 0);
         test_get_group_creds_one("0", "root", 0);

test/TEST-21-SYSUSERS/test-1.expected-passwd

@@ -1 +1 @@
-u1:x:222:222::/:/sbin/nologin
+u1:x:222:222::/:NOLOGIN

test/TEST-21-SYSUSERS/test-10.expected-passwd

@@ -1,2 +1,2 @@
-u1:x:300:300::/:/sbin/nologin
+u1:x:300:300::/:NOLOGIN
-u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
+u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN

test/TEST-21-SYSUSERS/test-11.expected-passwd

@@ -2,5 +2,5 @@ root:x:0:0:root:/root:/bin/bash
 systemd-network:x:492:492:Systemd Network Management:/:/usr/sbin/nologin
 systemd-resolve:x:491:491:Systemd Resolver:/:/usr/sbin/nologin
 systemd-timesync:x:493:493:Systemd Time Synchronization:/:/usr/sbin/nologin
-u1:x:222:222::/:/sbin/nologin
+u1:x:222:222::/:NOLOGIN
 +::::::

test/TEST-21-SYSUSERS/test-12.expected-passwd

@@ -1,2 +1,2 @@
 root:x:0:0:root:/root:/bin/bash
-systemd-coredump:x:1:1:systemd Core Dumper:/:/sbin/nologin
+systemd-coredump:x:1:1:systemd Core Dumper:/:NOLOGIN

test/TEST-21-SYSUSERS/test-2.expected-passwd

@@ -1,4 +1,4 @@
-u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:/sbin/nologin
+u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:NOLOGIN
 u2:x:777:777:some gecos:/random/dir:/bin/zsh
 u3:x:778:778::/random/dir2:/bin/bash
 u4:x:779:779::/:/bin/csh

test/TEST-21-SYSUSERS/test-3.expected-passwd

@@ -1,4 +1,4 @@
-foo:x:301:301::/:/sbin/nologin
+foo:x:301:301::/:NOLOGIN
-aaa:x:303:302::/:/sbin/nologin
+aaa:x:303:302::/:NOLOGIN
-bbb:x:304:302::/:/sbin/nologin
+bbb:x:304:302::/:NOLOGIN
-ccc:x:305:305::/:/sbin/nologin
+ccc:x:305:305::/:NOLOGIN

test/TEST-21-SYSUSERS/test-4.expected-passwd

@@ -1,2 +1,2 @@
-yyy:x:311:310::/:/sbin/nologin
+yyy:x:311:310::/:NOLOGIN
-xxx:x:312:310::/:/sbin/nologin
+xxx:x:312:310::/:NOLOGIN

test/TEST-21-SYSUSERS/test-5.expected-passwd

@@ -1,18 +1,18 @@
 root:x:0:0::/root:/bin/sh
-daemon:x:1:1::/usr/sbin:/sbin/nologin
+daemon:x:1:1::/usr/sbin:NOLOGIN
-bin:x:2:2::/bin:/sbin/nologin
+bin:x:2:2::/bin:NOLOGIN
-sys:x:3:3::/dev:/sbin/nologin
+sys:x:3:3::/dev:NOLOGIN
-sync:x:4:65534::/bin:/sbin/nologin
+sync:x:4:65534::/bin:NOLOGIN
-games:x:5:60::/usr/games:/sbin/nologin
+games:x:5:60::/usr/games:NOLOGIN
-man:x:6:12::/var/cache/man:/sbin/nologin
+man:x:6:12::/var/cache/man:NOLOGIN
-lp:x:7:7::/var/spool/lpd:/sbin/nologin
+lp:x:7:7::/var/spool/lpd:NOLOGIN
-mail:x:8:8::/var/mail:/sbin/nologin
+mail:x:8:8::/var/mail:NOLOGIN
-news:x:9:9::/var/spool/news:/sbin/nologin
+news:x:9:9::/var/spool/news:NOLOGIN
-uucp:x:10:10::/var/spool/uucp:/sbin/nologin
+uucp:x:10:10::/var/spool/uucp:NOLOGIN
-proxy:x:13:13::/bin:/sbin/nologin
+proxy:x:13:13::/bin:NOLOGIN
-www-data:x:33:33::/var/www:/sbin/nologin
+www-data:x:33:33::/var/www:NOLOGIN
-backup:x:34:34::/var/backups:/sbin/nologin
+backup:x:34:34::/var/backups:NOLOGIN
-list:x:38:38::/var/list:/sbin/nologin
+list:x:38:38::/var/list:NOLOGIN
-irc:x:39:39::/var/run/ircd:/sbin/nologin
+irc:x:39:39::/var/run/ircd:NOLOGIN
-gnats:x:41:41::/var/lib/gnats:/sbin/nologin
+gnats:x:41:41::/var/lib/gnats:NOLOGIN
-nobody:x:65534:65534::/nonexistent:/sbin/nologin
+nobody:x:65534:65534::/nonexistent:NOLOGIN

test/TEST-21-SYSUSERS/test-6.expected-passwd

@@ -1 +1 @@
-u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
+u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN

test/TEST-21-SYSUSERS/test-7.expected-passwd

@@ -1,5 +1,5 @@
-bin:x:1:1::/:/sbin/nologin
+bin:x:1:1::/:NOLOGIN
-daemon:x:2:2::/:/sbin/nologin
+daemon:x:2:2::/:NOLOGIN
-mail:x:8:12::/var/spool/mail:/sbin/nologin
+mail:x:8:12::/var/spool/mail:NOLOGIN
-ftp:x:14:11::/srv/ftp:/sbin/nologin
+ftp:x:14:11::/srv/ftp:NOLOGIN
-http:x:33:33::/srv/http:/sbin/nologin
+http:x:33:33::/srv/http:NOLOGIN

test/TEST-21-SYSUSERS/test-8.expected-passwd

@@ -1 +1 @@
-username:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
+username:x:SYSTEM_UID_MAX:300::/:NOLOGIN

test/TEST-21-SYSUSERS/test-9.expected-passwd

@@ -1,2 +1,2 @@
-user1:x:300:300::/:/sbin/nologin
+user1:x:300:300::/:NOLOGIN
-user2:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
+user2:x:SYSTEM_UID_MAX:300::/:NOLOGIN

test/TEST-21-SYSUSERS/test.sh

@@ -23,7 +23,14 @@ preprocess() {
     # get this value from config.h, however the autopkgtest fails with
     # it
     SYSTEM_UID_MAX=$(awk 'BEGIN { uid=999 } /^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }' /etc/login.defs)
-    sed "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" "$in"
+
+    # we can't rely on config.h to get the nologin path, as autopkgtest
+    # uses pre-compiled binaries, so extract it from the systemd-sysusers
+    # binary which we are about to execute
+    NOLOGIN=$(strings $(type -p systemd-sysusers) | grep nologin)
+
+    sed -e "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" \
+        -e "s#NOLOGIN#${NOLOGIN}#g" "$in"
 }
 
 compare() {

test/TEST-28-PERCENTJ-WANTEDBY/Makefile

@@ -1,9 +0,0 @@
-BUILD_DIR=$(shell ../../tools/find-build-dir.sh)
-
-all setup run:
-	@basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --$@
-
-clean clean-again:
-	@basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --clean
-
-.PHONY: all setup run clean clean-again

test/TEST-28-PERCENTJ-WANTEDBY/Makefile

@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile