1*4882a593Smuzhiyun# In order to support a deterministic set of 'dynamic' users/groups, 2*4882a593Smuzhiyun# we need a function to reformat the params based on a static file 3*4882a593Smuzhiyundef update_useradd_static_config(d): 4*4882a593Smuzhiyun import itertools 5*4882a593Smuzhiyun import re 6*4882a593Smuzhiyun import errno 7*4882a593Smuzhiyun import oe.useradd 8*4882a593Smuzhiyun 9*4882a593Smuzhiyun def list_extend(iterable, length, obj = None): 10*4882a593Smuzhiyun """Ensure that iterable is the specified length by extending with obj 11*4882a593Smuzhiyun and return it as a list""" 12*4882a593Smuzhiyun return list(itertools.islice(itertools.chain(iterable, itertools.repeat(obj)), length)) 13*4882a593Smuzhiyun 14*4882a593Smuzhiyun def merge_files(file_list, exp_fields): 15*4882a593Smuzhiyun """Read each passwd/group file in file_list, split each line and create 16*4882a593Smuzhiyun a dictionary with the user/group names as keys and the split lines as 17*4882a593Smuzhiyun values. If the user/group name already exists in the dictionary, then 18*4882a593Smuzhiyun update any fields in the list with the values from the new list (if they 19*4882a593Smuzhiyun are set).""" 20*4882a593Smuzhiyun id_table = dict() 21*4882a593Smuzhiyun for conf in file_list.split(): 22*4882a593Smuzhiyun try: 23*4882a593Smuzhiyun with open(conf, "r") as f: 24*4882a593Smuzhiyun for line in f: 25*4882a593Smuzhiyun if line.startswith('#'): 26*4882a593Smuzhiyun continue 27*4882a593Smuzhiyun # Make sure there always are at least exp_fields 28*4882a593Smuzhiyun # elements in the field list. This allows for leaving 29*4882a593Smuzhiyun # out trailing colons in the files. 30*4882a593Smuzhiyun fields = list_extend(line.rstrip().split(":"), exp_fields) 31*4882a593Smuzhiyun if fields[0] not in id_table: 32*4882a593Smuzhiyun id_table[fields[0]] = fields 33*4882a593Smuzhiyun else: 34*4882a593Smuzhiyun id_table[fields[0]] = list(map(lambda x, y: x or y, fields, id_table[fields[0]])) 35*4882a593Smuzhiyun except IOError as e: 36*4882a593Smuzhiyun if e.errno == errno.ENOENT: 37*4882a593Smuzhiyun pass 38*4882a593Smuzhiyun 39*4882a593Smuzhiyun return id_table 40*4882a593Smuzhiyun 41*4882a593Smuzhiyun def handle_missing_id(id, type, pkg, files, var, value): 42*4882a593Smuzhiyun # For backwards compatibility we accept "1" in addition to "error" 43*4882a593Smuzhiyun error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC') 44*4882a593Smuzhiyun msg = "%s - %s: %sname %s does not have a static ID defined." % (d.getVar('PN'), pkg, type, id) 45*4882a593Smuzhiyun if files: 46*4882a593Smuzhiyun msg += " Add %s to one of these files: %s" % (id, files) 47*4882a593Smuzhiyun else: 48*4882a593Smuzhiyun msg += " %s file(s) not found in BBPATH: %s" % (var, value) 49*4882a593Smuzhiyun if error_dynamic == 'error' or error_dynamic == '1': 50*4882a593Smuzhiyun raise NotImplementedError(msg) 51*4882a593Smuzhiyun elif error_dynamic == 'warn': 52*4882a593Smuzhiyun bb.warn(msg) 53*4882a593Smuzhiyun elif error_dynamic == 'skip': 54*4882a593Smuzhiyun raise bb.parse.SkipRecipe(msg) 55*4882a593Smuzhiyun 56*4882a593Smuzhiyun # Return a list of configuration files based on either the default 57*4882a593Smuzhiyun # files/group or the contents of USERADD_GID_TABLES, resp. 58*4882a593Smuzhiyun # files/passwd for USERADD_UID_TABLES. 59*4882a593Smuzhiyun # Paths are resolved via BBPATH. 60*4882a593Smuzhiyun def get_table_list(d, var, default): 61*4882a593Smuzhiyun files = [] 62*4882a593Smuzhiyun bbpath = d.getVar('BBPATH') 63*4882a593Smuzhiyun tables = d.getVar(var) 64*4882a593Smuzhiyun if not tables: 65*4882a593Smuzhiyun tables = default 66*4882a593Smuzhiyun for conf_file in tables.split(): 67*4882a593Smuzhiyun files.append(bb.utils.which(bbpath, conf_file)) 68*4882a593Smuzhiyun return (' '.join(files), var, default) 69*4882a593Smuzhiyun 70*4882a593Smuzhiyun # We parse and rewrite the useradd components 71*4882a593Smuzhiyun def rewrite_useradd(params, is_pkg): 72*4882a593Smuzhiyun parser = oe.useradd.build_useradd_parser() 73*4882a593Smuzhiyun 74*4882a593Smuzhiyun newparams = [] 75*4882a593Smuzhiyun users = None 76*4882a593Smuzhiyun for param in oe.useradd.split_commands(params): 77*4882a593Smuzhiyun try: 78*4882a593Smuzhiyun uaargs = parser.parse_args(oe.useradd.split_args(param)) 79*4882a593Smuzhiyun except Exception as e: 80*4882a593Smuzhiyun bb.fatal("%s: Unable to parse arguments for USERADD_PARAM:%s '%s': %s" % (d.getVar('PN'), pkg, param, e)) 81*4882a593Smuzhiyun 82*4882a593Smuzhiyun # Read all passwd files specified in USERADD_UID_TABLES or files/passwd 83*4882a593Smuzhiyun # Use the standard passwd layout: 84*4882a593Smuzhiyun # username:password:user_id:group_id:comment:home_directory:login_shell 85*4882a593Smuzhiyun # 86*4882a593Smuzhiyun # If a field is left blank, the original value will be used. The 'username' 87*4882a593Smuzhiyun # field is required. 88*4882a593Smuzhiyun # 89*4882a593Smuzhiyun # Note: we ignore the password field, as including even the hashed password 90*4882a593Smuzhiyun # in the useradd command may introduce a security hole. It's assumed that 91*4882a593Smuzhiyun # all new users get the default ('*' which prevents login) until the user is 92*4882a593Smuzhiyun # specifically configured by the system admin. 93*4882a593Smuzhiyun if not users: 94*4882a593Smuzhiyun files, table_var, table_value = get_table_list(d, 'USERADD_UID_TABLES', 'files/passwd') 95*4882a593Smuzhiyun users = merge_files(files, 7) 96*4882a593Smuzhiyun 97*4882a593Smuzhiyun type = 'system user' if uaargs.system else 'normal user' 98*4882a593Smuzhiyun if uaargs.LOGIN not in users: 99*4882a593Smuzhiyun handle_missing_id(uaargs.LOGIN, type, pkg, files, table_var, table_value) 100*4882a593Smuzhiyun newparams.append(param) 101*4882a593Smuzhiyun continue 102*4882a593Smuzhiyun 103*4882a593Smuzhiyun field = users[uaargs.LOGIN] 104*4882a593Smuzhiyun 105*4882a593Smuzhiyun if uaargs.uid and field[2] and (uaargs.uid != field[2]): 106*4882a593Smuzhiyun bb.warn("%s: Changing username %s's uid from (%s) to (%s), verify configuration files!" % (d.getVar('PN'), uaargs.LOGIN, uaargs.uid, field[2])) 107*4882a593Smuzhiyun uaargs.uid = field[2] or uaargs.uid 108*4882a593Smuzhiyun 109*4882a593Smuzhiyun # Determine the possible groupname 110*4882a593Smuzhiyun # Unless the group name (or gid) is specified, we assume that the LOGIN is the groupname 111*4882a593Smuzhiyun # 112*4882a593Smuzhiyun # By default the system has creation of the matching groups enabled 113*4882a593Smuzhiyun # So if the implicit username-group creation is on, then the implicit groupname (LOGIN) 114*4882a593Smuzhiyun # is used, and we disable the user_group option. 115*4882a593Smuzhiyun # 116*4882a593Smuzhiyun if uaargs.gid: 117*4882a593Smuzhiyun uaargs.groupname = uaargs.gid 118*4882a593Smuzhiyun elif uaargs.user_group is not False: 119*4882a593Smuzhiyun uaargs.groupname = uaargs.LOGIN 120*4882a593Smuzhiyun else: 121*4882a593Smuzhiyun uaargs.groupname = 'users' 122*4882a593Smuzhiyun uaargs.groupid = field[3] or uaargs.groupname 123*4882a593Smuzhiyun 124*4882a593Smuzhiyun if uaargs.groupid and uaargs.gid != uaargs.groupid: 125*4882a593Smuzhiyun newgroup = None 126*4882a593Smuzhiyun if not uaargs.groupid.isdigit(): 127*4882a593Smuzhiyun # We don't have a group number, so we have to add a name 128*4882a593Smuzhiyun bb.debug(1, "Adding group %s!" % uaargs.groupid) 129*4882a593Smuzhiyun newgroup = "%s %s" % (' --system' if uaargs.system else '', uaargs.groupid) 130*4882a593Smuzhiyun elif uaargs.groupname and not uaargs.groupname.isdigit(): 131*4882a593Smuzhiyun # We have a group name and a group number to assign it to 132*4882a593Smuzhiyun bb.debug(1, "Adding group %s (gid %s)!" % (uaargs.groupname, uaargs.groupid)) 133*4882a593Smuzhiyun newgroup = "-g %s %s" % (uaargs.groupid, uaargs.groupname) 134*4882a593Smuzhiyun else: 135*4882a593Smuzhiyun # We want to add a group, but we don't know it's name... so we can't add the group... 136*4882a593Smuzhiyun # We have to assume the group has previously been added or we'll fail on the adduser... 137*4882a593Smuzhiyun # Note: specifying the actual gid is very rare in OE, usually the group name is specified. 138*4882a593Smuzhiyun bb.warn("%s: Changing gid for login %s to %s, verify configuration files!" % (d.getVar('PN'), uaargs.LOGIN, uaargs.groupid)) 139*4882a593Smuzhiyun 140*4882a593Smuzhiyun uaargs.gid = uaargs.groupid 141*4882a593Smuzhiyun uaargs.user_group = None 142*4882a593Smuzhiyun if newgroup and is_pkg: 143*4882a593Smuzhiyun groupadd = d.getVar("GROUPADD_PARAM:%s" % pkg) 144*4882a593Smuzhiyun if groupadd: 145*4882a593Smuzhiyun # Only add the group if not already specified 146*4882a593Smuzhiyun if not uaargs.groupname in groupadd: 147*4882a593Smuzhiyun d.setVar("GROUPADD_PARAM:%s" % pkg, "%s; %s" % (groupadd, newgroup)) 148*4882a593Smuzhiyun else: 149*4882a593Smuzhiyun d.setVar("GROUPADD_PARAM:%s" % pkg, newgroup) 150*4882a593Smuzhiyun 151*4882a593Smuzhiyun uaargs.comment = "'%s'" % field[4] if field[4] else uaargs.comment 152*4882a593Smuzhiyun uaargs.home_dir = field[5] or uaargs.home_dir 153*4882a593Smuzhiyun uaargs.shell = field[6] or uaargs.shell 154*4882a593Smuzhiyun 155*4882a593Smuzhiyun # Should be an error if a specific option is set... 156*4882a593Smuzhiyun if not uaargs.uid or not uaargs.uid.isdigit() or not uaargs.gid: 157*4882a593Smuzhiyun handle_missing_id(uaargs.LOGIN, type, pkg, files, table_var, table_value) 158*4882a593Smuzhiyun 159*4882a593Smuzhiyun # Reconstruct the args... 160*4882a593Smuzhiyun newparam = ['', ' --defaults'][uaargs.defaults] 161*4882a593Smuzhiyun newparam += ['', ' --base-dir %s' % uaargs.base_dir][uaargs.base_dir != None] 162*4882a593Smuzhiyun newparam += ['', ' --comment %s' % uaargs.comment][uaargs.comment != None] 163*4882a593Smuzhiyun newparam += ['', ' --home-dir %s' % uaargs.home_dir][uaargs.home_dir != None] 164*4882a593Smuzhiyun newparam += ['', ' --expiredate %s' % uaargs.expiredate][uaargs.expiredate != None] 165*4882a593Smuzhiyun newparam += ['', ' --inactive %s' % uaargs.inactive][uaargs.inactive != None] 166*4882a593Smuzhiyun newparam += ['', ' --gid %s' % uaargs.gid][uaargs.gid != None] 167*4882a593Smuzhiyun newparam += ['', ' --groups %s' % uaargs.groups][uaargs.groups != None] 168*4882a593Smuzhiyun newparam += ['', ' --skel %s' % uaargs.skel][uaargs.skel != None] 169*4882a593Smuzhiyun newparam += ['', ' --key %s' % uaargs.key][uaargs.key != None] 170*4882a593Smuzhiyun newparam += ['', ' --no-log-init'][uaargs.no_log_init] 171*4882a593Smuzhiyun newparam += ['', ' --create-home'][uaargs.create_home is True] 172*4882a593Smuzhiyun newparam += ['', ' --no-create-home'][uaargs.create_home is False] 173*4882a593Smuzhiyun newparam += ['', ' --no-user-group'][uaargs.user_group is False] 174*4882a593Smuzhiyun newparam += ['', ' --non-unique'][uaargs.non_unique] 175*4882a593Smuzhiyun if uaargs.password != None: 176*4882a593Smuzhiyun newparam += ['', ' --password %s' % uaargs.password][uaargs.password != None] 177*4882a593Smuzhiyun newparam += ['', ' --root %s' % uaargs.root][uaargs.root != None] 178*4882a593Smuzhiyun newparam += ['', ' --system'][uaargs.system] 179*4882a593Smuzhiyun newparam += ['', ' --shell %s' % uaargs.shell][uaargs.shell != None] 180*4882a593Smuzhiyun newparam += ['', ' --uid %s' % uaargs.uid][uaargs.uid != None] 181*4882a593Smuzhiyun newparam += ['', ' --user-group'][uaargs.user_group is True] 182*4882a593Smuzhiyun newparam += ' %s' % uaargs.LOGIN 183*4882a593Smuzhiyun 184*4882a593Smuzhiyun newparams.append(newparam) 185*4882a593Smuzhiyun 186*4882a593Smuzhiyun return ";".join(newparams).strip() 187*4882a593Smuzhiyun 188*4882a593Smuzhiyun # We parse and rewrite the groupadd components 189*4882a593Smuzhiyun def rewrite_groupadd(params, is_pkg): 190*4882a593Smuzhiyun parser = oe.useradd.build_groupadd_parser() 191*4882a593Smuzhiyun 192*4882a593Smuzhiyun newparams = [] 193*4882a593Smuzhiyun groups = None 194*4882a593Smuzhiyun for param in oe.useradd.split_commands(params): 195*4882a593Smuzhiyun try: 196*4882a593Smuzhiyun # If we're processing multiple lines, we could have left over values here... 197*4882a593Smuzhiyun gaargs = parser.parse_args(oe.useradd.split_args(param)) 198*4882a593Smuzhiyun except Exception as e: 199*4882a593Smuzhiyun bb.fatal("%s: Unable to parse arguments for GROUPADD_PARAM:%s '%s': %s" % (d.getVar('PN'), pkg, param, e)) 200*4882a593Smuzhiyun 201*4882a593Smuzhiyun # Read all group files specified in USERADD_GID_TABLES or files/group 202*4882a593Smuzhiyun # Use the standard group layout: 203*4882a593Smuzhiyun # groupname:password:group_id:group_members 204*4882a593Smuzhiyun # 205*4882a593Smuzhiyun # If a field is left blank, the original value will be used. The 'groupname' field 206*4882a593Smuzhiyun # is required. 207*4882a593Smuzhiyun # 208*4882a593Smuzhiyun # Note: similar to the passwd file, the 'password' filed is ignored 209*4882a593Smuzhiyun # Note: group_members is ignored, group members must be configured with the GROUPMEMS_PARAM 210*4882a593Smuzhiyun if not groups: 211*4882a593Smuzhiyun files, table_var, table_value = get_table_list(d, 'USERADD_GID_TABLES', 'files/group') 212*4882a593Smuzhiyun groups = merge_files(files, 4) 213*4882a593Smuzhiyun 214*4882a593Smuzhiyun type = 'system group' if gaargs.system else 'normal group' 215*4882a593Smuzhiyun if gaargs.GROUP not in groups: 216*4882a593Smuzhiyun handle_missing_id(gaargs.GROUP, type, pkg, files, table_var, table_value) 217*4882a593Smuzhiyun newparams.append(param) 218*4882a593Smuzhiyun continue 219*4882a593Smuzhiyun 220*4882a593Smuzhiyun field = groups[gaargs.GROUP] 221*4882a593Smuzhiyun 222*4882a593Smuzhiyun if field[2]: 223*4882a593Smuzhiyun if gaargs.gid and (gaargs.gid != field[2]): 224*4882a593Smuzhiyun bb.warn("%s: Changing groupname %s's gid from (%s) to (%s), verify configuration files!" % (d.getVar('PN'), gaargs.GROUP, gaargs.gid, field[2])) 225*4882a593Smuzhiyun gaargs.gid = field[2] 226*4882a593Smuzhiyun 227*4882a593Smuzhiyun if not gaargs.gid or not gaargs.gid.isdigit(): 228*4882a593Smuzhiyun handle_missing_id(gaargs.GROUP, type, pkg, files, table_var, table_value) 229*4882a593Smuzhiyun 230*4882a593Smuzhiyun # Reconstruct the args... 231*4882a593Smuzhiyun newparam = ['', ' --force'][gaargs.force] 232*4882a593Smuzhiyun newparam += ['', ' --gid %s' % gaargs.gid][gaargs.gid != None] 233*4882a593Smuzhiyun newparam += ['', ' --key %s' % gaargs.key][gaargs.key != None] 234*4882a593Smuzhiyun newparam += ['', ' --non-unique'][gaargs.non_unique] 235*4882a593Smuzhiyun if gaargs.password != None: 236*4882a593Smuzhiyun newparam += ['', ' --password %s' % gaargs.password][gaargs.password != None] 237*4882a593Smuzhiyun newparam += ['', ' --root %s' % gaargs.root][gaargs.root != None] 238*4882a593Smuzhiyun newparam += ['', ' --system'][gaargs.system] 239*4882a593Smuzhiyun newparam += ' %s' % gaargs.GROUP 240*4882a593Smuzhiyun 241*4882a593Smuzhiyun newparams.append(newparam) 242*4882a593Smuzhiyun 243*4882a593Smuzhiyun return ";".join(newparams).strip() 244*4882a593Smuzhiyun 245*4882a593Smuzhiyun # The parsing of the current recipe depends on the content of 246*4882a593Smuzhiyun # the files listed in USERADD_UID/GID_TABLES. We need to tell bitbake 247*4882a593Smuzhiyun # about that explicitly to trigger re-parsing and thus re-execution of 248*4882a593Smuzhiyun # this code when the files change. 249*4882a593Smuzhiyun bbpath = d.getVar('BBPATH') 250*4882a593Smuzhiyun for varname, default in (('USERADD_UID_TABLES', 'files/passwd'), 251*4882a593Smuzhiyun ('USERADD_GID_TABLES', 'files/group')): 252*4882a593Smuzhiyun tables = d.getVar(varname) 253*4882a593Smuzhiyun if not tables: 254*4882a593Smuzhiyun tables = default 255*4882a593Smuzhiyun for conf_file in tables.split(): 256*4882a593Smuzhiyun bb.parse.mark_dependency(d, bb.utils.which(bbpath, conf_file)) 257*4882a593Smuzhiyun 258*4882a593Smuzhiyun # Load and process the users and groups, rewriting the adduser/addgroup params 259*4882a593Smuzhiyun useradd_packages = d.getVar('USERADD_PACKAGES') or "" 260*4882a593Smuzhiyun 261*4882a593Smuzhiyun for pkg in useradd_packages.split(): 262*4882a593Smuzhiyun # Groupmems doesn't have anything we might want to change, so simply validating 263*4882a593Smuzhiyun # is a bit of a waste -- only process useradd/groupadd 264*4882a593Smuzhiyun useradd_param = d.getVar('USERADD_PARAM:%s' % pkg) 265*4882a593Smuzhiyun if useradd_param: 266*4882a593Smuzhiyun #bb.warn("Before: 'USERADD_PARAM:%s' - '%s'" % (pkg, useradd_param)) 267*4882a593Smuzhiyun d.setVar('USERADD_PARAM:%s' % pkg, rewrite_useradd(useradd_param, True)) 268*4882a593Smuzhiyun #bb.warn("After: 'USERADD_PARAM:%s' - '%s'" % (pkg, d.getVar('USERADD_PARAM:%s' % pkg))) 269*4882a593Smuzhiyun 270*4882a593Smuzhiyun groupadd_param = d.getVar('GROUPADD_PARAM:%s' % pkg) 271*4882a593Smuzhiyun if groupadd_param: 272*4882a593Smuzhiyun #bb.warn("Before: 'GROUPADD_PARAM:%s' - '%s'" % (pkg, groupadd_param)) 273*4882a593Smuzhiyun d.setVar('GROUPADD_PARAM:%s' % pkg, rewrite_groupadd(groupadd_param, True)) 274*4882a593Smuzhiyun #bb.warn("After: 'GROUPADD_PARAM:%s' - '%s'" % (pkg, d.getVar('GROUPADD_PARAM:%s' % pkg))) 275*4882a593Smuzhiyun 276*4882a593Smuzhiyun # Load and process extra users and groups, rewriting only adduser/addgroup params 277*4882a593Smuzhiyun pkg = d.getVar('PN') 278*4882a593Smuzhiyun extrausers = d.getVar('EXTRA_USERS_PARAMS') or "" 279*4882a593Smuzhiyun 280*4882a593Smuzhiyun #bb.warn("Before: 'EXTRA_USERS_PARAMS' - '%s'" % (d.getVar('EXTRA_USERS_PARAMS'))) 281*4882a593Smuzhiyun new_extrausers = [] 282*4882a593Smuzhiyun for cmd in oe.useradd.split_commands(extrausers): 283*4882a593Smuzhiyun if re.match('''useradd (.*)''', cmd): 284*4882a593Smuzhiyun useradd_param = re.match('''useradd (.*)''', cmd).group(1) 285*4882a593Smuzhiyun useradd_param = rewrite_useradd(useradd_param, False) 286*4882a593Smuzhiyun cmd = 'useradd %s' % useradd_param 287*4882a593Smuzhiyun elif re.match('''groupadd (.*)''', cmd): 288*4882a593Smuzhiyun groupadd_param = re.match('''groupadd (.*)''', cmd).group(1) 289*4882a593Smuzhiyun groupadd_param = rewrite_groupadd(groupadd_param, False) 290*4882a593Smuzhiyun cmd = 'groupadd %s' % groupadd_param 291*4882a593Smuzhiyun 292*4882a593Smuzhiyun new_extrausers.append(cmd) 293*4882a593Smuzhiyun 294*4882a593Smuzhiyun new_extrausers.append('') 295*4882a593Smuzhiyun d.setVar('EXTRA_USERS_PARAMS', ';'.join(new_extrausers)) 296*4882a593Smuzhiyun #bb.warn("After: 'EXTRA_USERS_PARAMS' - '%s'" % (d.getVar('EXTRA_USERS_PARAMS'))) 297*4882a593Smuzhiyun 298*4882a593Smuzhiyun 299*4882a593Smuzhiyunpython __anonymous() { 300*4882a593Smuzhiyun if not bb.data.inherits_class('nativesdk', d) \ 301*4882a593Smuzhiyun and not bb.data.inherits_class('native', d): 302*4882a593Smuzhiyun try: 303*4882a593Smuzhiyun update_useradd_static_config(d) 304*4882a593Smuzhiyun except NotImplementedError as f: 305*4882a593Smuzhiyun bb.debug(1, "Skipping recipe %s: %s" % (d.getVar('PN'), f)) 306*4882a593Smuzhiyun raise bb.parse.SkipRecipe(f) 307*4882a593Smuzhiyun} 308