Bugzilla – Attachment 534543 Details for
Bug 809812
plymouth breaks initrd emergency shell
mkinitrd-2.7.2-sulogin.patch
mkinitrd-2.7.2-sulogin.patch (text/plain), 8.29 KB, created by
Dr. Werner Fink
on 2013-04-10 11:08:43 UTC
Description:
mkinitrd-2.7.2-sulogin.patch
Filename:
MIME Type:
Creator:
Dr. Werner Fink
Created:
2013-04-10 11:08:43 UTC
Size:
8.29 KB
>From a258757bce1debd35eba6f4e5b3f1f38f799b7c4 Mon Sep 17 00:00:00 2001
>From: Werner Fink <werner@suse.de>
>Date: Wed, 10 Apr 2013 12:57:27 +0200
>Subject: [PATCH] Switch plymouth and/or splash off before escaping to
> emergency shell
>
>As well as use sulogin to have a emergency shell on all consoles and
>to enable a password check. For this check the initrd should be set
>to be readable only by root to avoid that users can to spy on the
>confidential data stored within the initrd.
>
>Signed-off-by: Werner Fink <werner@suse.de>
>---
> man/mkinitrd.8.txt | 3 +++
> sbin/mkinitrd | 7 ++++---
> scripts/boot-mount.sh | 12 +++---------
> scripts/boot-network.sh | 4 +---
> scripts/boot-start.sh | 25 ++++++++++++++++++++++---
> scripts/setup-done.sh | 11 +++++++----
> scripts/setup-prepare.sh | 42 +++++++++++++++++++++++++++++++++---------
> 7 files changed, 73 insertions(+), 31 deletions(-)
>
>diff --git man/mkinitrd.8.txt man/mkinitrd.8.txt
>index 88014be..03014e6 100644
>--- man/mkinitrd.8.txt
>+++ man/mkinitrd.8.txt
>@@ -142,6 +142,9 @@ created. This is useful if you call mkinitrd(8) not for the running system
> but for example in a spec file to pre-generate an initrd or to generate a
> special kdump initrd (which *mkdumprd*(8) does).
>
>+*-P*::
>+Do not include the password of the super user (root).
>+
> *-A*::
> Create a so called "monster initrd" which includes all available features and
> modules.
>diff --git sbin/mkinitrd sbin/mkinitrd
>index 42d5974..09db0e3 100755
>--- sbin/mkinitrd
>+++ sbin/mkinitrd
>@@ -279,7 +279,7 @@ find_tmpdir()
> {
> local dir st size last_size=0
>
>- for dir in "$TMPDIR" /dev/shm /tmp /var/tmp; do
>+ for dir in ${TMPDIR:-/tmp} /dev/shm /tmp /var/tmp; do
> if test ! -w "$dir"; then
> continue
> fi
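Review bot: The new loop head in find_tmpdir drops the quoting that the removed line had, so a TMPDIR value containing whitespace or glob characters is split or expanded before `test -w` sees it. Keeping the default and the quotes together avoids that: `for dir in "${TMPDIR:-/tmp}" /dev/shm /tmp /var/tmp; do`. The function body continues outside the hunk, so how `$dir` is used afterwards is not visible here.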
>@@ -306,12 +306,13 @@ find_tmpdir()
> }
> find_tmpdir
>
>-work_dir=$(mktemp -qd $tmp_dir/${mkinit_name}.XXXXXX)
>+work_dir=$(mktemp -qd $tmp_dir/${mkinit_name}.XXXXXXXX)
> if [ $? -ne 0 ]; then
> echo "$0: Can't create temp dir, exiting." >&2
> exit 1
> fi
>-
>+TMPDIR=$work_dir
>+export TMPDIR
>
> saved_args=$@
> read_options
>diff --git scripts/boot-mount.sh scripts/boot-mount.sh
>index 8347303..7440e94 100644
>--- scripts/boot-mount.sh
>+++ scripts/boot-mount.sh
>@@ -67,9 +67,7 @@ read_only=${cmd_ro}
>
> # And now for the real thing
> if ! discover_root ; then
>- echo "not found -- exiting to /bin/sh"
>- cd /
>- PATH=$PATH PS1='$ ' sh -i
>+ emergency "not found"
> fi
>
> sysdev=$(udevadm info -q path -n $rootdev)
>@@ -95,9 +93,7 @@ fi
> oacp=$(type -p on_ac_power)
> # check filesystem if possible
> if [ -z "$rootfstype" ]; then
>- echo "invalid root filesystem -- exiting to /bin/sh"
>- cd /
>- PATH=$PATH PS1='$ ' sh -i
>+ emergency "invalid root filesystem"
> # skip fsck if running on battery
> elif [ -n "${oacp}" ] && ! ${oacp} -q ; then
> echo skipping fsck because running on batteries
>@@ -159,9 +155,7 @@ fi
> echo mount $opt $rootdev /root
> mount $opt $rootdev /root
> if [ $? -ne 0 ] ; then
>- echo "could not mount root filesystem -- exiting to /bin/sh"
>- cd /
>- PATH=$PATH PS1='$ ' sh -i
>+ emergency "could not mount root filesystem"
> fi
>
> unset discover_root
>diff --git scripts/boot-network.sh scripts/boot-network.sh
>index 33cb8ed..3c12bb3 100644
>--- scripts/boot-network.sh
>+++ scripts/boot-network.sh
>@@ -59,9 +59,7 @@ configure_dynamic()
> if [ -s /var/lib/dhcpcd/dhcpcd-$interface.info ] ; then
> . /var/lib/dhcpcd/dhcpcd-$interface.info
> else
>- echo "no response from dhcp server -- exiting to /bin/sh"
>- cd /
>- PATH=$PATH PS1='$ ' sh -i
>+ emergency "no response from dhcp server"
> fi
> [ -e "/var/run/dhcpcd-$interface.pid" ] && kill -9 $(cat /var/run/dhcpcd-$interface.pid)
> if [ -n "$DNS" ]; then
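Review bot: Nothing in this hunk removes `$work_dir` when mkinitrd exits early, and with the scripts/setup-prepare.sh change in this same patch the staging tree can hold a copy of root's shadow entry. If that tree is created below `$work_dir` (not visible here) and no EXIT trap exists elsewhere in sbin/mkinitrd, a cleanup such as `trap 'rm -rf -- "$work_dir"' EXIT` directly after the mktemp check would keep that copy from outliving a failed run. The `$tmp_dir/${mkinit_name}.XXXXXXXX` argument to mktemp is also unquoted.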
>diff --git scripts/boot-start.sh scripts/boot-start.sh
>index 9587d0d..cd87a14 100644
>--- scripts/boot-start.sh
>+++ scripts/boot-start.sh
>@@ -14,6 +14,7 @@
> #%programs: showconsole
> #%programs: sleep
> #%programs: umount
>+#%programs: sulogin
>
> # tools used by linuxrc/init
> #%programs: insmod
>@@ -45,13 +46,31 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin
> die() {
> umount /proc
> umount /sys
>- if [ "$devpts" = "yes" ]; then
>- umount -t devpts /dev/pts
>- fi
>+ umount /dev/pts
> umount /dev
> exit $1
> }
>
>+emergency() {
>+ local plymouth sulogin
>+ if plymouth=$(type -p plymouth 2> /dev/null) ; then
>+ $plymouth quit
>+ $plymouth --wait
>+ fi
>+ if test -w /proc/splash ; then
>+ echo verbose >| /proc/splash
>+ fi
>+ cd /
>+ echo -n "${1+$@} -- "
>+ if sulogin=$(type -p sulogin 2> /dev/null); then
>+ echo "exiting to $sulogin"
>+ PATH=$PATH PS1='$ ' $sulogin /dev/console
>+ else
>+ echo "exiting to /bin/sh"
>+ PATH=$PATH PS1='$ ' /bin/sh -i
>+ fi
>+}
>+
> mount -t proc proc /proc
> mount -t sysfs sysfs /sys
> if mount -t devtmpfs -o mode=0755,nr_inodes=0 devtmpfs /dev; then
>diff --git scripts/setup-done.sh scripts/setup-done.sh
>index b2127ea..c6c50e9 100644
>--- scripts/setup-done.sh
>+++ scripts/setup-done.sh
>@@ -13,8 +13,12 @@ fi
> pushd . > /dev/null 2>&1
> cd $tmp_mnt
> # suid mount will fail if mkinitrd was called as user
>-find . -type f \( -perm -4000 -o -perm -2000 \) -exec chmod 755 {} \;
>-find *bin usr/*bin -type f -exec chmod 755 {} \;
>+find . -type f -and \( -perm -4000 -or -perm -2000 \) -exec chmod 755 {} \+
>+find *bin usr/*bin -type f -exec chmod 755 {} \+
>+# find any files which are only readable by owner and/or group
>+# if so make initrd only radable by the (super) user
>+secure=$(find /etc \( -type f -or -type d \) -and \! -perm -004 2>/dev/null | wc -l)
>+(($secure == 0)) || umask 0066
> if ! find . ! -name "*~" | cpio --quiet -H newc --create | $COMPRESS > $tmp_initrd
> then
> oops 8 "Failed to build initrd"
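Review bot: The `else` branch of emergency() still starts `/bin/sh -i` with no authentication whenever `type -p sulogin` fails, so the password check this patch introduces disappears silently if sulogin is missing from the image. At minimum that fallback should say so on the console, e.g. `echo "sulogin not found -- no password check, exiting to /bin/sh"`, and a comment above the function should state that it returns to the caller once the shell exits. Separately, die() now runs `umount /dev/pts` unconditionally, which will print an error when devpts was never mounted; the removed `$devpts` guard avoided that.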
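Review bot: The `secure=` line in scripts/setup-done.sh runs `find /etc`, which is the build host's /etc, although the script has just done `cd $tmp_mnt` and the comment above it talks about making the initrd readable only by the super user. A host /etc will usually contain at least one non-world-readable file, so `umask 0066` is presumably always applied; that errs on the safe side but means the test does not reflect what is in the image. If the staged tree was meant, `find . \( -type f -or -type d \) -and \! -perm -004` checks all of it rather than only etc. The umask is also never restored, unlike the `oumask` handling in scripts/setup-prepare.sh, so a comment saying this is intended for the rest of the run would help.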
>@@ -28,8 +32,7 @@ if [[ $kernel_image =~ uImage ]]; then
> tmp_initrd=$tmp_initrd.uboot
> fi
> popd > /dev/null 2>&1
>-if ! cp -f $tmp_initrd $initrd_image ; then
>+if ! cp -pf $tmp_initrd $initrd_image ; then
> oops 8 "Failed to install initrd"
> fi
> rm -rf $tmp_mnt
>-
>diff --git scripts/setup-prepare.sh scripts/setup-prepare.sh
>index 71ef225..5391bf3 100644
>--- scripts/setup-prepare.sh
>+++ scripts/setup-prepare.sh
>@@ -9,6 +9,7 @@
> #%param_M: "System.map file to use." map sysmap
> #%param_A: "Create a so called \"monster initrd\" which includes all features and modules possible."
> #%param_B: "Do not update bootloader configuration."
>+#%param_P: "Do not include the password of the super user (root)."
> #%param_v: "Verbose mode."
> #%param_R: "Print release (version)."
> #%param_L: "Disable logging."
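Review bot: `cp -pf` applies the restrictive mode to the destination only after the data has been written, so when `$initrd_image` already exists with a world-readable mode the new contents, which may now include root's password hash, can be readable for the duration of the copy. Writing to a temporary name in the target directory and renaming it closes that window, e.g. `cp -pf "$tmp_initrd" "$initrd_image.new" && mv -f "$initrd_image.new" "$initrd_image"`. This depends on how cp handles an existing destination and is worth confirming on the target system. Both variables are unquoted in the changed line.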
>@@ -215,21 +216,44 @@ for mod in $root_dir/etc/modprobe.conf $root_dir/etc/modprobe.conf.local \
> $root_dir/etc/modprobe.d ; do
> test -e $mod && cp -r $mod $tmp_mnt/etc
> done
>-cat > $tmp_mnt/bin/true <<-EOF
>-#! /bin/sh
>-:
>-EOF
>+cat > $tmp_mnt/bin/true <<-'EOF'
>+ #! /bin/sh
>+ :
>+ EOF
> chmod +x $tmp_mnt/bin/true
>
> mkdir -p $tmp_mnt/var/log
>
>+# password support only if initrd is created by super user
>+(($(id -u) == 0)) || param_P=yes
>+if [ -z "$param_P" ]; then
>+ pw=x
>+else
>+ pw=
>+fi
>+
> # all dev nodes belong to root, but some may be
> # owned by a group other than root
>-# getent passwd | sed '/^root:/s/^\([^:]\+\):[^:]*:\([^:]\+\):\([^:]\+\):.*/\1::\2:\3:::/p;d' > $tmp_mnt/etc/passwd
>-echo 'root::0:0:::' > $tmp_mnt/etc/passwd
>-echo 'nobody::65534:65533:::' >> $tmp_mnt/etc/passwd
>-getent group | sed 's/^\([^:]\+\):[^:]*:\([^:]\+\):.*/\1::\2:/' > $tmp_mnt/etc/group
>-(echo 'passwd: files';echo 'group: files') > $tmp_mnt/etc/nsswitch.conf
>+# getent --service=files passwd | \
>+# sed -n "/^\(nobody\|root\):/s/^\([^:]\+\):[^:]*:\([^:]\+\):\([^:]\+\):.*/\1:${pw}:\2:\3::\/:/p" > $tmp_mnt/etc/passwd
>+cat > $tmp_mnt/etc/passwd <<-EOF
>+ root:${pw}:0:0::/:
>+ nobody:${pw}:65534:65533::/:
>+ EOF
>+getent --service=files group | sed -n 's/^\([^:+]\+\):[^:]*:\([^:]\+\):.*/\1::\2:/p' > $tmp_mnt/etc/group
>+cat > $tmp_mnt/etc/nsswitch.conf <<-'EOF'
>+ passwd: files
>+ shadow: files
>+ group: files
>+ EOF
>+if [ -z "$param_P" ]; then
>+ oumask=$(umask)
>+ umask 0026
>+ getent --service=files shadow | \
>+ sed -n '/^\(nobody\|root\):/s/^\([^:]\+\):\([^:]\+\):\([0-9]*\):.*/\1:\2:\3::::::/p' > $tmp_mnt/etc/shadow
>+ chgrp shadow $tmp_mnt/etc/shadow
>+ umask $oumask
>+fi
>
> # scsi_id config file
> f=/etc/scsi_id.config
>--
>1.7.10.4
>
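Review bot: The shadow block reads the build host's database with `getent --service=files shadow`, while the loop at the top of this hunk takes its inputs from `$root_dir`, so an image built for another root tree would presumably carry the host's root hash. Neither the getent/sed pipeline nor `chgrp shadow` is checked, and a root entry with an empty password field does not match `\([^:]\+\)`, so /etc/passwd can end up with `x` while /etc/shadow has no root line; how sulogin treats that case should be confirmed before relying on the password prompt. A guard after the pipeline such as `grep -q '^root:' "$tmp_mnt/etc/shadow" || oops 8 "no root entry in initrd shadow"` (oops being the helper seen in scripts/setup-done.sh) would make the failure visible. With -P or a non-root build `pw` is empty, so the image keeps an empty root password field as before, which deserves a comment next to the `pw=` assignment.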