[Buildroot] [PATCH v3 1/1] package/shadow: new package

Raphael Pavlidis raphael.pavlidis at gmail.com
Thu Oct 13 16:34:32 UTC 2022


shadow provides utilities to deal with user accounts.

The shadow package includes the necessary programs for converting UNIX
password files to the shadow password format, plus programs for managing
user and group accounts. It is especially useful if rootless podman
containers are to be used, which require newuidmap and newgidmap.

Signed-off-by: Raphael Pavlidis <raphael.pavlidis at gmail.com>
---
Changes v2 -> v3:
- remove nscd support
- remove sssd support
- remove group name max length parameter
- remove su build
- improve help text of subordinate-ids
- use a define instead of variable for SHADOW_ACCOUNT_TOOLS_SETUID
  SHADOW_SUBORDINATE_IDS_PERMISSIONS and 

Changes v1 -> v2:
- DEVELOPERS: add Raphael Pavlids for shadow

 DEVELOPERS                 |   3 +-
 package/Config.in          |   1 +
 package/shadow/Config.in   |  61 +++++++++++++++++
 package/shadow/shadow.hash |   3 +
 package/shadow/shadow.mk   | 133 +++++++++++++++++++++++++++++++++++++
 5 files changed, 200 insertions(+), 1 deletion(-)
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.hash
 create mode 100644 package/shadow/shadow.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 59121c6a54..0dad0ba0ba 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2474,7 +2474,8 @@ F:	support/testing/tests/package/test_python_jmespath.py
 F:	support/testing/tests/package/test_python_rsa.py
 F:	support/testing/tests/package/test_python_s3transfer.py
 
-N:	Raphael Pavlidis <raphael.pavlidis at googlemail.com>
+N:	Raphael Pavlidis <raphael.pavlidis at gmail.com>
+F:	package/shadow/
 F:	package/slirp4netns/
 
 N:	Refik Tuzakli <tuzakli.refik at gmail.com>
diff --git a/package/Config.in b/package/Config.in
index e3a34d6e97..d9ead48647 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2642,6 +2642,7 @@ menu "System tools"
 	source "package/sdbus-cpp/Config.in"
 	source "package/sdbusplus/Config.in"
 	source "package/seatd/Config.in"
+	source "package/shadow/Config.in"
 	source "package/smack/Config.in"
 	source "package/start-stop-daemon/Config.in"
 	source "package/supervisor/Config.in"
diff --git a/package/shadow/Config.in b/package/shadow/Config.in
new file mode 100644
index 0000000000..6b1fe0a61f
--- /dev/null
+++ b/package/shadow/Config.in
@@ -0,0 +1,61 @@
+menuconfig BR2_PACKAGE_SHADOW
+	bool "shadow"
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_14
+	help
+	  Utilities to deal with user accounts.
+
+	  https://github.com/shadow-maint/shadow
+
+if BR2_PACKAGE_SHADOW
+
+config BR2_PACKAGE_SHADOW_SHADOWGRP
+	bool "shadowgrp"
+	help
+	  Enable shadow group support.
+
+config BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID
+	bool "account-tools-setuid"
+	depends on BR2_USE_MMU  # linux-pam
+	depends on BR2_ENABLE_LOCALE  # linux-pam
+	depends on BR2_USE_WCHAR  # linux-pam
+	depends on !BR2_STATIC_LIBS  # linux-pam
+	select BR2_PACKAGE_LINUX_PAM
+	help
+	  Install the user and group management tools (e.g. groupadd) with setuid and
+	  authenticate the callers via PAM.
+
+comment "account-tools-setuid needs a toolchain w/ shared libs, wchar, locale"
+	depends on BR2_USE_MMU
+	depends on BR2_STATIC_LIBS || !BR2_USE_WCHAR || !BR2_ENABLE_LOCALE
+
+config BR2_PACKAGE_SHADOW_UTMPX
+	bool "utmpx"
+	help
+	  Enable loggin in utmpx / wtmpx.
+
+config BR2_PACKAGE_SHADOW_SUBORDINATE_IDS
+	bool "subordinate-ids"
+	help
+	  Support subordinate ids. Helpful to use container solution like podman
+	  without root.
+
+config BR2_PACKAGE_SHADOW_SHA_CRYPT
+	bool "sha-crypt"
+	default y
+	help
+	  Allow the SHA256 and SHA512 password encryption algorithms.
+
+config BR2_PACKAGE_SHADOW_BCRYPT
+	bool "bcrypt"
+	help
+	  Allow the bcrypt password encryption algorithm.
+
+config BR2_PACKAGE_SHADOW_YESCRYPT
+	bool "yescrypt"
+	help
+	  Allow the yescrypt password encryption algorithm.
+
+endif # BR2_PACKAGE_SHADOW
+
+comment "shadow needs a toolchain w/ headers >= 4.14"
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_14
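Review bot: The help text of BR2_PACKAGE_SHADOW_SUBORDINATE_IDS does not tell the user that enabling it installs newuidmap and newgidmap setuid root (shadow.mk assigns them mode 4755), which is the consequence someone choosing this option most needs to weigh; suggest `Support subordinate ids: installs newuidmap and newgidmap setuid root. Helpful to use container solutions like podman without root.`. The same applies to account-tools-setuid, whose help could add `The tools are installed with mode 4755 (setuid root).` after the PAM sentence. The utmpx help text also has a typo, `Enable logging in utmpx / wtmpx.`.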
diff --git a/package/shadow/shadow.hash b/package/shadow/shadow.hash
new file mode 100644
index 0000000000..6b9faac10f
--- /dev/null
+++ b/package/shadow/shadow.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  41f093ce58b2ae5f389a1c5553e0c18bc73e6fe27f66273891991198a7707c95  shadow-4.11.1.tar.xz
+sha256  3d25ab8f43fdc14624296a56ff8dc3e72e499ad35f32ae0c803f4959cfe17c0a  COPYING
diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
new file mode 100644
index 0000000000..261f28dd28
--- /dev/null
+++ b/package/shadow/shadow.mk
@@ -0,0 +1,133 @@
+################################################################################
+#
+# shadow
+#
+################################################################################
+
+SHADOW_VERSION = 4.11.1
+SHADOW_SITE = https://github.com/shadow-maint/shadow/releases/download/v$(SHADOW_VERSION)
+SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.xz
+SHADOW_LICENSE = BSD-3-Clause
+SHADOW_LICENSE_FILES = COPYING
+
+SHADOW_CONF_OPTS = \
+	--disable-man \
+    --without-btrfs \
+    --without-nscd \
+    --without-skey \
+    --without-sssd \
+    --without-su \
+    --without-tcb
+
+ifeq ($(BR2_PACKAGE_SHADOW_SHADOWGRP),y)
+SHADOW_CONF_OPTS += --enable-shadowgrp
+else
+SHADOW_CONF_OPTS += --disable-shadowgrp
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID),y)
+SHADOW_CONF_OPTS += --enable-account-tools-setuid
+define SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS
+	/usr/sbin/chgpasswd f 4755 0 0 - - - - -
+	/usr/sbin/chpasswd f 4755 0 0 - - - - -
+	/usr/sbin/groupadd f 4755 0 0 - - - - -
+	/usr/sbin/groupdel f 4755 0 0 - - - - -
+	/usr/sbin/groupmod f 4755 0 0 - - - - -
+	/usr/sbin/newusers f 4755 0 0 - - - - -
+	/usr/sbin/useradd f 4755 0 0 - - - - -
+	/usr/sbin/usermod f 4755 0 0 - - - - -
+endef
+else
+SHADOW_CONF_OPTS += --disable-account-tools-setuid
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_UTMPX),y)
+SHADOW_CONF_OPTS += --enable-utmpx
+else
+SHADOW_CONF_OPTS += --disable-utmpx
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_SUBORDINATE_IDS),y)
+SHADOW_CONF_OPTS += --enable-subordinate-ids
+define SHADOW_SUBORDINATE_IDS_PERMISSIONS
+	/usr/bin/newuidmap f 4755 0 0 - - - - -
+	/usr/bin/newgidmap f 4755 0 0 - - - - -
+endef
+else
+SHADOW_CONF_OPTS += --disable-subordinate-ids
+endif
+
+ifeq ($(BR2_PACKAGE_ACL),y)
+SHADOW_CONF_OPTS += --with-acl
+SHADOW_DEPENDENCIES += acl
+else
+SHADOW_CONF_OPTS += --without-acl
+endif
+
+ifeq ($(BR2_PACKAGE_ATTR),y)
+SHADOW_CONF_OPTS += --with-attr
+SHADOW_DEPENDENCIES += attr
+else
+SHADOW_CONF_OPTS += --without-attr
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+SHADOW_CONF_OPTS += --with-audit
+SHADOW_DEPENDENCIES += audit
+else
+SHADOW_CONF_OPTS += --without-audit
+endif
+
+ifeq ($(BR2_PACKAGE_CRACKLIB),y)
+SHADOW_CONF_OPTS += --with-libcrack
+SHADOW_DEPENDENCIES += cracklib
+else
+SHADOW_CONF_OPTS += --without-libcrack
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SHADOW_CONF_OPTS += --with-selinux
+SHADOW_DEPENDENCIES += libselinux libsemanage
+else
+SHADOW_CONF_OPTS += --without-selinux
+endif
+
+# linux-pam is also used without account-tools-setuid enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+SHADOW_CONF_OPTS += --with-libpam
+SHADOW_DEPENDENCIES += linux-pam
+else
+SHADOW_CONF_OPTS += --without-libpam
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_SHA_CRYPT),y)
+SHADOW_CONF_OPTS += --with-sha-crypt
+else
+SHADOW_CONF_OPTS += --without-sha-crypt
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_BCRYPT),y)
+SHADOW_CONF_OPTS += --with-bcrypt
+else
+SHADOW_CONF_OPTS += --without-bcrypt
+endif
+
+ifeq ($(BR2_PACKAGE_SHADOW_YESCRYPT),y)
+SHADOW_CONF_OPTS += --with-yescrypt
+else
+SHADOW_CONF_OPTS += --without-yescrypt
+endif
+
+define SHADOW_PERMISSIONS
+	/usr/bin/chage f 4755 0 0 - - - - -
+	/usr/bin/chfn f 4755 0 0 - - - - -
+	/usr/bin/chsh f 4755 0 0 - - - - -
+	/usr/bin/expiry f 4755 0 0 - - - - -
+	/usr/bin/gpasswd f 4755 0 0 - - - - -
+	/usr/bin/newgrp f 4755 0 0 - - - - -
+	/usr/bin/passwd f 4755 0 0 - - - - -
+	$(SHADOW_ACCOUNT_TOOLS_SETUID)
+	$(SHADOW_SUBORDINATE_IDS_PERMISSIONS)
+endef
+
+$(eval $(autotools-package))
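Review bot: SHADOW_PERMISSIONS expands `$(SHADOW_ACCOUNT_TOOLS_SETUID)`, but the define created under BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID is named SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS, so the reference expands to nothing and groupadd, useradd, chpasswd and friends are never made setuid even though the option claims they are; the line should read `$(SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS)`. Because the mismatch fails quietly, a build with that option enabled silently ships tools whose PAM-authenticated setuid mode never takes effect, which is worth a test in the follow-up. Separately, the SHADOW_CONF_OPTS continuation lines from `--without-btrfs` onward are indented with spaces while `--disable-man` uses a tab; Buildroot .mk files conventionally use a tab for these, so the block is inconsistent with itself.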
-- 
2.35.1



