diff --git a/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb b/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb index b678db1..bf620dc 100644 --- a/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb +++ b/meta-citadel/recipes-citadel/citadel-config/citadel-config.bb @@ -37,7 +37,9 @@ SRC_URI = "\ file://locale.conf \ file://environment.sh \ file://fstab \ + file://sudo-citadel \ file://citadel-ifconfig.sh \ + file://citadel-setpassword.sh \ file://00-storage-tmpfiles.conf \ file://NetworkManager.conf \ file://share/dot.bashrc \ @@ -48,6 +50,7 @@ SRC_URI = "\ file://systemd/zram-swap.service \ file://systemd/iptables.service \ file://systemd/session-switcher.service \ + file://systemd/citadel-setpassword.service \ file://skel/profile \ file://skel/bashrc \ file://skel/vimrc \ @@ -64,12 +67,12 @@ USERADD_PACKAGES = "${PN}" USERADD_PARAM_${PN} = "-m -u 1000 -s /bin/bash citadel" INHIBIT_PACKAGE_DEBUG_SPLIT = "1" -# for citadel-ifconfig.sh +# for citadel-ifconfig.sh citadel-setpassword.sh RDEPENDS_${PN} = "bash" inherit allarch systemd useradd -SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path iptables.service session-switcher.service" +SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path iptables.service session-switcher.service citadel-setpassword.service" do_install() { install -m 0755 -d ${D}/storage @@ -83,14 +86,17 @@ do_install() { install -m 0755 -d ${D}${sysconfdir}/NetworkManager install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d install -m 0755 -d ${D}${sysconfdir}/modprobe.d + install -m 0755 -d ${D}${sysconfdir}/sudoers.d install -m 0755 -d ${D}${datadir}/iptables install -m 0755 -d ${D}${datadir}/factory/skel install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections + install -m 0755 -d ${D}${datadir}/citadel install -m 0644 ${WORKDIR}/locale.conf ${D}${sysconfdir}/locale.conf install -m 0644 ${WORKDIR}/environment.sh ${D}${sysconfdir}/profile.d/environment.sh install -m 0644 ${WORKDIR}/fstab ${D}${sysconfdir}/fstab + install -m 0440 ${WORKDIR}/sudo-citadel ${D}${sysconfdir}/sudoers.d/citadel install -m 0644 ${WORKDIR}/00-storage-tmpfiles.conf ${D}${sysconfdir}/tmpfiles.d install -m 0644 ${WORKDIR}/NetworkManager.conf ${D}${sysconfdir}/NetworkManager @@ -99,6 +105,7 @@ do_install() { install -m 644 ${WORKDIR}/systemd/iptables.service ${D}${systemd_system_unitdir} install -m 644 ${WORKDIR}/systemd/session-switcher.service ${D}${systemd_system_unitdir} + install -m 644 ${WORKDIR}/systemd/citadel-setpassword.service ${D}${systemd_system_unitdir} install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir} install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir} @@ -114,6 +121,7 @@ do_install() { install -m 0644 ${WORKDIR}/udev/citadel-network.rules ${D}${sysconfdir}/udev/rules.d/ install -m 0755 ${WORKDIR}/citadel-ifconfig.sh ${D}${libexecdir} + install -m 0754 ${WORKDIR}/citadel-setpassword.sh ${D}${libexecdir} install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/ install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/ diff --git a/meta-citadel/recipes-citadel/citadel-config/files/citadel-setpassword.sh b/meta-citadel/recipes-citadel/citadel-config/files/citadel-setpassword.sh new file mode 100755 index 0000000..1be7e40 --- /dev/null +++ b/meta-citadel/recipes-citadel/citadel-config/files/citadel-setpassword.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +PF="/storage/citadel-state/passwd" +if [ -e "${PF}" ]; then + exit 0 +fi + +success= +for ((I = 0; I < 3; I++)); do + P1= + P2= + /usr/bin/plymouth display-message --text='Set new user password...' + /usr/bin/plymouth pause-progress + P1="$(/usr/bin/plymouth ask-for-password --prompt='Password')" + /usr/bin/plymouth unpause-progress + /usr/bin/plymouth pause-progress + P2="$(/usr/bin/plymouth ask-for-password --prompt='Confirm')" + + if [ -n "${P1}" -a "${P1}" == "${P2}" ]; then + /usr/bin/plymouth unpause-progress + success=true + break; + fi + /usr/bin/plymouth display-message --text='Passwords do not match, try again...' + /usr/bin/plymouth unpause-progress + sleep 3 +done +if [ -n "${success}" ]; then + crypt=$(echo -n "${P1}" | /usr/bin/mkpasswd -s -m sha-512) + echo "citadel:${crypt}" > ${PF} + chmod 444 "${PF}" + /usr/bin/plymouth display-message --text='Password set succesfully...' +else + /usr/bin/plymouth display-message --text='Failed to set password...' +fi +exit 0; diff --git a/meta-citadel/recipes-citadel/citadel-config/files/sudo-citadel b/meta-citadel/recipes-citadel/citadel-config/files/sudo-citadel new file mode 100644 index 0000000..16a0b1e --- /dev/null +++ b/meta-citadel/recipes-citadel/citadel-config/files/sudo-citadel @@ -0,0 +1,2 @@ +# Citadel sudo +citadel ALL=(ALL:ALL) ALL diff --git a/meta-citadel/recipes-citadel/citadel-config/files/systemd/citadel-setpassword.service b/meta-citadel/recipes-citadel/citadel-config/files/systemd/citadel-setpassword.service new file mode 100644 index 0000000..a37f57f --- /dev/null +++ b/meta-citadel/recipes-citadel/citadel-config/files/systemd/citadel-setpassword.service @@ -0,0 +1,14 @@ +[Unit] +Description=Citadel Set Password +After=storage.mount +Requires=storage.mount +Before=gdm.service + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/usr/libexec/citadel-setpassword.sh + +[Install] +WantedBy=multi-user.target +RequiredBy=graphical.target diff --git a/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb b/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb index 51d5869..4355050 100644 --- a/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb +++ b/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" SYSTEMD_DEFAULT_TARGET = "graphical.target" -ROOTFS_POSTPROCESS_COMMAND += "set_citadel_user_password; symlink_lib64; setup_var; append_os_release;" +ROOTFS_POSTPROCESS_COMMAND += "set_disable_root_password; symlink_lib64; setup_var; append_os_release;" IMAGE_INSTALL += "\ packagegroup-citadel-base \ @@ -18,7 +18,7 @@ require citadel-image.inc inherit citadel-image set_blank_user_password() { - sed -i 's%^citadel:!:%citadel::%' ${IMAGE_ROOTFS}/etc/shadow + sed -i 's%^citadel::%citadel:!:%' ${IMAGE_ROOTFS}/etc/shadow } set_citadel_user_password() { @@ -26,6 +26,10 @@ set_citadel_user_password() { sed -i 's%^citadel:!:%citadel:aadg8rGtZzOY6:%' ${IMAGE_ROOTFS}/etc/shadow } +set_disable_root_password() { + sed -i 's%^root::%root:!:%' ${IMAGE_ROOTFS}/etc/shadow +} + setup_var() { install -m 0755 -d ${IMAGE_ROOTFS}/usr/share/factory/var install -m 0755 -d ${IMAGE_ROOTFS}/usr/share/factory/home diff --git a/meta-citadel/recipes-citadel/packagegroups/packagegroup-citadel-base.bb b/meta-citadel/recipes-citadel/packagegroups/packagegroup-citadel-base.bb index 3e6c69e..1238729 100644 --- a/meta-citadel/recipes-citadel/packagegroups/packagegroup-citadel-base.bb +++ b/meta-citadel/recipes-citadel/packagegroups/packagegroup-citadel-base.bb @@ -70,10 +70,13 @@ RDEPENDS_${PN} = "\ e2fsprogs-resize2fs \ dosfstools \ libpam \ + libpam-pwdfile \ + mkpasswd \ wireguard-tools \ resolvconf \ udisks2 \ efivar \ efibootmgr \ iw \ + sudo \ " diff --git a/meta-citadel/recipes-support/libidn2/libidn2_2.0.5.bb b/meta-citadel/recipes-support/libidn2/libidn2_2.0.5.bb new file mode 100644 index 0000000..2d81a4e --- /dev/null +++ b/meta-citadel/recipes-support/libidn2/libidn2_2.0.5.bb @@ -0,0 +1,29 @@ +SUMMARY = "Internationalized Domain Name support library" +DESCRIPTION = "Implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names (IDN) working group." +HOMEPAGE = "http://www.gnu.org/software/libidn/" +SECTION = "libs" +LICENSE = "(GPLv2+ | LGPLv3) & GPLv3+" +LIC_FILES_CHKSUM = "file://COPYING;md5=ab90e75ef97cc6318ce4f2fbda62fe4d \ + file://COPYING.LESSERv3;md5=e6a600fd5e1d9cbde2d983680233ad02 \ + file://COPYINGv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://src/idn2.c;endline=16;md5=0283aec28e049f5bcaaeee52aa865874 \ + file://lib/idn2.h.in;endline=27;md5=c2cd28d3f87260f157f022eabb83714f" + +SRC_URI = "${GNU_MIRROR}/libidn/${BPN}-${PV}.tar.gz" + +SRC_URI[md5sum] = "eaf9a5b9d03b0cce3760f34b3124eb36" +SRC_URI[sha256sum] = "53f69170886f1fa6fa5b332439c7a77a7d22626a82ef17e2c1224858bb4ca2b8" + +DEPENDS = "virtual/libiconv libunistring" + +inherit pkgconfig autotools gettext texinfo gtk-doc lib_package + +EXTRA_OECONF += "--disable-rpath \ + --with-libunistring-prefix=${STAGING_EXECPREFIXDIR} \ + " + +LICENSE_${PN} = "(GPLv2+ | LGPLv3)" +LICENSE_${PN}-bin = "GPLv3+" + +BBCLASSEXTEND = "native nativesdk" + diff --git a/meta-citadel/recipes-support/libpam-pwdfile/libpam-pwdfile_1.0.bb b/meta-citadel/recipes-support/libpam-pwdfile/libpam-pwdfile_1.0.bb new file mode 100644 index 0000000..0fbccce --- /dev/null +++ b/meta-citadel/recipes-support/libpam-pwdfile/libpam-pwdfile_1.0.bb @@ -0,0 +1,24 @@ +SUMMARY = "PAM pwdfile library" +SECTION = "libs" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9" + +SRC_URI = "https://github.com/tiwe-de/libpam-pwdfile/archive/v${PV}.tar.gz" +SRC_URI[md5sum] = "1546a57bfe50800175f7cbc88ade4a15" +SRC_URI[sha256sum] = "5b8db1397cff9cadfd1bb96f53c134b787ab0e6a0fbedb71040541d340313ba2" + +S = "${WORKDIR}/libpam-pwdfile-${PV}" + +DEPENDS = "libpam libxcrypt" +inherit lib_package pkgconfig + +FILES_${PN} += "${libdir}/security/pam_pwdfile.so" + +do_compile_class() { + oe_runmake CC_FOR_BUILD="${BUILD_CC}" PAM_LIB_DIR=${libdir}/security +} + +do_install() { + oe_runmake install DESTDIR=${D} PAM_LIB_DIR=${libdir}/security +} diff --git a/meta-citadel/recipes-support/mkpasswd/mkpasswd_5.4.2.bb b/meta-citadel/recipes-support/mkpasswd/mkpasswd_5.4.2.bb new file mode 100644 index 0000000..5e5b2f4 --- /dev/null +++ b/meta-citadel/recipes-support/mkpasswd/mkpasswd_5.4.2.bb @@ -0,0 +1,19 @@ +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +SRC_URI = "http://ftp.debian.org/debian/pool/main/w/whois/whois_${PV}.tar.xz" +SRC_URI[md5sum] = "8bbf1105702b9a03445211f45bd53efe" +SRC_URI[sha256sum] = "eee33a3b3a56912fbf115a7dd24ed60314e2707a3ad6aa604ca2752c1ed01f57" +S = "${WORKDIR}/whois-${PV}" + +DEPENDS = "libxcrypt libidn2" +RDEPENDS_${PN} = "libxcrypt libidn2" +inherit pkgconfig gettext + +do_compile() { + oe_runmake CC_FOR_BUILD="${BUILD_CC}" BASEDIR=${D} +} + +do_install() { + oe_runmake install-mkpasswd DESTDIR=${D} BASEDIR=${D} +} diff --git a/meta-citadel/recipes-support/pam/files/pam.d/common-auth b/meta-citadel/recipes-support/pam/files/pam.d/common-auth new file mode 100644 index 0000000..ff89aef --- /dev/null +++ b/meta-citadel/recipes-support/pam/files/pam.d/common-auth @@ -0,0 +1,20 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. + +# here are the per-package modules (the "Primary" block) +# citadel pwdfile support +auth [success=2 authinfo_unavail=reset new_authtok_reqd=ok ignore=ignore default=bad] pam_pwdfile.so pwdfile=/storage/citadel-state/passwd +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) diff --git a/meta-citadel/recipes-support/pam/libpam_%.bbappend b/meta-citadel/recipes-support/pam/libpam_%.bbappend new file mode 100644 index 0000000..7592210 --- /dev/null +++ b/meta-citadel/recipes-support/pam/libpam_%.bbappend @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += "file://pam.d/common-auth"