Hi NXP team,
I try to create a custom layer to change su permission.
The folder structure as shown below.
meta-custom/
├── conf
│ └── layer.conf
├── recipes-core
│ └── change-su-permissions
│ ├── change-su-permissions.bb
│ └── files
The content of change-su-permissions.bb is as follows.
SUMMARY = "Change permissions for su command"
LICENSE = "CLOSED"
PR = "r0"
do_install() {
install -d ${D}${bindir}
install -m 4750 ${WORKDIR}/rootfs/bin/su.shadow ${D}/bin/su.shadow
}
FILES_${PN} = "${bindir}/su"
The content of layer.conf is as follows.
# We have a conf and classes directory, add to BBPATH
BBPATH := "${BBPATH}:${LAYERDIR}"
# We have recipes-* directories, add to BBFILES
BBFILES := "${BBFILES} ${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "change-su-permissions"
BBFILE_PATTERN_change-su-permissions := "^${LAYERDIR}/"
BBFILE_PRIORITY_change-su-permissions = "6"
The custom layer is also included in build/conf/bblayers.conf file.
LCONF_VERSION = "7"
BBPATH = "${TOPDIR}"
BSPDIR := "${@os.path.abspath(os.path.dirname(d.getVar('FILE', True)) + '/../..')}"
BBFILES ?= ""
BBLAYERS = " \
${BSPDIR}/sources/poky/meta \
${BSPDIR}/sources/poky/meta-poky \
\
${BSPDIR}/sources/meta-openembedded/meta-oe \
${BSPDIR}/sources/meta-openembedded/meta-multimedia \
\
${BSPDIR}/sources/meta-freescale \
${BSPDIR}/sources/meta-freescale-3rdparty \
${BSPDIR}/sources/meta-freescale-distro \
${BSPDIR}/sources/meta-example \
${BSPDIR}/sources/meta-adduser \
${BSPDIR}/sources/meta-custom \
"
# i.MX Yocto Project Release layers
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-bsp "
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-sdk "
BBLAYERS += " ${BSPDIR}/sources/meta-browser "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-gnome "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-networking "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-python "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-filesystems "
BBLAYERS += " ${BSPDIR}/sources/meta-qt5 "
Update build/conf/local.conf.
IMAGE_INSTALL_append = ' change-su-permissions'
Some errors occured while performing "bitbake core-image-base" to create image .
Please see the attached file "core-image-base_error_log.txt" for more details.
The log shows the path of su.shadow is not correct.
| DEBUG: Executing shell function do_install
| install: cannot stat '/home/west/yocto/build/tmp/work/cortexa7hf-neon-poky-linux-gnueabi/change-su-permissions/1.0-r0/rootfs/bin/su.shadow': No such file or directory
My su.shadow is in the directory "/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0/rootfs/bin".
I run the following command and find out the ${WORKDIR} variable.
$ bitbake -e core-image-base > build-env.txt
$ grep "^WORKDIR=" build-env.txt
WORKDIR="/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0"
Why the path in the error message is not match ${WORKDIR}/rootfs/bin/su.shadow in the change-su-permissions.bb?
How to solve this problem?
If the way of creating a custom layer can't change su permission, please help me how to achieve this requirement.
Thanks.
解決済! 解決策の投稿を見る。
I add the below snippet of code to do_install() in the path /source/poky/meta/recipes-extended/shadow/shadow.inc.
chmod 4750 ${D}${bindir}/su
No normal user can use “su” after the above modification.
I add the below snippet of code to do_install() in the path /source/poky/meta/recipes-extended/shadow/shadow.inc.
chmod 4750 ${D}${bindir}/su
No normal user can use “su” after the above modification.
I can try the below commands to deny normal user su to root.
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 21 18:47 /bin/su -> /bin/su.shadow
-rwsr-xr-x 1 root root 43628 May 6 2020 /bin/su.shadowroot@imx6ulevk:~# chmod 0750 /bin/su
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 20 15:43 su -> /bin/su.shadow
-rwxr-x--- 1 root root 43628 May 6 2020 su.shadowroot@imx6ulevk:~# su ap
ap@imx6ulevk:/bin$ su
-sh: su: Permission denied
I want to set the permission of su in the same way under core-image-base image instead of console mode.
Hello @Alejandro_Salas ,
Thanks for your reply.
There is no /etc/sudoers file in my i.MX6UL project.
I can't use sudo but only su.
How to set the permission of su?
Best regards,
Tammy
Hello,
You can look this post, there is explained how to add users and manage the privileges in a Yocto environment using layers.
Best regards,
--... ...--
Salas.