Hi NXP team,
I am trying to create a custom layer to change the su permissions.
The folder structure is as shown below.
meta-custom/
├── conf
│   └── layer.conf
├── recipes-core
│   └── change-su-permissions
│       ├── change-su-permissions.bb
│       └── files
The content of change-su-permissions.bb is as follows.
SUMMARY = "Change permissions for su command"
LICENSE = "CLOSED"
PR = "r0"
do_install() {
    install -d ${D}${bindir}
    install -m 4750 ${WORKDIR}/rootfs/bin/su.shadow ${D}/bin/su.shadow
}
FILES_${PN} = "${bindir}/su"
The content of layer.conf is as follows.
# We have a conf and classes directory, add to BBPATH
BBPATH := "${BBPATH}:${LAYERDIR}"
# We have recipes-* directories, add to BBFILES
BBFILES := "${BBFILES} ${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "change-su-permissions"
BBFILE_PATTERN_change-su-permissions := "^${LAYERDIR}/"
BBFILE_PRIORITY_change-su-permissions = "6"
The custom layer is also included in build/conf/bblayers.conf file.
LCONF_VERSION = "7"
BBPATH = "${TOPDIR}"
BSPDIR := "${@os.path.abspath(os.path.dirname(d.getVar('FILE', True)) + '/../..')}"
BBFILES ?= ""
BBLAYERS = " \
${BSPDIR}/sources/poky/meta \
${BSPDIR}/sources/poky/meta-poky \
\
${BSPDIR}/sources/meta-openembedded/meta-oe \
${BSPDIR}/sources/meta-openembedded/meta-multimedia \
\
${BSPDIR}/sources/meta-freescale \
${BSPDIR}/sources/meta-freescale-3rdparty \
${BSPDIR}/sources/meta-freescale-distro \
${BSPDIR}/sources/meta-example \
${BSPDIR}/sources/meta-adduser \
${BSPDIR}/sources/meta-custom \
"
# i.MX Yocto Project Release layers
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-bsp "
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-sdk "
BBLAYERS += " ${BSPDIR}/sources/meta-browser "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-gnome "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-networking "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-python "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-filesystems "
BBLAYERS += " ${BSPDIR}/sources/meta-qt5 "
Update build/conf/local.conf.
IMAGE_INSTALL_append = ' change-su-permissions'
Some errors occurred while running "bitbake core-image-base" to create the image.
Please see the attached file "core-image-base_error_log.txt" for more details.
The log shows the path of su.shadow is not correct.
| DEBUG: Executing shell function do_install
| install: cannot stat '/home/west/yocto/build/tmp/work/cortexa7hf-neon-poky-linux-gnueabi/change-su-permissions/1.0-r0/rootfs/bin/su.shadow': No such file or directory
My su.shadow is in the directory "/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0/rootfs/bin".
I ran the following commands to find out the ${WORKDIR} variable.
$ bitbake -e core-image-base > build-env.txt
$ grep "^WORKDIR=" build-env.txt
WORKDIR="/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0"
Why does the path in the error message not match ${WORKDIR}/rootfs/bin/su.shadow in change-su-permissions.bb?
How can I solve this problem?
If creating a custom layer can't change the su permissions, please help me achieve this requirement.
Thanks.
Solved! Go to solution.
I added the snippet below to do_install() in /source/poky/meta/recipes-extended/shadow/shadow.inc.
chmod 4750 ${D}${bindir}/su
No normal user can use “su” after the above modification.
I can use the commands below to deny a normal user su to root.
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 21 18:47 /bin/su -> /bin/su.shadow
-rwsr-xr-x 1 root root 43628 May 6 2020 /bin/su.shadow
root@imx6ulevk:~# chmod 0750 /bin/su
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 20 15:43 su -> /bin/su.shadow
-rwxr-x--- 1 root root 43628 May 6 2020 su.shadow
root@imx6ulevk:~# su ap
ap@imx6ulevk:/bin$ su
-sh: su: Permission denied
I want to set the permission of su in the same way in the core-image-base image instead of in console mode.
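
An added example, not part of the posts above and not NXP or Yocto project code: the console session works because chmod follows the /bin/su symlink to /bin/su.shadow, but on an unpacked rootfs directory on the build host that absolute link has to be resolved inside the rootfs, not against the host's /bin. The function names are hypothetical, and GNU stat and a numeric mode are assumed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; GNU stat is assumed.

# resolve_in_rootfs ROOTFS PATH
# Print the regular file that PATH names inside ROOTFS. Absolute symlink
# targets are re-rooted under ROOTFS so the host's own /bin is never used.
resolve_in_rootfs() {
    root=${1%/}
    path=$2
    hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 8 ] || return 1                # symlink loop guard
        target=$(readlink "$root$path")
        case $target in
            *..*) return 1 ;;                        # conservative: never climb out of ROOTFS
            /*)   path=$target ;;                    # absolute: re-rooted under ROOTFS
            *)    path=$(dirname "$path")/$target ;; # relative to the link's directory
        esac
    done
    [ -f "$root$path" ] || return 1
    printf '%s\n' "$path"
}

# set_su_mode ROOTFS MODE
# chmod the real su binary inside ROOTFS, then confirm the mode took effect.
set_su_mode() {
    su_real=$(resolve_in_rootfs "$1" /bin/su) || return 1
    chmod "$2" "${1%/}$su_real" || return 1
    su_got=$(stat -c '%a' "${1%/}$su_real")
    # Compare as octal numbers so "0750" and "750" are treated as equal.
    [ "$((0$su_got))" -eq "$((0$2))" ]
}
```

Called as `set_su_mode /path/to/rootfs 0750`, it returns non-zero if su cannot be found inside that rootfs or the mode did not stick, so a build step using it fails instead of shipping the default permissions.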