From 8dfaa0d4beef76ec33d27f8042376cd96395691c Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Mon, 17 Sep 2018 17:32:13 +0200
Subject: [PATCH] move everything configurable to /cfg and try selinux

---
 clonedisk.sh | 2 +-
 excludelist.txt | 2 -
 mkimage.sh | 9 ++--
 mkrelease.sh | 31 ++++++------
 pkglist.txt | 3 ++
 pre-pivot.sh | 31 +++++++-----
 prepare-root.sh | 128 +++++++++++++++++++++++++++++-------------------
 quirks/nss.sh | 74 +++++++++++++++-------------
 update.sh | 12 +++--
 9 files changed, 172 insertions(+), 120 deletions(-)

diff --git a/clonedisk.sh b/clonedisk.sh
index 7ba8575..9e5ea74 100755
--- a/clonedisk.sh
+++ b/clonedisk.sh
@@ -158,7 +158,7 @@ fi
 mkdir -p boot
 mount ${OUT}1 boot
 mkdir -p boot/EFI/FedoraBook
-cp /efi/EFI/FedoraBook/bootx64.efi boot/EFI/FedoraBook/1.efi
+cp /efi/EFI/FedoraBook/1.efi boot/EFI/FedoraBook/1.efi
 [[ -e /efi/Lockdown.efi ]] && cp /efi/Lockdown.efi boot
 [[ -e /efi/Shell.efi ]] && cp /efi/Lockdown.efi boot/EFI/Boot/bootx64.efi
diff --git a/excludelist.txt b/excludelist.txt
index f6381a3..c0cba5e 100644
--- a/excludelist.txt
+++ b/excludelist.txt
@@ -3,7 +3,5 @@ systemd-bootchart
 grubby
 grub*
 plymouth
-selinux-policy-targeted
-libselinux-utils
 httpd
 gnome-boxes
diff --git a/mkimage.sh b/mkimage.sh
index 73307d4..57e2a0a 100755
--- a/mkimage.sh
+++ b/mkimage.sh
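Review bot: The new `cp /efi/EFI/FedoraBook/1.efi boot/EFI/FedoraBook/1.efi` has no failure handling, so cloning from an ESP that still uses the old `bootx64.efi` layout silently produces a clone with no loader under `boot/EFI/FedoraBook` unless the script runs under `set -e`, which this hunk does not show; `cp … || exit 1` (or the script's error helper, if it has one) would make that explicit. The unchanged line directly below tests `/efi/Shell.efi` but copies `/efi/Lockdown.efi` to `boot/EFI/Boot/bootx64.efi`, the inverse of what mkimage.sh installs (Shell.efi as the default loader, LockDown.efi in the ESP root); that looks like a pre-existing mistake worth correcting while this block is touched.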
@@ -169,12 +169,13 @@ mkdir -p "$MY_TMPDIR"/boot/EFI/Boot
 mkdir -p "$MY_TMPDIR"/boot/EFI/FedoraBook
 if [[ $USE_EFISHELL ]]; then
- [[ -e "${SOURCE}"/startup.nsh ]] && cp "${SOURCE}"/startup.nsh "$MY_TMPDIR"/boot/
- [[ -e "${SOURCE}"/LockDown.efi ]] && cp "${SOURCE}"/LockDown.efi "$MY_TMPDIR"/boot/
- cp "${SOURCE}"/Shell.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
- cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/bootx64.efi
+ [[ -e "${SOURCE}"/efi/startup.nsh ]] && cp "${SOURCE}"/efi/startup.nsh "$MY_TMPDIR"/boot/
+ [[ -e "${SOURCE}"/efi/LockDown.efi ]] && cp "${SOURCE}"/efi/LockDown.efi "$MY_TMPDIR"/boot/
+ cp "${SOURCE}"/efi/Shell.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
+ cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi
 else
 cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
+ cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi
 fi
 umount "$MY_TMPDIR"/boot
diff --git a/mkrelease.sh b/mkrelease.sh
index 8412a6b..616e7c0 100755
--- a/mkrelease.sh
+++ b/mkrelease.sh
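Review bot: The new destination name `EFI/FedoraBook/1.efi` is a magic value that neither branch explains; from this hunk a reader cannot tell what consumes it (presumably `startup.nsh` in the EFI-shell case, since clonedisk.sh now copies it under the same name). A comment above `if [[ $USE_EFISHELL ]]; then` would fix that, e.g. `# The signed kernel image is always installed as EFI/FedoraBook/1.efi; with USE_EFISHELL the default loader is the shell and startup.nsh is expected to chain to it`. Inside the branch, `cp "${SOURCE}"/efi/Shell.efi …` is the only unguarded copy while its two neighbours are `[[ -e … ]] &&` guarded; either guard it the same way or fail loudly, but the mix reads as an oversight.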
@@ -66,21 +66,24 @@ JSON="$(realpath -e $1)"
 BASEDIR="${JSON%/*}"
 IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"
-(
- cd "$IMAGE"
- if ! [[ $NOSIGN ]]; then
- if ! [[ $DBKEY ]] || ! [[ $DBCRT ]]; then
- echo "Need --dbkey KEY --dbcrt CRT options"
- exit 1
- fi
- if ! sbverify --cert "$DBCRT" bootx64.efi &>/dev/null ; then
- sbsign --key "$DBKEY" --cert "$DBCRT" --output bootx64-signed.efi bootx64.efi
- mv bootx64-signed.efi bootx64.efi
- fi
+pushd "$IMAGE"
+if ! [[ $NOSIGN ]]; then
+ if ! [[ $DBKEY ]] || ! [[ $DBCRT ]]; then
+ echo "Need --dbkey KEY --dbcrt CRT options"
+ exit 1
 fi
- [[ -f sha512sum.txt ]] || sha512sum * > sha512sum.txt
- [[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
-)
+ for i in $(find . -type f -name '*.efi'); do
+ [[ -f "$i" ]] || continue
+ if ! sbverify --cert "$DBCRT" "$i" &>/dev/null ; then
+ sbsign --key "$DBKEY" --cert "$DBCRT" --output "${i}signed" "$i"
+ mv "${i}signed" "$i"
+ fi
+ done
+fi
+[[ -f sha512sum.txt ]] || sha512sum $(find . -type f) > sha512sum.txt
+[[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
+
+popd
 if ! [[ $NOTAR ]] && ! [[ -e "$IMAGE".tgz ]]; then
 tar cf - -C "${IMAGE%/*}" "${IMAGE##*/}" | pigz -c > "$IMAGE".tgz
diff --git a/pkglist.txt b/pkglist.txt
index 264e0e9..96a361f 100644
--- a/pkglist.txt
+++ b/pkglist.txt
@@ -48,6 +48,7 @@ gobject-introspection-devel
 gperf
 help2man
 iptables-devel
+iputils
 ipw2100-firmware
 ipw2200-firmware
 iscan-firmware
@@ -84,6 +85,8 @@ libseccomp-devel
 libselinux-devel
 libvirt-daemon-config-network
 libvirt-daemon-kvm
+libvirt-client
+libvirt-bash-completion
 libxkbcommon-devel
 libxslt
 linux-firmware
diff --git a/pre-pivot.sh b/pre-pivot.sh
index 8a64011..bb9c97f 100644
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@@ -21,7 +21,7 @@ get_disk() {
 udevadm settle
-BOOTDISK=$(get_disk $(bootdisk))
+BOOTDISK=$(get_disk $(bootdisk))
 [[ $BOOTDISK ]] || die "No boot disk found"
 unset FOUND
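Review bot: Both new `find` invocations are word-split — `for i in $(find . -type f -name '*.efi')` and `sha512sum $(find . -type f)` break on any path containing whitespace or glob characters, and the second also hashes files in directory-enumeration order, so two builds of the same tree can produce a differently ordered `sha512sum.txt`. The signing loop now covers every `*.efi` below the image directory, which after this commit (assuming `$OUTDIR` from prepare-root.sh is the directory mkrelease.sh signs) includes `efi/Shell.efi`, `efi/LockDown.efi` and any vendor loaders moved out of `boot/efi/EFI/fedora`; signing an interactive UEFI shell with the same DB key as the verity-bound kernel image makes that shell a trusted boot component on every machine that enrols the certificate, so the loop should exclude it or sign an explicit list. `pushd`/`popd` replace the subshell but print to stdout, and `popd` is skipped on the `exit 1` path; `pushd "$IMAGE" >/dev/null` at least keeps the release log clean. The rewrite below makes both traversals NUL-safe, sorts the checksum input for reproducibility, and keeps `sha512sum.txt` out of its own digest.
```shell
pushd "$IMAGE" >/dev/null
if ! [[ $NOSIGN ]]; then
  # … unchanged: --dbkey/--dbcrt option check …
  while IFS= read -r -d '' i; do
    if ! sbverify --cert "$DBCRT" "$i" &>/dev/null; then
      sbsign --key "$DBKEY" --cert "$DBCRT" --output "${i}signed" "$i"
      mv "${i}signed" "$i"
    fi
  done < <(find . -type f -name '*.efi' -print0)
fi
[[ -f sha512sum.txt ]] || find . -type f ! -name 'sha512sum.txt*' -print0 \
  | LC_ALL=C sort -z | xargs -0 sha512sum > sha512sum.txt
# … unchanged: gpg2 --detach-sign, popd …
```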
@@ -107,17 +107,24 @@ if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
 mkfs.xfs -f -L data "$datadev"
 fi
-mount -o discard $datadev /sysroot/data || die "Failed to mount $datadev"
+mount -o discard $datadev /sysroot/mnt || die "Failed to mount $datadev"
-[[ -d /sysroot/data/var ]] || mkdir /sysroot/data/var
-[[ -d /sysroot/data/home ]] || mkdir /sysroot/data/home
-
-mount -o bind /sysroot/data/var /sysroot/var
-mount -o bind /sysroot/data/home /sysroot/home
-
-for i in passwd shadow group gshadow subuid subgid; do
- [[ -f /sysroot/var/$i ]] && continue
- cp -a /sysroot/usr/share/factory/var/$i /sysroot/var/$i
+for i in var home cfg; do
+ if ! [[ -d /sysroot/mnt/$i ]]; then
+ mkdir /sysroot/mnt/$i
+ FIRST_TIME=1
+ fi
 done
-chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo
+mount -o bind /sysroot/mnt/var /sysroot/var
+mount -o bind /sysroot/mnt/home /sysroot/home
+mount -o bind /sysroot/mnt/cfg /sysroot/cfg
+umount -l /sysroot/mnt
+
+#for i in passwd shadow group gshadow subuid subgid; do
+# [[ -f /sysroot/cfg/$i ]] && continue
+# cp -a /sysroot/usr/share/factory/cfg/$i /sysroot/cfg/$i
+#done
+if [[ $FIRST_TIME ]]; then
+ chroot /sysroot bash -c '/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1; restorecon -R -v /cfg /var 2>&1'| vinfo
+fi
diff --git a/prepare-root.sh b/prepare-root.sh
index 8b916bc..769a119 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -220,6 +220,11 @@ dnf -v --nogpgcheck \
 jq \
 gnupg2 \
 veritysetup \
+ policycoreutils \
+ selinux-policy-targeted \
+ selinux-policy-devel \
+ libselinux-utils \
+ audit \
 $PKGLIST
 for i in passwd shadow group gshadow subuid subgid; do
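Review bot: First-boot detection in the new `for i in var home cfg` loop keys only on the existence of the three directories, so a data partition where `cfg` exists but is empty or incomplete (an interrupted first boot, a manual `rm` of one file) never re-runs the `systemd-tmpfiles`/`restorecon` step, and the per-file copy that used to fill in missing `passwd`/`shadow` entries is now commented out, leaving no fallback. `[[ -f /sysroot/cfg/passwd ]] || FIRST_TIME=1` after the loop would restore a per-file check cheaply. The chroot pipeline `… 2>&1'| vinfo` also discards the exit status of both commands, so a failed population of `/cfg` is logged but never acted on; testing `${PIPESTATUS[0]}` and calling `die`, as the `mount -o discard` line above does, would surface it. `$datadev` on that `mount` line is still unquoted.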
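Review bot: The package list adds `policycoreutils`, but the selinux section added later in this commit calls `chroot "$sysroot" semanage fcontext …`, and on current Fedora `semanage` is shipped by `policycoreutils-python-utils`, not by `policycoreutils`; unless `$PKGLIST` happens to pull that package in, the `semanage` calls fail with "command not found" and the `/cfg` equivalence is never recorded. Adding `policycoreutils-python-utils \` next to `policycoreutils \` makes the build self-contained. A one-line comment on why `selinux-policy-devel` and `audit` are needed in the image (build-time relabel versus runtime) would also help the next reader decide whether they can be dropped.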
@@ -241,6 +246,8 @@ for i in passwd shadow group gshadow subuid subgid; do
 chmod u+r "${BASEDIR}/${NAME}/$i"
 done
+# chroot "$sysroot" bash -i
+
 cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
 cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
 cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
@@ -267,7 +274,8 @@ chroot "$sysroot" \
 dracut -N --kver $KVER --force \
 --filesystems "squashfs vfat xfs" \
 --add-drivers "=drivers/char/tpm" \
- -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity" \
+ -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
+ -m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity selinux" \
 --install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
 --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
 --install "cryptsetup tail sort pwmake mktemp swapon" \
@@ -289,7 +297,7 @@ rm -fr "$sysroot"/overlay
 umount "$sysroot"/var/cache/dnf
-mkdir -p "$sysroot"/usr/share/factory/{var/etc,home}
+mkdir -p "$sysroot"/usr/share/factory/{var,cfg}
 chroot "$sysroot" update-ca-trust
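Review bot: The added `# chroot "$sysroot" bash -i` is a commented-out interactive debugging shell left in a root-building script; it drifts out of sync with the surrounding code and invites someone to uncomment it in an unattended build. If it is useful, gate it behind a variable, e.g. `[[ $DEBUG_SHELL ]] && chroot "$sysroot" bash -i`, otherwise drop it. The duplicated `cp "$CURDIR/update.sh" …` context line just below is pre-existing but easy to remove while here.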
@@ -319,21 +327,21 @@ ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/sy #--------------- # ssh if [[ -d "$sysroot"/etc/ssh ]]; then - mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/var/etc/ssh - ln -sfnr "$sysroot"/var/etc/ssh "$sysroot"/etc/ssh + mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/cfg/ssh + ln -sfnr "$sysroot"/cfg/ssh "$sysroot"/etc/ssh cat >> "$sysroot"/usr/lib/tmpfiles.d/ssh.conf <> "$sysroot"/usr/lib/tmpfiles.d/NetworkManager.conf <> "$sysroot"/usr/lib/tmpfiles.d/libvirt.conf <> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf -#--------------- -# hostname -ln -sfrn "$sysroot"/var/hostname "$sysroot"/etc/hostname -echo "FedoraBook" > "$sysroot"/usr/share/factory/var/hostname #--------------- # vconsole.conf -ln -fsnr "$sysroot"/var/vconsole.conf "$sysroot"/etc/vconsole.conf -echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/vconsole.conf +ln -fsnr "$sysroot"/cfg/vconsole.conf "$sysroot"/etc/vconsole.conf +echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/cfg/vconsole.conf #--------------- # locale.conf -ln -fsnr "$sysroot"/var/locale.conf "$sysroot"/etc/locale.conf -echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf +ln -fsnr "$sysroot"/cfg/locale.conf "$sysroot"/etc/locale.conf +echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/cfg/locale.conf #--------------- # localtime -mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime -ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime +mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/cfg/localtime +ln -fsnr "$sysroot"/cfg/localtime "$sysroot"/etc/localtime #--------------- # machine-id rm -f "$sysroot"/etc/machine-id -ln -fsnr "$sysroot"/var/machine-id "$sysroot"/etc/machine-id +ln -fsnr "$sysroot"/cfg/machine-id "$sysroot"/etc/machine-id #--------------- # adjtime -mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime -ln -fsnr "$sysroot"/var/adjtime 
"$sysroot"/etc/adjtime +mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/cfg/adjtime +ln -fsnr "$sysroot"/cfg/adjtime "$sysroot"/etc/adjtime -sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed -sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' \ +sed -i -e 's#/etc/locale.conf#/cfg/locale.conf#g;s#/etc/vconsole.conf#/cfg/vconsole.conf#g;s#/etc/X11/xorg.conf.d#/cfg/X11/xorg.conf.d#g' \ + "$sysroot"/usr/lib/systemd/systemd-localed + +sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g' \ "$sysroot"/usr/lib/systemd/systemd-timedated \ "$sysroot"/usr/lib/systemd/libsystemd-shared*.so \ "$sysroot"/lib*/libc.so.* -sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-localed.service -sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-timedated.service +sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \ + "$sysroot"/lib/systemd/system/systemd-localed.service \ + "$sysroot"/lib/systemd/system/systemd-timedated.service \ + "$sysroot"/lib/systemd/system/systemd-hostnamed.service cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <> "$sysroot"/usr/lib/tmpfiles.d/X11.conf < "$sysroot"/etc/sysctl.d/inotify.conf <"$sysroot"/etc/fstab < "$sysroot"/usr/share/gnome-initial-setup/vendor.conf + + +# ------------------------------------------------------------------------------ +# selinux +sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config +chroot "$sysroot" semanage fcontext -a -e /etc /cfg +chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/etc +chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var +chroot "$sysroot" fixfiles -v -F -f relabel || : +chroot "$sysroot" restorecon -v -R /usr/share/factory/ || : +rm -fr "$sysroot"/var/lib/selinux #--------------- # var rm -fr "$sysroot"/var/lib/rpm -rm -fr 
"$sysroot"/var/lib/selinux
 rm -fr "$sysroot"/var/log/dnf*
 rm -fr "$sysroot"/var/cache/*/*
 rm -fr "$sysroot"/var/tmp/*
@@ -461,7 +478,9 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i
 cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
 rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
-chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
+chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :'
+echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
+
 mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
 sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
@@ -470,6 +489,11 @@ sed -i -e "s#NAME=.*#NAME=$NAME#" "$sysroot"/etc/os-release
 mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/
 cp "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
+if [[ -d "$sysroot"/boot/efi/EFI/fedora ]]; then
+ mkdir -p "$MY_TMPDIR"/efi/EFI
+ mv "$sysroot"/boot/efi/EFI/fedora "$MY_TMPDIR"/efi/EFI
+fi
+
 rm -fr "$sysroot"/{boot,root}
 ln -sfnr "$sysroot"/var/root "$sysroot"/root
 mkdir "$sysroot"/efi
@@ -477,13 +501,12 @@ rm -fr "$sysroot"/var/*
 rm -fr "$sysroot"/home/*
 rm -f "$sysroot"/etc/yum.repos.d/*
 mkdir -p "$sysroot"/home
-rm -fr "$sysroot"/etc/selinux
-mkdir "$sysroot"/data
+mkdir -p "$sysroot"/cfg
+
 for i in "$sysroot"/{dev,sys,proc,run}; do
 [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
 done
-
 # ------------------------------------------------------------------------------
 # sysroot
 mksquashfs "$MY_TMPDIR"/sysroot "$MY_TMPDIR"/root.squashfs.img \
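Review bot: The selinux section declares `/usr/share/factory/etc` as an equivalent of `/etc`, but nothing in this commit creates that path; the factory copies go to `/usr/share/factory/cfg` (see `mkdir -p "$sysroot"/usr/share/factory/{var,cfg}` and the `mv … /usr/share/factory/cfg/…` lines for ssh, vconsole.conf, locale.conf, localtime, adjtime and, in quirks/nss.sh, passwd/shadow), so those files are relabelled with generic `/usr` contexts and only the first-boot `restorecon -R /cfg` in pre-pivot.sh corrects the copies. The line should read `chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/cfg`. `fixfiles … || :` and `restorecon … || :` swallow every relabel failure, including a missing `semanage` or an unloadable policy, so a mislabelled image still builds and, with `SELINUX=permissive`, the only symptom is denials in the audit log; at minimum log the non-zero status instead of discarding it. Part of this hunk's here-doc content was lost in extraction, so this note covers only the visible lines.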
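Review bot: Switching `>` to `>>` on the `var-quirk.conf` generator makes the file accumulate entries on every run of this section rather than being regenerated, and nothing visible here creates or truncates it first; if the only goal is to let the following `echo 'C /var/mail - - - - -' >>` line append, keep the generator at `>` and append after it. The new line also still iterates `$(find -H /var -xdev …)` unquoted, so a directory name containing whitespace yields two malformed `C` entries; `find … -print0 | while IFS= read -r -d '' i; do …; done` inside the `bash -c` string avoids that.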
@@ -504,7 +527,10 @@ IMAGE_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.img)
 # ------------------------------------------------------------------------------
 # make bootx64.efi
-echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt audit=0 selinux=0 verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
+echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt "\
+ "verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID " \
+ "verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
+
 echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
 objcopy \
 --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
@@ -525,9 +551,11 @@ mv "$MY_TMPDIR"/root-hash.txt \
 "$MY_TMPDIR"/initrd \
 "$OUTDIR"
+[[ -d "$MY_TMPDIR"/efi ]] && mv "$MY_TMPDIR"/efi "$OUTDIR"/efi
+
 for i in LockDown.efi Shell.efi startup.nsh; do
 [[ -e "${BASEDIR}"/$i ]] || continue
- cp "$i" "$OUTDIR"
+ cp "$i" "$OUTDIR"/efi
 done
 chown -R "$USER" "$OUTDIR"
diff --git a/quirks/nss.sh b/quirks/nss.sh
index 1b7458d..581ed56 100644
--- a/quirks/nss.sh
+++ b/quirks/nss.sh
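Review bot: The new three-argument `echo -n "… nobgrt "\ "verity.imagesize=…" "verity.hashoffset=…"` joins its arguments with a space while the first two strings already end in one, so `options.txt` now carries double spaces between parameters; the kernel tolerates that, but this text is embedded in the signed loader, so keep it byte-stable by building one string: `opts="lockdown=1 quiet rd.shell=0 video=efifb:nobgrt"`, `opts+=" verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID"`, `opts+=" verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root"; printf '%s' "$opts" > "$MY_TMPDIR"/options.txt`. Dropping `audit=0 selinux=0` moves the decision about SELinux and auditing from the signed command line to `/etc/selinux/config` on the verity-protected root, which is defensible but deserves a comment on the line, e.g. `# SELinux/audit mode is set by /etc/selinux/config (permissive for now), not pinned here`.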
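Review bot: `cp "$i" "$OUTDIR"/efi` only does the right thing when the preceding `[[ -d "$MY_TMPDIR"/efi ]] && mv …` actually created `$OUTDIR/efi`; when prepare-root found no `boot/efi/EFI/fedora`, that directory does not exist and each iteration copies over a single regular file named `efi`, so only the last of LockDown.efi/Shell.efi/startup.nsh survives and none of them land where mkimage.sh now looks (`"${SOURCE}"/efi/…`). The loop also tests `"${BASEDIR}"/$i` but copies `$i` relative to the current directory, a pre-existing mismatch that now matters more. `mkdir -p "$OUTDIR"/efi` before the loop and `cp "${BASEDIR}/$i" "$OUTDIR"/efi/` fix both.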
@@ -1,65 +1,73 @@
-chroot "$sysroot" bash -c 'useradd -M -G wheel admin'
+#!/usr/bin/bash -ex
 sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
 "$sysroot"/etc/nsswitch.conf
 mkdir -p "$sysroot"/usr/db
-sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
+sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib*/libnss_db-2*.so "$sysroot"/var/db/Makefile
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
-egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
+egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.adm
+egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.adm
 sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd
 sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
-sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
 chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
-mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
-mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
-chmod 0000 "$sysroot"/etc/gshadow
+mv "$sysroot"/etc/group.adm "$sysroot"/etc/group
+mv "$sysroot"/etc/gshadow.adm "$sysroot"/etc/gshadow
+chmod 0000 "$sysroot"/etc/gshadow "$sysroot"/etc/shadow
-chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
-chroot "$sysroot" bash -c 'passwd -e admin'
-
-mkdir -p "$sysroot"/usr/share/factory/var
-mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var/
+mkdir -p "$sysroot"/usr/share/factory/cfg
+mv "$sysroot"/etc/passwd \
+ "$sysroot"/etc/sub{u,g}id \
+ "$sysroot"/etc/shadow \
+ "$sysroot"/etc/group \
+ "$sysroot"/etc/gshadow \
+ "$sysroot"/usr/share/factory/cfg/
 rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
 sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
 for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
- ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
+ ln -sfnr "$sysroot"/cfg/"$i" "$sysroot"/etc/"$i"
 done
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
-sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
-sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
+sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/npasswd#/cfg/npasswd#g' \
+ "$sysroot"/usr/lib*/security/pam_unix.so
+
+sed -i -e 's#/etc/shadow#/cfg/shadow#g;s#/etc/nshadow#/cfg/nshadow#g' \
+ "$sysroot"/usr/lib*/security/pam_unix.so
+
+sed -i -e 's#/etc/.pwdXXXXXX#/cfg/.pwdXXXXXX#g' \
+ "$sysroot"/usr/lib*/security/pam_unix.so
+
+sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/shadow#/cfg/shadow#g;s#/etc/gshadow#/cfg/gshadow#g;s#/etc/group#/cfg/group#g;s#/etc/subuid#/cfg/subuid#g;s#/etc/subgid#/cfg/subgid#g' \
+ "$sysroot"/usr/sbin/user{add,mod,del} \
+ "$sysroot"/usr/sbin/group{add,mod,del} \
+ "$sysroot"/usr/bin/newgidmap \
+ "$sysroot"/usr/bin/newuidmap \
+ "$sysroot"/usr/sbin/newusers
+
+sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
 "$sysroot"/lib*/libc.so.* \
 "$sysroot"/usr/lib/systemd/libsystemd-shared*.so
 [[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
- && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
+ && sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
 "$sysroot"/usr/lib*/librpmostree-1.so.1
-mkdir -p "$sysroot"/usr/share/factory/home
-cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
-chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
-
 mkdir -p "$sysroot"/usr/share/factory/var/root
-cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/var/root
-chown -R +0.+0 "$sysroot"/usr/share/factory/var/root
+chown +0.+0 "$sysroot"/usr/share/factory/var/root
 cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <