move quirks/nss.sh to prepare-root.sh

remove old non-working quirks

only mount selinux when needed

don't install new selinux rules
Harald Hoyer 2018-09-21 12:02:43 +02:00
parent 28a4cd5054
commit 9ae10e7ad7
7 changed files with 141 additions and 265 deletions


@ -172,7 +172,6 @@ mkdir -p "$sysroot"/{dev,proc,sys,run}
mount -o bind /proc "$sysroot/proc" mount -o bind /proc "$sysroot/proc"
mount -o bind /run "$sysroot/run" mount -o bind /run "$sysroot/run"
mount -o bind /sys "$sysroot/sys" mount -o bind /sys "$sysroot/sys"
mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
mount -t devtmpfs devtmpfs "$sysroot/dev" mount -t devtmpfs devtmpfs "$sysroot/dev"
mkdir -p "$sysroot"/var/cache/dnf mkdir -p "$sysroot"/var/cache/dnf
@ -250,7 +249,18 @@ for i in passwd shadow group gshadow subuid subgid; do
chmod u+r "${BASEDIR}/${NAME}/$i" chmod u+r "${BASEDIR}/${NAME}/$i"
done done
# chroot "$sysroot" bash -i # ------------------------------------------------------------------------------
# selinux
#sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
mount -t selinuxfs none "$sysroot/sys/fs/selinux"
chroot "$sysroot" semanage fcontext --noreload -a -e /etc /cfg
cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp
chroot "$sysroot" bash -c '
cd /var/tmp
make -f /usr/share/selinux/devel/Makefile
semodule --noreload -i FedoraBook.pp
'
umount "$sysroot/sys/fs/selinux"
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
@ -311,12 +321,107 @@ if [[ -f "$sysroot"/usr/lib/udev/rules.d/60-tpm-udev.rules ]]; then
echo 'tss:!::' >> "$sysroot"/etc/gshadow echo 'tss:!::' >> "$sysroot"/etc/gshadow
fi fi
. "${BASEDIR}"/quirks/nss.sh #---------------
# quirks
for q in "${QUIRKS[@]}"; do for q in "${QUIRKS[@]}"; do
. "${BASEDIR}"/quirks/"$q".sh . "${BASEDIR}"/quirks/"$q".sh
done done
#---------------
# nss / passwd /shadow etc..
#chroot "$sysroot" bash -c 'echo -n admin | passwd --stdin root'
# rpcbind only accepts "files altfiles"
# altfiles has no shadow/gshadow support, therefore we need db
sed -i -e 's#^\(passwd:.*\) files#\1 files altfiles db#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
"$sysroot"/etc/nsswitch.conf
mkdir -p "$sysroot"/usr/db
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib*/libnss_db-2*.so "$sysroot"/var/db/Makefile
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.adm
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.adm
chmod --reference="$sysroot"/etc/group "$sysroot"/etc/group.adm
chmod --reference="$sysroot"/etc/gshadow "$sysroot"/etc/gshadow.adm
sed -i -e 's#:/root:#:/var/roothome:#g' "$sysroot"/etc/passwd
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c '
make -C \
/var/db \
/usr/db/passwd.db \
/usr/db/shadow.db \
/usr/db/gshadow.db \
/usr/db/group.db \
&& mv /etc/{passwd,shadow,group,gshadow} /lib \
&& >/etc/passwd \
&& > /etc/shadow \
&& >/etc/group \
&& >/etc/gshadow
'
mv "$sysroot"/etc/group.adm "$sysroot"/etc/group
mv "$sysroot"/etc/gshadow.adm "$sysroot"/etc/gshadow
chmod --reference="$sysroot"/lib/shadow "$sysroot"/etc/shadow
chmod --reference="$sysroot"/lib/passwd "$sysroot"/etc/passwd
mkdir -p "$sysroot"/usr/share/factory/cfg
mv "$sysroot"/etc/passwd \
"$sysroot"/etc/sub{u,g}id \
"$sysroot"/etc/shadow \
"$sysroot"/etc/group \
"$sysroot"/etc/gshadow \
"$sysroot"/usr/share/factory/cfg/
rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
ln -sfnr "$sysroot"/cfg/"$i" "$sysroot"/etc/"$i"
done
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/npasswd#/cfg/npasswd#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/shadow#/cfg/shadow#g;s#/etc/nshadow#/cfg/nshadow#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/cfg/.pwdXXXXXX#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/shadow#/cfg/shadow#g;s#/etc/gshadow#/cfg/gshadow#g;s#/etc/group#/cfg/group#g;s#/etc/subuid#/cfg/subuid#g;s#/etc/subgid#/cfg/subgid#g' \
"$sysroot"/usr/sbin/user{add,mod,del} \
"$sysroot"/usr/sbin/group{add,mod,del} \
"$sysroot"/usr/bin/newgidmap \
"$sysroot"/usr/bin/newuidmap \
"$sysroot"/usr/sbin/newusers
sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
"$sysroot"/lib*/libc.so.* \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
&& sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
"$sysroot"/usr/lib*/librpmostree-1.so.1
mkdir -p "$sysroot"/usr/share/factory/var/roothome
chown +0.+0 "$sysroot"/usr/share/factory/var/roothome
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /var/roothome - - - - -
C /cfg/passwd - - - - -
C /cfg/shadow - - - - -
C /cfg/group - - - - -
C /cfg/gshadow - - - - -
C /cfg/subuid - - - - -
C /cfg/subgid - - - - -
EOF
#--------------- #---------------
# timesync # timesync
ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
@ -424,11 +529,10 @@ EOF
#--------------- #---------------
# X11 # X11
if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then
mkdir -p "$sysroot"/usr/share/factory/cfg mkdir -p "$sysroot"/usr/share/factory/cfg/X11/xorg.conf.d
mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/cfg/X11 ln -fsnr "$sysroot"/cfg/X11/xorg.conf.d/00-keyboard.conf "$sysroot"/etc/X11/xorg.conf.d/00-keyboard.conf
ln -fsnr "$sysroot"/cfg/X11 "$sysroot"/etc/X11
cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF
C /cfg/X11 - - - - - C /cfg/X11/xorg.conf.d - - - - -
EOF EOF
fi fi
@ -450,7 +554,7 @@ ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-udev-settle-dri.service \
if [[ -d "$sysroot"/usr/share/flatpak ]]; then if [[ -d "$sysroot"/usr/share/flatpak ]]; then
mkdir -p "$sysroot"/usr/share/factory/var/lib/ mkdir -p "$sysroot"/usr/share/factory/var/lib/
curl https://flathub.org/repo/flathub.flatpakrepo -o "$sysroot"/usr/share/flatpak/flathub.flatpakrepo curl https://flathub.org/repo/flathub.flatpakrepo -o "$sysroot"/usr/share/flatpak/flathub.flatpakrepo
chroot "$sysroot" bash -c '/usr/bin/flatpak remote-add --if-not-exists flathub /usr/share/flatpak/flathub.flatpakrepo' chroot "$sysroot" /usr/bin/flatpak remote-add --if-not-exists flathub /usr/share/flatpak/flathub.flatpakrepo
fi fi
#--------------- #---------------
@ -483,16 +587,15 @@ rm -fr "$sysroot"/etc/systemd/system/network-online.target.wants
# rsyslog link # rsyslog link
rm -fr "$sysroot"/etc/systemd/system/syslog.service rm -fr "$sysroot"/etc/systemd/system/syslog.service
# ------------------------------------------------------------------------------ #---------------
# selinux # nested kvm
#sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config if [[ -f "$sysroot"/etc/modprobe.d/kvm.conf ]]; then
chroot "$sysroot" semanage fcontext -a -e /etc /cfg sed -i -e 's/#options/options/g' "$sysroot"/etc/modprobe.d/kvm.conf
cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp fi
chroot "$sysroot" bash -c "cd /var/tmp; make -f /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp"
rm -fr "$sysroot"/var/lib/selinux
#--------------- #---------------
# var # var
rm -fr "$sysroot"/var/lib/selinux
rm -fr "$sysroot"//usr/lib/fontconfig/cache rm -fr "$sysroot"//usr/lib/fontconfig/cache
rm -fr "$sysroot"/var/lib/rpm rm -fr "$sysroot"/var/lib/rpm
rm -fr "$sysroot"/var/lib/sepolgen rm -fr "$sysroot"/var/lib/sepolgen
@ -502,11 +605,23 @@ rm -fr "$sysroot"/var/log/dnf*
rm -fr "$sysroot"/var/cache/*/* rm -fr "$sysroot"/var/cache/*/*
rm -fr "$sysroot"/var/tmp/* rm -fr "$sysroot"/var/tmp/*
mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i " -r -q /lib/tmpfiles.d && ! grep " $i " -q /lib/tmpfiles.d-var.conf && rm -vfr --one-file-system "$i" ; done; :' chroot "$sysroot" bash -c '
for i in $(find -H /var -xdev -type d); do
grep " $i " -r -q /lib/tmpfiles.d && \
! grep " $i " -q /lib/tmpfiles.d-var.conf \
&& rm -vfr --one-file-system "$i"
done
:
'
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/ cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
rm -f "$sysroot"/usr/share/factory/var/{run,lock} rm -f "$sysroot"/usr/share/factory/var/{run,lock}
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :' chroot "$sysroot" bash -c '
for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do
echo "C $i - - - - -"
done >> /usr/lib/tmpfiles.d/var-quirk.conf
:
'
echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
@ -528,12 +643,16 @@ rm -fr "$sysroot"/var
rm -fr "$sysroot"/home rm -fr "$sysroot"/home
rm -f "$sysroot"/etc/yum.repos.d/* rm -f "$sysroot"/etc/yum.repos.d/*
mkdir -p "$sysroot"/{var,home,cfg,net,efi} mkdir -p "$sysroot"/{var,home,cfg,net,efi}
ln -sfnr "$sysroot"/run "$sysroot"/var/run
ln -sfnr "$sysroot"/run/lock "$sysroot"/var/lock
chroot "$sysroot" restorecon -m -v -F -R /usr /etc /var # ------------------------------------------------------------------------------
chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /net /root # SELinux relabel all the files
mount -t selinuxfs none "$sysroot/sys/fs/selinux"
chroot "$sysroot" restorecon -m -v -F -R /usr /etc
chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /var /net /root
umount "$sysroot/sys/fs/selinux"
# ------------------------------------------------------------------------------
# umount everything
for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i" [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
done done
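Review bot: The selinuxfs mounted with `mount -t selinuxfs none "$sysroot/sys/fs/selinux"` ahead of the `semanage`/`make`/`semodule` chroot calls is released only by the unconditional `umount` that follows them, so if one of those commands fails and the script exits on error (its shebang/`set` line is outside this section) the mount stays behind under the image root, and the unmount loop at the end of the file never runs; the relabel block near the end (`mount -t selinuxfs` … `restorecon` … `umount`) has the same shape. A guard bound to exit would cover both, e.g. `trap 'mountpoint -q "$sysroot/sys/fs/selinux" && umount "$sysroot/sys/fs/selinux"' EXIT` set once after the first mount, or `|| { umount "$sysroot/sys/fs/selinux"; exit 1; }` appended to each chroot call. Since the policy tools now run with a live selinuxfs visible inside the chroot, a comment such as `# --noreload: change only the image's policy store, never load it into the running host kernel` next to the `semanage --noreload` and `semodule --noreload` lines would record why that flag must not be dropped.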


@ -1,50 +0,0 @@
sed -i -e 's#^\(passwd:.*\) files#\1 altfiles files#g;s#^\(shadow:.*\) files#\1 altfiles files#g;s#^\(group:.*\) files#\1 altfiles files#g' \
"$sysroot"/etc/nsswitch.conf
chroot "$sysroot" bash -c 'useradd -G wheel admin'
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c 'mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
chroot "$sysroot" bash -c 'passwd -e admin'
mkdir -p "$sysroot"/usr/share/factory/var
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
done
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
"$sysroot"/lib*/libc.so.* \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$sysroot"/usr/lib*/librpmostree-1.so.1
mkdir -p "$sysroot"/usr/share/factory/home
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /home/admin - - - - -
C /var/passwd - - - - -
C /var/shadow - - - - -
C /var/group - - - - -
C /var/gshadow - - - - -
C /var/subuid - - - - -
C /var/subgid - - - - -
C /var/etc - - - - -
EOF


@ -1,82 +0,0 @@
#!/usr/bin/bash -ex
#chroot "$sysroot" bash -c 'echo -n admin | passwd --stdin root'
# rpcbind only accepts "files altfiles"
# altfiles has no shadow/gshadow support, therefore we need db
sed -i -e 's#^\(passwd:.*\) files#\1 files altfiles db#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
"$sysroot"/etc/nsswitch.conf
mkdir -p "$sysroot"/usr/db
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib*/libnss_db-2*.so "$sysroot"/var/db/Makefile
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.adm
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.adm
chmod --reference="$sysroot"/etc/group "$sysroot"/etc/group.adm
chmod --reference="$sysroot"/etc/gshadow "$sysroot"/etc/gshadow.adm
sed -i -e 's#:/root:#:/var/roothome:#g' "$sysroot"/etc/passwd
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
mv "$sysroot"/etc/group.adm "$sysroot"/etc/group
mv "$sysroot"/etc/gshadow.adm "$sysroot"/etc/gshadow
chmod --reference="$sysroot"/lib/shadow "$sysroot"/etc/shadow
chmod --reference="$sysroot"/lib/passwd "$sysroot"/etc/passwd
mkdir -p "$sysroot"/usr/share/factory/cfg
mv "$sysroot"/etc/passwd \
"$sysroot"/etc/sub{u,g}id \
"$sysroot"/etc/shadow \
"$sysroot"/etc/group \
"$sysroot"/etc/gshadow \
"$sysroot"/usr/share/factory/cfg/
rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
ln -sfnr "$sysroot"/cfg/"$i" "$sysroot"/etc/"$i"
done
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/npasswd#/cfg/npasswd#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/shadow#/cfg/shadow#g;s#/etc/nshadow#/cfg/nshadow#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/cfg/.pwdXXXXXX#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/shadow#/cfg/shadow#g;s#/etc/gshadow#/cfg/gshadow#g;s#/etc/group#/cfg/group#g;s#/etc/subuid#/cfg/subuid#g;s#/etc/subgid#/cfg/subgid#g' \
"$sysroot"/usr/sbin/user{add,mod,del} \
"$sysroot"/usr/sbin/group{add,mod,del} \
"$sysroot"/usr/bin/newgidmap \
"$sysroot"/usr/bin/newuidmap \
"$sysroot"/usr/sbin/newusers
sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
"$sysroot"/lib*/libc.so.* \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
&& sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
"$sysroot"/usr/lib*/librpmostree-1.so.1
mkdir -p "$sysroot"/usr/share/factory/var/roothome
chown +0.+0 "$sysroot"/usr/share/factory/var/roothome
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /var/roothome - - - - -
C /cfg/passwd - - - - -
C /cfg/shadow - - - - -
C /cfg/group - - - - -
C /cfg/gshadow - - - - -
C /cfg/subuid - - - - -
C /cfg/subgid - - - - -
EOF


@ -1,52 +0,0 @@
sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
"$sysroot"/etc/nsswitch.conf
mkdir -p "$sysroot"/usr/db
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
chroot "$sysroot" bash -c 'useradd -G wheel admin'
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
chroot "$sysroot" bash -c 'passwd -e admin'
mkdir -p "$sysroot"/usr/share/factory/var
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
done
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
"$sysroot"/lib*/libc.so.* \
"$sysroot"/usr/lib*/librpmostree-1.so.1 \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
mkdir -p "$sysroot"/usr/share/factory/home
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /home/admin - - - - -
C /var/passwd - - - - -
C /var/shadow - - - - -
C /var/group - - - - -
C /var/gshadow - - - - -
C /var/subuid - - - - -
C /var/subgid - - - - -
C /var/etc - - - - -
EOF


@ -1,31 +0,0 @@
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
#chroot "$sysroot" bash -c 'passwd -e admin'
mkdir -p "$sysroot"/usr/share/factory/var
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
done
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
mkdir -p "$sysroot"/usr/share/factory/home
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /home/admin - - - - -
C /var/passwd - - - - -
C /var/shadow - - - - -
C /var/group - - - - -
C /var/gshadow - - - - -
C /var/subuid - - - - -
C /var/subgid - - - - -
C /var/etc - - - - -
EOF


@ -1,24 +0,0 @@
#---------------
# admin user
cat > "$sysroot"/etc/sssd/sssd.conf <<EOF
[sssd]
domains=local
config_file_version=2
services=nss,pam
[domain/local]
id_provider=local
EOF
chmod 0600 "$sysroot"/etc/sssd/sssd.conf
chroot "$sysroot"
chroot "$sysroot" bash -c 'authselect select sssd with-sudo with-fingerprint with-mkhomedir -f ; sssd -i & sleep 2; sss_useradd admin ; echo -n admin | passwd --stdin admin; echo -n root | passwd --stdin root; usermod -a -G wheel admin; kill %1; wait; :'
systemctl --root="$sysroot" enable sssd.service oddjobd.service
mkdir -p "$sysroot"/usr/share/factory/var/lib
mv "$sysroot"/var/lib/sss "$sysroot"/usr/share/factory/var/lib/
cat >> "$sysroot"/usr/lib/tmpfiles.d/sssd.conf <<EOF
C /var/lib/sss - - - - -
d /var/log/sssd 0750 root root - -
EOF


@ -1,4 +0,0 @@
#!/bin/bash
mkdir -p "$sysroot"/etc/udev/rules.d
cp "$CURDIR/69-yubikey.rules" "$sysroot"/etc/udev/rules.d