From 00ce6692fd0287c15b7f6e5aa25fa66eb2221971 Mon Sep 17 00:00:00 2001
From: John Klug
Date: Fri, 21 Apr 2017 10:35:44 -0500
Subject: mtadm user, root password removed, sudo
---
 classes/mlinux-image.bbclass | 8 ++--
 recipes-core/images/mlinux-factory-image.bb | 2 +-
 recipes-core/images/mlinux-minimal-image.bb | 2 +
 recipes-core/initscripts/initscripts-1.0/umountfs | 11 ++++--
 recipes-core/useradd/useradd.bb | 47 +++++++++++++++++++++++
 5 files changed, 63 insertions(+), 7 deletions(-)
 create mode 100644 recipes-core/useradd/useradd.bb
diff --git a/classes/mlinux-image.bbclass b/classes/mlinux-image.bbclass
index 785160e..3c3bcaa 100644
--- a/classes/mlinux-image.bbclass
+++ b/classes/mlinux-image.bbclass
@@ -2,12 +2,14 @@
 # having file mod times of zero confuses cron
 IMAGE_CMD_jffs2 = "mkfs.jffs2 --root=${IMAGE_ROOTFS} --output=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.jffs2 ${EXTRA_IMAGECMD}"
-# set specified root password in image using ROOT_PASSWORD_HASH
+# set specified mtadm password in image using ROOT_PASSWORD_HASH
 mlinux_set_root_password () {
+ echo IMAGE_ROOTFS is ${IMAGE_ROOTFS} >/tmp/m_set_root_pwd.txt
+ ls ${IMAGE_ROOTFS} >/tmp/ls_pwd.txt
 if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
- sed -i 's%^root:[^:]*:%root:${ROOT_PASSWORD_HASH}:%' ${IMAGE_ROOTFS}/etc/shadow
+ sed -i 's%^mtadm:[^:]*:%mtadm:${ROOT_PASSWORD_HASH}:%' ${IMAGE_ROOTFS}/etc/shadow
 elif [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
- sed -i 's%^root:[^:]*:%root:${ROOT_PASSWORD_HASH}:%' ${IMAGE_ROOTFS}/etc/passwd
+ sed -i 's%^mtadm:[^:]*:%mtadm:${ROOT_PASSWORD_HASH}:%' ${IMAGE_ROOTFS}/etc/passwd
 fi
 }
 ROOTFS_POSTPROCESS_COMMAND += "mlinux_set_root_password;"
diff --git a/recipes-core/images/mlinux-factory-image.bb b/recipes-core/images/mlinux-factory-image.bb
index cc8401b..9e59bfb 100644
--- a/recipes-core/images/mlinux-factory-image.bb
+++ b/recipes-core/images/mlinux-factory-image.bb
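Review bot: The two redirects added at the top of `mlinux_set_root_password` (`>/tmp/m_set_root_pwd.txt`, `>/tmp/ls_pwd.txt`) write the rootfs path and a directory listing to fixed, predictable names in the build host's shared /tmp; they read as debugging leftovers, and a fixed name in a world-writable directory can be pre-created as a symlink by another user of the same build host, so drop them or use `bbnote "IMAGE_ROOTFS is ${IMAGE_ROOTFS}"` instead. The `sed` lines still substitute `${ROOT_PASSWORD_HASH}` unconditionally, so an unset variable leaves mtadm — an account useradd.bb places in the `sudo` group — with an empty password field, and a missing mtadm entry makes the substitution a silent no-op; guard with `[ -n "${ROOT_PASSWORD_HASH}" ] || bbfatal "ROOT_PASSWORD_HASH is not set"` and `grep -q '^mtadm:' ${IMAGE_ROOTFS}/etc/shadow || bbfatal "mtadm account missing from image"`. Nothing in this hunk locks root's own entry; if the commit's "root password removed" is meant to be enforced here rather than in distro configuration, add `sed -i 's%^root:[^:]*:%root:*:%' ${IMAGE_ROOTFS}/etc/shadow` alongside. The function name and the `ROOT_PASSWORD_HASH` variable now describe mtadm, so renaming them (or at least saying so in the header comment) would stop the next reader from assuming root is still being configured.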
@@ -70,7 +70,7 @@ IMAGE_INSTALL += "ruby"
 IMAGE_INSTALL += "ruby-serialport"
 # OpenJDK Java runtime
-IMAGE_INSTALL += "openjdk-8"
+# IMAGE_INSTALL += "openjdk-8"
 # OpenJDK with JamVM VM (Multi-Tech default)
 # IMAGE_INSTALL += "jamvm"
 # OpenJDK with CACAO VM (run with 'java -cacao')
diff --git a/recipes-core/images/mlinux-minimal-image.bb b/recipes-core/images/mlinux-minimal-image.bb
index 2f2d61b..1a92e8e 100644
--- a/recipes-core/images/mlinux-minimal-image.bb
+++ b/recipes-core/images/mlinux-minimal-image.bb
@@ -16,8 +16,10 @@ CORE_FEATURES = "packagegroup-core-boot packagegroup-distro-base \
 openssh-sftp-server \
 util-linux-mount util-linux-umount \
 start-stop-daemon \
+ sudo \
 ${CORE_IMAGE_EXTRA_INSTALL} \
 mlinux-feed-configs \
+ useradd \
 "
 NETWORKING_FEATURES = "ppp curl iproute2 \
diff --git a/recipes-core/initscripts/initscripts-1.0/umountfs b/recipes-core/initscripts/initscripts-1.0/umountfs
index 8c12ebe..bfd4d47 100644
--- a/recipes-core/initscripts/initscripts-1.0/umountfs
+++ b/recipes-core/initscripts/initscripts-1.0/umountfs
@@ -10,6 +10,7 @@
 ### END INIT INFO
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
+upgrade_fname="/var/volatile/do_flash_upgrade"
 umount_all() {
 echo "Deactivating swap..."
@@ -256,9 +257,13 @@ flash_upgrade() {
 }
 # do flash on reboot if do_flash_upgrade exists
-if [ -f /var/volatile/do_flash_upgrade ]; then
- flash_upgrade /var/volatile
- flash_upgrade /media/card
+# and is owned by root
+if [[ -f ${upgrade_fname} ]] ; then
+ owner=$(stat -c%u "${upgrade_fname}")
+ if ((${#owner} > 0)) && ((owner == 0)) ; then
+ flash_upgrade /var/volatile
+ flash_upgrade /media/card
+ fi
 fi
 umount_all
diff --git a/recipes-core/useradd/useradd.bb b/recipes-core/useradd/useradd.bb
new file mode 100644
index 0000000..0afa3b1
--- /dev/null
+++ b/recipes-core/useradd/useradd.bb
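Review bot: No sudoers policy accompanies the `sudo` package added to CORE_FEATURES, so whether mtadm's `sudo` group membership (set in useradd.bb) grants anything depends on the sudoers file the sudo recipe ships, which is not visible in this commit. If that default carries no `%sudo` rule, mtadm has no administrative path once root's password is gone; if someone later adds it as `NOPASSWD`, the account becomes an unauthenticated route to root. I would pin the policy explicitly with a sudo bbappend that installs `/etc/sudoers.d/mtadm` containing `%sudo ALL=(ALL:ALL) ALL` (password required) plus `Defaults use_pty` so a sudo-spawned command cannot hijack the invoking terminal. The recipe name `useradd` also reads like the `useradd` class it inherits; a name such as `mtadm-user` would be less ambiguous in this install list.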
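Review bot: The new uid-0 check gates only the trigger file, while the payload that `flash_upgrade /var/volatile` and `flash_upgrade /media/card` act on is not checked; if any local user can write to those locations they may still supply the image that gets flashed once a legitimate root-created trigger exists, so the same ownership test (or, better, a signature check on the image) should cover whatever `flash_upgrade` reads — its body lies outside this hunk, so I cannot confirm what that is. The check also relies on `[[ ]]` and `(( ))`, which are bash-specific; the interpreter line is outside the hunk, and if it is `#!/bin/sh` on a busybox/dash system the portable form is `if [ -f "${upgrade_fname}" ]; then`, `owner=$(stat -c%u "${upgrade_fname}" 2>/dev/null)`, `if [ "${owner}" = "0" ]; then`. Rejecting a trigger that is group- or world-writable (`stat -c '%u %a'`) would close the remaining case where a root-owned file has been made writable by someone else. The comment above the test should state the threat it addresses, e.g. `# only root may arm a flash; the trigger lives on a tmpfs others can write to`.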
@@ -0,0 +1,47 @@
+SUMMARY = "Add mtadm user"
+DESCRIPTION = "Add mtadm user for security purposes"
+SECTION = "mtadm"
+PR = "r1"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+S = "${WORKDIR}"
+
+inherit useradd
+
+# You must set USERADD_PACKAGES when you inherit useradd. This
+# lists which output packages will include the user/group
+# creation code.
+#USERADD_PACKAGES = "${PN} ${PN}-user3"
+USERADD_PACKAGES = "${PN}"
+
+# You must also set USERADD_PARAM and/or GROUPADD_PARAM when
+# you inherit useradd.
+
+# GROUPADD_PARAM works the same way, which you set to the options
+# you'd normally pass to the groupadd command. This will create
+# groups group1 and group2:
+GROUPADD_PARAM_${PN} = "-r -g 27 sudo"
+
+# USERADD_PARAM specifies command line options to pass to the
+# useradd command. Multiple users can be created by separating
+# the commands with a semicolon. Here we'll create two users,
+# user1 and user2:
+USERADD_PARAM_${PN} = "-u 50 -G sudo -m -r -s /bin/bash mtadm"
+
+do_install () {
+ # If the recipe doesn't have a file, the ipk
+ # is deleted, and it does nothing.
+ # Create a .ssh directory for mtadm.
+ install -d 0700 ${D}/home/mtadm/.ssh
+ chown mtadm:mtadm ${D}/home/mtadm
+ chown mtadm:mtadm ${D}/home/mtadm/.ssh
+}
+
+FILES_${PN} = "/home/mtadm/.ssh"
+
+# Prevents do_package failures with:
+# debugsources.list: No such file or directory:
+INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
+
-- 
cgit v1.2.3
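Review bot: `install -d 0700 ${D}/home/mtadm/.ssh` in `do_install` does not set a mode: without `-m`, `0700` is taken as a second directory operand, so the build creates a stray `${D}/0700` that no FILES entry ships and `.ssh` is left at the default 0755 instead of owner-only; the line should read `install -d -m 0700 ${D}/home/mtadm/.ssh`. The `chown mtadm:mtadm ${D}/home/mtadm` has no effect on the package because `FILES_${PN}` lists only `/home/mtadm/.ssh`; the home directory's ownership will presumably come from `useradd -m` at install time, so either add `/home/mtadm` to FILES or drop that chown. The comments around `GROUPADD_PARAM`/`USERADD_PARAM` read as copied example text and still describe group1/group2 and user1/user2, which this recipe never creates; replace them with the actual intent, e.g. `# sudo group with a fixed gid (27) so mtadm's membership is stable across images` and `# mtadm: fixed uid 50, system account with a home dir, sudo member, interactive shell`. `-s /bin/bash` also requires bash to be present in the image, which the minimal-image feature list in this commit does not show.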