mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-06-17 11:10:23 +00:00
sysusers.d/tmpfiles.d config files allow a package to use declarative configuration instead of manually written maintainer scripts. This also allows image-based systems to be created with /usr/ only, and also allows for factory resetting a system and recreating /etc/ on boot.

https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html

Tests:

- /var/lib/plinth and /var/lib/plinth/sessions/ are created on package install. Ownership is plinth:plinth. 0755 is permissions.
- /var/lib/plinth/firstboot-wizard-secret file is created on package install. Ownership is plinth:plinth. 0400 is permissions. During first wizard, providing the secret works.
- /var/lib/plinth/backups-data is owned by root:root.
- When upgrading from old package to new the permissions don't change.
- When reinstalling the new package, the permissions do not change.
- User is created same as before.
  plinth:x:987:987:FreedomBox service:/var/lib/plinth:/usr/sbin/nologin
- Group is created same as before.
  plinth:x:987:
- id plinth
  uid=987(plinth) gid=987(plinth) groups=987(plinth)
- Upgrading from old package to new does not change user and group records.
- Reinstalling new version does not change user and group records.

[sunil: Don't recursively change ownership for /var/lib/plinth/]
[sunil: Change ownership specifically for /var/lib/plinth/firstboot-wizard-secret]

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
29 lines
970 B
Bash
Executable File
#!/bin/sh

set -e

# Source debconf library.
. /usr/share/debconf/confmodule

# Due to a change in sudo, it now runs PAM modules even on password-less
# invocations. This leads to plinth not being able to run with root privileges.
# This is because of our own restrictions in /etc/security/access.conf. Since
# Plinth is locked out after upgrade, we need to do this in postinst.
sed -i 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL+' /etc/security/access.conf

case "$1" in
    configure)
        if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]; then
            # umask 377 makes a newly created secret file mode 0400.
            umask 377
            base64 < /dev/urandom | head -c 16 | sed -e 's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret
            # Quote the substitution so the secret is passed as a single word.
            db_subst plinth/firstboot_wizard_secret secret "$(cat /var/lib/plinth/firstboot-wizard-secret)"
            db_input high plinth/firstboot_wizard_secret || true
            db_go
        fi
        ;;
esac

#DEBHELPER#

exit 0
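
The `umask 377` step in the script above sets the mode only when the redirect creates the file; a file that already exists keeps whatever mode it had. The following added example (not FreedomBox code; the function names are hypothetical and it works only inside a temporary directory) shows that case next to a variant that sets the mode explicitly and renames the file into place.

```sh
#!/bin/sh
# Added example, not FreedomBox code. Function names are hypothetical and all
# files live in a throwaway temp directory (constructed input).

# 12 random bytes encode to exactly 16 base64 characters plus a newline.
gen_secret() { head -c 12 /dev/urandom | base64; }

# GNU stat: print the permission bits in octal, e.g. 400.
file_mode() { stat -c '%a' "$1"; }

# Same approach as the postinst: rely on the umask when the file is created.
# If "$1" already exists, the redirect truncates it and keeps its old mode.
write_secret_umask() {
    ( umask 377; gen_secret > "$1" )
}

# Hardened variant: write to a fresh temp file in the same directory, set the
# mode explicitly, then rename over the target so no lax mode can survive.
write_secret_atomic() {
    tmp=$(mktemp "$(dirname "$1")/.secret.XXXXXX") || return 1  # created 0600
    gen_secret > "$tmp" && chmod 0400 "$tmp" && mv -f "$tmp" "$1" \
        || { rm -f "$tmp"; return 1; }
}

# Demo: a stale secret file with a lax mode (constructed scenario).
demo=$(mktemp -d)
: > "$demo/secret"
chmod 0644 "$demo/secret"
write_secret_umask "$demo/secret"
echo "umask only, existing file: $(file_mode "$demo/secret")"
write_secret_atomic "$demo/secret"
echo "temp file + chmod + mv:    $(file_mode "$demo/secret")"
rm -rf "$demo"
```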