From 54305a4169eb91b7a15774625bd00a1068f7ffa9ca358b84e2d5b6486be3c988 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 20 Mar 2020 11:31:21 +0000
Subject: [PATCH] Accepting request 786819 from home:favogt:nobash

- Clean up sysusers2shadow and make it use only /bin/sh
- Don't let busybox adduser create the home directory, it breaks
  permissions of e.g. /sbin (home of daemon)
- Use only /bin/sh in sysusers-generate-pre and the generated code

OBS-URL: https://build.opensuse.org/request/show/786819
OBS-URL: https://build.opensuse.org/package/show/Base:System/sysuser-tools?expand=0&rev=23
---
 sysuser-tools.changes |   8 +++
 sysusers-generate-pre |   8 +--
 sysusers2shadow.sh    | 157 +++++++++++++++++++-----------------------
 3 files changed, 84 insertions(+), 89 deletions(-)

diff --git a/sysuser-tools.changes b/sysuser-tools.changes
index 5435114..2c65dd1 100644
--- a/sysuser-tools.changes
+++ b/sysuser-tools.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Mar 20 10:08:43 UTC 2020 - Fabian Vogt <fvogt@suse.com>
+
+- Clean up sysusers2shadow and make it use only /bin/sh
+- Don't let busybox adduser create the home directory, it breaks
+  permissions of e.g. /sbin (home of daemon)
+- Use only /bin/sh in sysusers-generate-pre and the generated code
+
 -------------------------------------------------------------------
 Tue Mar 17 10:12:15 UTC 2020 - Fabian Vogt <fvogt@suse.com>
 
diff --git a/sysusers-generate-pre b/sysusers-generate-pre
index ff32446..3a37819 100644
--- a/sysusers-generate-pre
+++ b/sysusers-generate-pre
@@ -1,8 +1,8 @@
-#!/bin/bash
-# pass systemd sysusers config files a as argument to this script.
+#!/bin/sh
+# pass systemd sysusers config paths as argument to this script.
 
-echo '#!/bin/bash'
+echo '#!/bin/sh'
 echo 'cat <<"EOF" |'
 grep -he '^[ugmr]' "$@"
 echo 'EOF'
-echo '/usr/sbin/sysusers2shadow || [[ -f /.buildenv ]]'
\ No newline at end of file
+echo '/usr/sbin/sysusers2shadow || [ -f /.buildenv ]'
diff --git a/sysusers2shadow.sh b/sysusers2shadow.sh
index f51297e..cc25eff 100644
--- a/sysusers2shadow.sh
+++ b/sysusers2shadow.sh
@@ -1,96 +1,83 @@
-#!/bin/bash
+#!/bin/sh
+set -eu
 
-while read LINE
+# Print the command and run it
+run() {
+	echo "$@"
+	"$@"
+}
+
+# Absolute path to busybox, if found
+busybox=
+for i in /bin/busybox /usr/bin/busybox; do [ -x "$i" ] && busybox=$i; done
+
+while read arg0 arg1 arg2 arg3 arg4
 do
-    case "$LINE" in
-	\#*|"")
-	    ;;
-	g*)
-            eval arr=( $LINE )
-            ARGUMENTS="${arr[1]}"
-            if [ ! -z "${arr[2]}" -a "${arr[2]}" != "-" ]; then
-                ARGUMENTS="-g ${arr[2]} $ARGUMENTS"
-	    fi
-	    if [ -x /usr/sbin/groupadd ]; then
-		echo "groupadd -r $ARGUMENTS"
-		/usr/bin/getent group "${arr[1]}" >> /dev/null || /usr/sbin/groupadd -r $ARGUMENTS || exit $?
-	    elif [ -x /usr/bin/busybox ]; then
-		echo "addgroup -S $ARGUMENTS"
-		/usr/bin/getent group "${arr[1]}" >> /dev/null || /usr/bin/busybox addgroup -S $ARGUMENTS || exit $?
-	    elif [ -x /bin/busybox ]; then
-		echo "addgroup -S $ARGUMENTS"
-		/usr/bin/getent group "${arr[1]}" >> /dev/null || /bin/busybox addgroup -S $ARGUMENTS || exit $?
-	    else
-		echo "ERROR: neither groupadd nor busybox found!"
-		exit 1
-	    fi
-	    ;;
-	u*)
-            eval arr=( $LINE )
-	    ARGUMENTS="${arr[1]}"
-	    if [ ! -z "${arr[2]}" -a "${arr[2]}" != "-" ]; then
-		ARGUMENTS="-u ${arr[2]} $ARGUMENTS"
-	    fi
-	    if [ ! -z "${arr[4]}" -a "${arr[4]}" != "-" ]; then
-		ARGUMENTS="-d ${arr[4]} $ARGUMENTS"
-	    else
-		ARGUMENTS="-d / $ARGUMENTS"
-	    fi
-	    if [ -x /usr/sbin/useradd ]; then
-		# this is useradd/shadow specific
-		/usr/bin/getent group ${arr[1]} >> /dev/null
-		if [ $? -eq 0 ]; then
-              	    ARGUMENTS="-g ${arr[1]} $ARGUMENTS"
+	case "$arg0" in
+	g)
+		ARGUMENTS="${arg1}"
+		if [ -n "${arg2}" -a "${arg2}" != "-" ]; then
+			ARGUMENTS="-g ${arg2} $ARGUMENTS"
+		fi
+
+		if ! /usr/bin/getent group "${arg1}" >> /dev/null; then
+			if [ -x "/usr/sbin/groupadd" ]; then
+				run /usr/sbin/groupadd -r $ARGUMENTS
+			elif [ -x "$busybox" ]; then
+				run $busybox addgroup -S $ARGUMENTS
+			else
+				echo "ERROR: neither groupadd nor busybox found!"
+				exit 1
+			fi
+		fi
+		;;
+	u)
+		ARGUMENTS="${arg1}"
+		if [ -n "${arg2}" ] && [ "${arg2}" != "-" ]; then
+			ARGUMENTS="-u ${arg2} $ARGUMENTS"
+		fi
+		if [ -n "${arg4}" ] && [ "${arg4}" != "-" ]; then
+			ARGUMENTS="-d ${arg4} $ARGUMENTS"
 		else
-		    ARGUMENTS="-U $ARGUMENTS"
+			ARGUMENTS="-d / $ARGUMENTS"
 		fi
-		echo "useradd -r -s /sbin/nologin -c \"${arr[3]}\" $ARGUMENTS"
-		/usr/bin/getent passwd ${arr[1]} >> /dev/null || /usr/sbin/useradd -r -s /sbin/nologin -c "${arr[3]}" $ARGUMENTS || exit $?
-	    elif [ -x /usr/bin/busybox ]; then
-		/usr/bin/getent group ${arr[1]} >> /dev/null
-		if [ $? -ne 0 ]; then
-		    /usr/bin/busybox addgroup ${arr[1]}
+
+		if [ -x /usr/sbin/useradd ]; then
+			if ! /usr/bin/getent passwd "${arg1}" >> /dev/null; then
+				# this is useradd/shadow specific
+				ARGUMENTS="-g ${arg1} $ARGUMENTS"
+				/usr/bin/getent group "${arg1}" >> /dev/null || ARGUMENTS="-U $ARGUMENTS"
+			
+				run /usr/sbin/useradd -r -s /sbin/nologin -c "${arg3}" $ARGUMENTS
+			fi
+		elif [ -x "$busybox" ]; then
+			/usr/bin/getent group "${arg1}" >> /dev/null || $busybox addgroup "${arg1}"
+
+			if ! /usr/bin/getent passwd ${arg1} >> /dev/null; then
+				ARGUMENTS="$(echo -G ${arg1} $ARGUMENTS | sed -e 's|-d|-h|g' -e 's|-g|-G|g')"
+				run $busybox adduser -S -H -s /sbin/nologin -g "${arg3}" $ARGUMENTS
+			fi
+		else
+			echo "ERROR: neither useradd nor busybox found!"
+			exit 1
 		fi
-              	ARGUMENTS="-G ${arr[1]} $ARGUMENTS"
-		ARGUMENTS=`echo $ARGUMENTS | sed -e 's|-d|-h|g' -e 's|-g|-G|g'`
-		echo "adduser -S -s /sbin/nologin -g \"${arr[3]}\" $ARGUMENTS"
-		/usr/bin/getent passwd ${arr[1]} >> /dev/null || /usr/bin/busybox adduser -S -s /sbin/nologin -g "${arr[3]}" $ARGUMENTS || exit $?
-	    elif [ -x /bin/busybox ]; then
-		/usr/bin/getent group ${arr[1]} >> /dev/null
-		if [ $? -ne 0 ]; then
-		    /bin/busybox addgroup ${arr[1]}
+	    ;;
+	m)
+		if [ -x /usr/sbin/usermod ] ; then
+				run /usr/sbin/usermod -a -G ${arg2} ${arg1}
+		elif [ -x "$busybox" ]; then
+				run $busybox addgroup ${arg1} ${arg2}
+		else
+				echo "ERROR: neither usermod nor busybox found!"
+				exit 1
 		fi
-              	ARGUMENTS="-G ${arr[1]} $ARGUMENTS"
-		ARGUMENTS=`echo $ARGUMENTS | sed -e 's|-d|-h|g' -e 's|-g|-G|g'`
-		echo "adduser -S -s /sbin/nologin -g \"${arr[3]}\" $ARGUMENTS"
-		/usr/bin/getent passwd ${arr[1]} >> /dev/null || /bin/busybox adduser -S -s /sbin/nologin -g "${arr[3]}" $ARGUMENTS || exit $?
-	    else
-		echo "ERROR: neither useradd nor busybox found!"
-		exit 1
-	    fi
-	    ;;
-	m*)
-            eval arr=( $LINE )
-	    if [ -x /usr/sbin/usermod ] ; then
-		echo "usermod -a -G ${arr[2]} ${arr[1]}"
-		/usr/sbin/usermod -a -G ${arr[2]} ${arr[1]} || exit $?
-	    elif [ -x /usr/bin/busybox ]; then
-		echo "addgroup ${arr[1]} ${arr[2]}"
-		/usr/bin/busybox addgroup ${arr[1]} ${arr[2]} || exit $?
-	    elif [ -x /bin/busybox ]; then
-		echo "addgroup ${arr[1]} ${arr[2]}"
-		/bin/busybox addgroup ${arr[1]} ${arr[2]} || exit $?
-	    else
-		echo "ERROR: neither usermod nor busybox found!"
-		exit 1
-	    fi
-	    ;;
-	r*)
-	    echo "range option ignored: \"$LINE\""
 	    ;;
+	r)
+		echo "range option ignored: \"$arg0 $arg1 $arg2 $arg3\""
+		;;
 	*)
-	    echo "Syntax Error: \"$LINE\""
+	    echo "Syntax Error: \"$arg0\""
 	    exit 1
 	    ;;
-    esac
+	esac
 done
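Review bot: The useradd branch now prepends `-g ${arg1}` unconditionally and then also adds `-U` when `getent group` fails, so a `u` line whose group does not already exist hands useradd both `-U` and `-g <missing group>`; the removed code chose one or the other, and shadow's useradd rejects a `-g` group that does not exist, which under the new `set -eu` aborts the whole run (and the generated caller's `|| [ -f /.buildenv ]` would hide that in a build environment). Restoring the either/or keeps the original intent: `if /usr/bin/getent group "${arg1}" >/dev/null; then ARGUMENTS="-g ${arg1} $ARGUMENTS"; else ARGUMENTS="-U $ARGUMENTS"; fi`. Separately, replacing `eval arr=( $LINE )` with `read arg0 arg1 arg2 arg3 arg4` closes the injection surface but also drops quote handling: a GECOS written as `"Foo Daemon"` (the usual sysusers.d form) is presumably split across `arg3` and `arg4`, and the literal quote characters are passed through to the comment option, so the loop needs its own quote-aware field parsing or the config lines must be documented as unquoted. In any case it should be `read -r` so backslashes in the input are not interpreted, and `getent passwd ${arg1}` in the busybox branch should quote `"${arg1}"` like its sibling calls.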