I am build custom image for Raspberry Pi 4 using Yocto. I trying to create user group account with privilages set using ACL. When rootfs is present on SD card everything works, but when I rootfs resides in RAM (fitImage) ACL seems to not working... I'm wondering what is a difference? The CONFIG_TMPFS_POSIX_ACL in kernel config is set to y.
Bellow my initramfs recipe:
require recipes-core/images/super-pi.bb
IMAGE_NAME = "super-pi-initramfs"
IMAGE_FSTYPES := "${INITRAMFS_FSTYPES}"
IMAGE_FSTYPES:remove = " wic wic.gz"
PACKAGE_INSTALL:append = " ${IMAGE_INSTALL}"
IMAGE_NAME_SUFFIX ?= ""
IMAGE_LINGUAS = ""
IMAGE_ROOTFS_EXTRA_SPACE = "0"
DEPENDS:append = " acl-native"
inherit extrausers
#to generate hash for password: printf "%q" $(mkpasswd -m sha256crypt
<password>)
#pass: puma1
DEVELOPER_PASSWORD_HASH =
"\$5\$5j7bye3XKroIht0\$rZ3af/o3gVXLYo5vqtfbjllCSa5jtx2QrRraKaWwqn5"
#pass: puma2
PRODUCTION_PASSWORD_HASH =
"\$5\$uoMhBHIwh8ReIv1\$Fxuh8QN4my0pNfOe/RGfLhMGD5LxVk6UOWupprvgFT/"
#pass: puma3
SERVIS_PASSWORD_HASH =
"\$5\$Q.5Zmboz3pIJ3hT\$Xi0f6YTzYGvTjD3cnniNa6htyBB/cY5GT7eUUM1Puq4"
#pass: puma4
VISITOR_PASSWORD_HASH =
"\$5\$7CBZsfthWke7GmAw\$uuejwFB.BuAyFAeTY7b40qXxg4oA4G8e7X/hztSIsh0"
EXTRA_USERS_PARAMS = "\
groupadd --gid 1001 developer; \
groupadd --gid 1002 production; \
groupadd --gid 1003 servis; \
groupadd --gid 1004 visitor; \
useradd --uid 1011 --no-user-group --no-create-home --password
'${DEVELOPER_PASSWORD_HASH}' --shell /bin/bash developer; \
useradd --uid 1012 --no-user-group --no-create-home --password
'${PRODUCTION_PASSWORD_HASH}' --shell /bin/bash production; \
useradd --uid 1013 --no-user-group --no-create-home --password
'${SERVIS_PASSWORD_HASH}' --shell /bin/bash servis; \
useradd --uid 1014 --no-user-group --create-home --password
'${VISITOR_PASSWORD_HASH}' --shell /bin/bash visitor; \
usermod -g developer developer; \
usermod -g production production; \
usermod -g servis servis; \
usermod -g visitor visitor; \
"
modify_user_access() {
setfacl -R -m g:developer:rwX ${IMAGE_ROOTFS}/etc \
${IMAGE_ROOTFS}/usr \
${IMAGE_ROOTFS}/lib \
${IMAGE_ROOTFS}/bin \
${IMAGE_ROOTFS}/sbin \
${IMAGE_ROOTFS}/sys \
${IMAGE_ROOTFS}/boot \
${IMAGE_ROOTFS}/proc \
${IMAGE_ROOTFS}/media \
${IMAGE_ROOTFS}/mnt \
${IMAGE_ROOTFS}/var \
${IMAGE_ROOTFS}/run;
bbnote "setfacl result: $?"
setfacl -R -m g:production:rwX ${IMAGE_ROOTFS}/etc \
${IMAGE_ROOTFS}/usr \
${IMAGE_ROOTFS}/lib \
${IMAGE_ROOTFS}/bin \
${IMAGE_ROOTFS}/sbin \
${IMAGE_ROOTFS}/media \
${IMAGE_ROOTFS}/mnt;
bbnote "setfacl result: $?"
setfacl -R -m g:servis:rX ${IMAGE_ROOTFS}/etc \
${IMAGE_ROOTFS}/usr \
${IMAGE_ROOTFS}/bin \
${IMAGE_ROOTFS}/sbin \
${IMAGE_ROOTFS}/media \
${IMAGE_ROOTFS}/mnt;
bbnote "setfacl result: $?"
setfacl -R -m g:visitor:--- ${IMAGE_ROOTFS}/;
setfacl -R -m g:visitor:r ${IMAGE_ROOTFS}/home/visitor;
bbnote "setfacl result: $?"
}
modify_sudoers() {
sed -i.bak 's/# Cmnd_Alias\tREBOOT/Cmnd_Alias\tREBOOT/'
${IMAGE_ROOTFS}/etc/sudoers
sed -i.bak 's/# Cmnd_Alias\tPROCESSES/Cmnd_Alias\tPROCESSES/'
${IMAGE_ROOTFS}/etc/sudoers
sed -i.bak 's/# \t\t\t \/usr\/bin\/pkill/ \t\t\t
\/usr\/bin\/pkill/' ${IMAGE_ROOTFS}/etc/sudoers
echo "%developer ALL=(ALL) REBOOT, PROCESSES, /usr/bin/setfacl" >
${IMAGE_ROOTFS}/etc/sudoers.d/0001_custom_sudo_rules
echo "%production ALL=(ALL) REBOOT, PROCESSES, /usr/bin/setfacl"
>> ${IMAGE_ROOTFS}/etc/sudoers.d/0001_custom_sudo_rules
rm ${IMAGE_ROOTFS}/etc/sudoers.bak
}
rootfs_update_timestamp() {
date "+%Y%m%d%H%M%S" > ${IMAGE_ROOTFS}/etc/timestamp
}
IMAGE_PREPROCESS_COMMAND += "modify_user_access;"
ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp;modify_sudoers;"