yocto - How to set permission to command of busybox

Question

I am currently working on a yocto projet and I'm looking for a solution to set permission on busybox's command. I have my layer meta-exemple1 in which there is the recipes-core that contains busybox_%.bbappend and files/defconfig_patch.cfg that set configuration's.

I am looking for a way to set permission of a specific command for user's..

Example,

Let suppose I have two user, user1 and user2. I want to allow user1 to use to command cat and not the user2

How can I do it ?

Thanks in advance

Answer 1

In Linux there is getfacl and setfacl which you can use to set users permissions on a given binary. More details here.

In Yocto, you can use this for example:

do_install_append(){
    setfacl -m u:user_name:r-- $D${bindir}/cat
}

There are two problems now:

You need to see if busybox packages all the binaries splitted into ${D} or packages one binary "busybox", if it is one binary you can try to append the package of the image recipe.

The idea is to find the recipe that packages your target binary.

The second problem is that Yocto does not keep those permissions when creating the final rootfs, the problem is mentionned here.

So, you can try the suggested solution which is adding permissions after the package stage with pkg_postinst_${PN}_append(), or I suggest that you can create a service that runs on boot and runs setfacl commands on the binaries you want.

This is what I found, hope it helps you finding the right solution.