Subject: Re: [PATCH] added 'isar-cfg-userpw' package
To: "[ext] claudius.heine.ext@siemens.com", Jan Kiszka, isar-users@googlegroups.com
From: Claudius Heine
Date: Mon, 25 Feb 2019 09:44:39 +0100

Hi Jan,

Quoting Jan Kiszka (2019-02-25 09:07:35)
> On 23.02.19 11:42, Jan Kiszka wrote:
> > On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
> >> From: Claudius Heine
> >>
> >> With this package setting of arbitrary user passwords should be
> >> possible.
> >>
> >> To do this use the 'CFG_USER_PW' variable as described in the user
> >> manual.
> >>
> >> Signed-off-by: Claudius Heine
> >> ---
> >>   doc/user_manual.md                          |  1 +
> >>   meta-isar/conf/local.conf.sample            |  2 ++
> >>   meta/classes/isar-image.bbclass             |  2 +-
> >>   .../isar-cfg-userpw/files/postinst.tmpl     | 15 ++++++++++++
> >>   .../isar-cfg-userpw/isar-cfg-userpw.bb      | 23 +++++++++++++++++++
> >>   5 files changed, 42 insertions(+), 1 deletion(-)
> >>   create mode 100644 meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
> >>   create mode 100644 meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
> >>
> >> diff --git a/doc/user_manual.md b/doc/user_manual.md > >> index db0bf85..53bb36a 100644 > >> --- a/doc/user_manual.md > >> +++ b/doc/user_manual.md
> >> @@ -328,6 +328,7 @@ Some other variables include: > >> =C2=A0=C2=A0 - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append = it to the default=20 > >> URI in the format `ftp.debian.org my.preferred.mirror`. This variable = is=20 > >> optional. > >> =C2=A0=C2=A0 - `CFG_ROOT_PW` - The encrypted root password to be set. = To encrypt=20 > >> password use `mkpasswd`. You find `mkpasswd` in the `whois` package of= Debian.=20 > >> If the variable is empty, root login is passwordless. > >> =C2=A0=C2=A0 - `CFG_ROOT_LOCKED` - If set to `1` the root account will= be locked. > >> + - `CFG_USER_PW` - A space separated list of user names and encrypted= =20 > >> passwords separated by a colon. (e.g. `username1:encryptedpw1=20 > >> username2:encryptedpw2`) > >> > >> =C2=A0 --- > >> > >> diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.c= onf.sample > >> index e5827aa..494a283 100644 > >> --- a/meta-isar/conf/local.conf.sample > >> +++ b/meta-isar/conf/local.conf.sample > >> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?=3D "0" > >> =C2=A0 #=C2=A0=C2=A0 mkpasswd -m sha512crypt -R 10000 > >> =C2=A0 # mkpasswd is part of the 'whois' package of Debian > >> =C2=A0 CFG_ROOT_PW ?=3D=20 > >> "$6$rounds=3D10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHq= REJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"=20 > >> > >> +# Set user 'isar' password to 'isar': > >> +CFG_USER_PW ?=3D=20 > >> "isar:$6$rounds=3D10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN3V= b85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1"=20 > >> > >> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image= .bbclass > >> index cdd1651..0100d0b 100644 > >> --- a/meta/classes/isar-image.bbclass > >> +++ b/meta/classes/isar-image.bbclass 
> >> @@ -17,7 +17,7 @@ SRC_URI +=3D "${@ cfg_script(d) }" > >> > >> =C2=A0 DEPENDS +=3D "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > >> > >> -IMAGE_TRANSIENT_PACKAGES +=3D "isar-cfg-localepurge isar-cfg-rootpw" > >> +IMAGE_TRANSIENT_PACKAGES +=3D "isar-cfg-localepurge isar-cfg-rootpw=20 > >> isar-cfg-userpw" > >> > >> =C2=A0 WORKDIR =3D "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > >> > >> diff --git a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl = > >> b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > >> new file mode 100644 > >> index 0000000..47fffd0 > >> --- /dev/null > >> +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > >> @@ -0,0 +1,15 @@ > >> +#!/bin/sh > >> +set -e > >> + > >> +USER_ENTRIES=3D'${CFG_USER_PW} ' > >> + > >> +while true; do > >> +=C2=A0=C2=A0=C2=A0 USER_ENTRY=3D"${USER_ENTRIES%% *}" # First element= of list > >> +=C2=A0=C2=A0=C2=A0 USER_ENTRIES=3D"${USER_ENTRIES#${USER_ENTRY} }" # = Rest of list > >> + > >> +=C2=A0=C2=A0=C2=A0 if [ -z "${USER_ENTRY}" ]; then > >> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break > >> +=C2=A0=C2=A0=C2=A0 fi > >> + > >> +=C2=A0=C2=A0=C2=A0 printf '%s' "${USER_ENTRY}" | chpasswd -e > >> +done > >> diff --git a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb=20 > >> b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > >> new file mode 100644 > >> index 0000000..75b0446 > >> --- /dev/null > >> +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb 
> >> @@ -0,0 +1,23 @@ > >> +# This software is a part of ISAR. > >> + > >> +DESCRIPTION =3D "Isar configuration package for user passwords" > >> +MAINTAINER =3D "isar-users " > >> +DEBIAN_DEPENDS =3D "passwd" > >> + > >> +SRC_URI =3D "file://postinst.tmpl" > >> + > >> +TEMPLATE_FILES =3D "postinst.tmpl" > >> +TEMPLATE_VARS =3D "CFG_USER_PW" > >> + > >> +CFG_USER_PW ?=3D "" > >> + > >> +python() { > >> +=C2=A0=C2=A0=C2=A0 # Enforce CFG_USER_PW to be a single space separat= ed array > >> +=C2=A0=C2=A0=C2=A0 d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USE= R_PW", True).split())) > >> +} > >> + > >> +inherit dpkg-raw > >> + > >> +do_install() { > >> +=C2=A0=C2=A0=C2=A0 echo "intentionally left blank" > >> +} > >>
> >
> > Missed this until I had to deal with it: This does not allow per-image password
> > configuration because there is only one, hard-coded isar-cfg-userpw package that
> > all images pull. E.g., how to build a release (root account locked) and a debug
> > image (well-known insecure or empty password) at the same time now?
> >
> > We rather need to change the logic to pass the control variables from the host
> > down into the chroot during installation where the transient package can then
> > evaluate them. Or model this - as a special case - without a package.
> >
> > Before the release, we should at least prove if the current recipe interface can
> > be maintained with the above requirement, so that we do not break it again right
> > after that.
> >
>
> The same conceptual issue applies to isar-cfg-localepurge: LOCALE_GEN and
> LOCALE_DEFAULT should be configurable on a per-image basis, not a per-build.

You are right! I haven't considered that.

Normally you would not have a 'debug' image and a 'release' image, but
different multi/local configurations for that. Having debug images and
release images is an anti-pattern for bb based projects IMO and should not
be done in Isar.
But of course if you now have a '*-debug' and '*-release' multiconfig, you
cannot build that in parallel if one package is built with two different
variables.

And that exactly hits the mark with the problem I have with the way Isar
uses multiconfigs and tries to share packages from different multiconfigs.

IMO if you want to continue doing it that way, you would need to have a
'isar-cfg-localpurge-debug' and a 'isar-cfg-userpw-debug'. And do that for
all possible other configurations you want to build in parallel...

Cheers,
Claudius

>
> Jan
>
> --
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
Keyserver: hkp://pool.sks-keyservers.net
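Review bot: The new `CFG_USER_PW` entry in doc/user_manual.md does not say how the encrypted passwords are produced, or that the named users must already exist in the image (nothing in this patch creates them). The neighbouring `CFG_ROOT_PW` entry points to `mkpasswd`; the same pointer belongs here, together with a statement of what an empty value does: the recipe defaults it to `""`, and the postinst loop then exits without changing anything.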
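Review bot: The meta-isar/conf/local.conf.sample hunk ships a working credential (user 'isar', password 'isar') as the `?=` default of `CFG_USER_PW`, so every build that starts from the sample configuration carries a well-known password unless someone remembers to override it. Consider leaving the `CFG_USER_PW` line commented out as an example, with a comment that it is meant for development images only.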
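Review bot: In meta/classes/isar-image.bbclass, `isar-cfg-userpw` is appended to `IMAGE_TRANSIENT_PACKAGES` unconditionally, so the package is built and installed for every image even when `CFG_USER_PW` is empty. Adding it only when the variable is set would leave images that do not use the feature unchanged.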
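Review bot: In postinst.tmpl the templated value lands inside a single-quoted shell string (`USER_ENTRIES='${CFG_USER_PW} '`), so a stray `'` anywhere in `CFG_USER_PW` ends the quoting and the rest of the value is parsed as shell in a script that runs as root during installation. In the same loop, `${USER_ENTRIES#${USER_ENTRY} }` uses the entry as an unquoted pattern, so `*`, `?` or `[` in an entry are treated as glob characters; quoting the inner expansion, as in `"${USER_ENTRIES#"${USER_ENTRY}" }"`, avoids that. The password hashes also become part of the package's postinst and therefore of the built .deb, which is worth stating in the documentation.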
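Review bot: The anonymous `python()` block in isar-cfg-userpw.bb only normalises whitespace and never checks that each element has the `user:hash` form, so a malformed entry is first noticed when `chpasswd -e` fails inside the postinst under `set -e`. Validating each element here (a user name, one colon, a non-empty hash, no quote characters) and stopping the build with `bb.fatal` would surface the mistake at parse time instead. As a style point, the `do_install` body that echoes "intentionally left blank" would read better as `:` with a comment.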