* [PATCH 0/1] Centralize root password configuration @ 2019-02-06 13:41 claudius.heine.ext 2019-02-06 13:41 ` [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext 0 siblings, 1 reply; 5+ messages in thread From: claudius.heine.ext @ 2019-02-06 13:41 UTC (permalink / raw) To: isar-users; +Cc: Claudius Heine From: Claudius Heine <ch@denx.de> Hi, this patchset depends on the `Template system` patchset. Cheers, Claudius Changes from the RFC patch: - Transformed package to be a transient package, prevents leaking of password via /var/lib/dpkg/info - Check if password was already set before setting it. Error if password was set already - Added possibility to set encrypted passwords - Fixed locking to allow restoration of choosen password when account is unlocked later - added documentation in RECIPE-API_CHANGELOG - removed isar-cfg-hostname - fix some scripting errors Claudius Heine (1): meta: add isar-cfg-rootpw recipe for setting root password RECIPE-API-CHANGELOG.md | 9 ++++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 21 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-06 13:41 [PATCH 0/1] Centralize root password configuration claudius.heine.ext @ 2019-02-06 13:41 ` claudius.heine.ext 2019-02-06 15:52 ` Henning Schild 0 siblings, 1 reply; 5+ messages in thread From: claudius.heine.ext @ 2019-02-06 13:41 UTC (permalink / raw) To: isar-users; +Cc: Claudius Heine From: Claudius Heine <ch@denx.de> The isar-cfg-rootpw recipe is a central point to set the root password for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file or via `isar-cfg-rootpw.bbappend`. This package is installed as a transient package to avoid leaking passwords set by it via the scripts in `/var/lib/dpkg/info/`. The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root password as clear text or encrypted, or are both empty, in which case login without password is possible. The encrypted password is preferred if both variables are set. The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock the root account, other values leave the account unlocked. Unlocking the account at a later point will restore the password set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. Signed-off-by: Claudius Heine <ch@denx.de> --- RECIPE-API-CHANGELOG.md | 9 ++++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 21 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index dcfbbee..7863e8a 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. It's now sufficient to provide only kbuild rules. Makefile targets like modules or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. + +### Remove setting of root passwords in custom packages + +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password via its script in /var/lib/dpkg/info. + +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the password and use +the transient 'isar-cfg-rootpw' package (now installed as transient package per +default). diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst index f60be8c..f48d993 100644 --- a/meta-isar/recipes-app/example-raw/files/postinst +++ b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ fi chown -R isar:isar /var/lib/isar -# this wins over meta-isar/recipes-core/images/files/*configscript.sh -# but we take the same password for this example -echo "root:root" | chpasswd - echo "isar" > /etc/hostname diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 --- a/meta/classes/isar-image.bbclass +++ b/meta/classes/isar-image.bbclass @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file mode 100644 index 0000000..7634f6a --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl @@ -0,0 +1,21 @@ +#!/bin/sh +set -e + +if ! grep -q 'root:\*:' /etc/shadow; then + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 + exit -1 +fi + +if [ -n "${CFG_ROOT_PW_ENC}" ]; then + echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e +elif [ -n "${CFG_ROOT_PW}" ]; then + echo "root:${CFG_ROOT_PW}" | chpasswd +else + passwd -d root +fi + +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then + # Lock the account after setting the password, since unlocking it at some + # point later would set it to the back to the previous one. + passwd -l root +fi diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file mode 100644 index 0000000..52bb153 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb @@ -0,0 +1,20 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Isar configuration package for root password" +MAINTAINER = "isar-users <isar-users@googlegroups.com>" +DEBIAN_DEPENDS = "passwd" + +SRC_URI = "file://postinst.tmpl" + +TEMPLATE_FILES = "postinst.tmpl" +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED" + +CFG_ROOT_PW ??= "" +CFG_ROOT_PW_ENC ??= "" +CFG_ROOT_LOCKED ??= "0" + +inherit dpkg-raw + +do_install() { + echo "intentionally left blank" +} -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-06 13:41 ` [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext @ 2019-02-06 15:52 ` Henning Schild 2019-02-06 16:10 ` Claudius Heine 0 siblings, 1 reply; 5+ messages in thread From: Henning Schild @ 2019-02-06 15:52 UTC (permalink / raw) To: [ext] claudius.heine.ext@siemens.com; +Cc: isar-users, Claudius Heine Am Wed, 6 Feb 2019 14:41:39 +0100 schrieb "[ext] claudius.heine.ext@siemens.com" <claudius.heine.ext@siemens.com>: > From: Claudius Heine <ch@denx.de> > > The isar-cfg-rootpw recipe is a central point to set the root password > for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`, > `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file > or via `isar-cfg-rootpw.bbappend`. > > This package is installed as a transient package to avoid leaking > passwords set by it via the scripts in `/var/lib/dpkg/info/`. > > The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a > root password as clear text or encrypted, or are both empty, in which > case login without password is possible. The encrypted password is > preferred if both variables are set. How about _ENC only? I do not really see the point to support two versions here. Say someone still got the package, they would still have to find a password matching the hash. So _ENC is better, and just one way is simpler. We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to encrypt a password. In fact that seems to depend on rootfs/etc/login.defs ... maybe meaning that supporting _ENC is not the best idea after all. We should demo setting a passwd in isar-image-base, a good idea for a password would be "root" because that is what isar-only users already know. And it might be in the docs ... Henning > The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock > the root account, other values leave the account unlocked. Unlocking > the account at a later point will restore the password set by > `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. > > Signed-off-by: Claudius Heine <ch@denx.de> > --- > RECIPE-API-CHANGELOG.md | 9 ++++++++ > .../recipes-app/example-raw/files/postinst | 4 ---- > meta/classes/isar-image.bbclass | 2 +- > .../isar-cfg-rootpw/files/postinst.tmpl | 21 > +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | > 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 > deletions(-) create mode 100644 > meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode > 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index dcfbbee..7863e8a 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. > > It's now sufficient to provide only kbuild rules. Makefile targets > like modules or modules_install as well as KDIR and DESTDIR > evaluation are no longer needed. + > +### Remove setting of root passwords in custom packages > + > +Custom packages that are not installed via the > IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password > via its script in /var/lib/dpkg/info. + > +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the > password and use +the transient 'isar-cfg-rootpw' package (now > installed as transient package per +default). > diff --git a/meta-isar/recipes-app/example-raw/files/postinst > b/meta-isar/recipes-app/example-raw/files/postinst index > f60be8c..f48d993 100644 --- > a/meta-isar/recipes-app/example-raw/files/postinst +++ > b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ > fi > chown -R isar:isar /var/lib/isar > > -# this wins over meta-isar/recipes-core/images/files/*configscript.sh > -# but we take the same password for this example > -echo "root:root" | chpasswd > - > echo "isar" > /etc/hostname > diff --git a/meta/classes/isar-image.bbclass > b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 > --- a/meta/classes/isar-image.bbclass > +++ b/meta/classes/isar-image.bbclass > @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" > > DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > > -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" > +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" > > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file > mode 100644 index 0000000..7634f6a > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > @@ -0,0 +1,21 @@ > +#!/bin/sh > +set -e > + > +if ! grep -q 'root:\*:' /etc/shadow; then > + echo "ERROR:isar-cfg-rootpw: root password was set by a > different package" >&2 > + exit -1 > +fi > + > +if [ -n "${CFG_ROOT_PW_ENC}" ]; then > + echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e > +elif [ -n "${CFG_ROOT_PW}" ]; then > + echo "root:${CFG_ROOT_PW}" | chpasswd > +else > + passwd -d root > +fi > + > +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then > + # Lock the account after setting the password, since unlocking > it at some > + # point later would set it to the back to the previous one. > + passwd -l root > +fi > diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file > mode 100644 index 0000000..52bb153 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > @@ -0,0 +1,20 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION = "Isar configuration package for root password" > +MAINTAINER = "isar-users <isar-users@googlegroups.com>" > +DEBIAN_DEPENDS = "passwd" > + > +SRC_URI = "file://postinst.tmpl" > + > +TEMPLATE_FILES = "postinst.tmpl" > +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED" > + > +CFG_ROOT_PW ??= "" > +CFG_ROOT_PW_ENC ??= "" > +CFG_ROOT_LOCKED ??= "0" > + > +inherit dpkg-raw > + > +do_install() { > + echo "intentionally left blank" > +} ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-06 15:52 ` Henning Schild @ 2019-02-06 16:10 ` Claudius Heine 2019-02-07 17:45 ` Henning Schild 0 siblings, 1 reply; 5+ messages in thread From: Claudius Heine @ 2019-02-06 16:10 UTC (permalink / raw) To: Henning Schild; +Cc: isar-users, Claudius Heine Hi Henning, On 06/02/2019 16.52, Henning Schild wrote: > Am Wed, 6 Feb 2019 14:41:39 +0100 > schrieb "[ext] claudius.heine.ext@siemens.com" > <claudius.heine.ext@siemens.com>: > >> From: Claudius Heine <ch@denx.de> >> >> The isar-cfg-rootpw recipe is a central point to set the root password >> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`, >> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file >> or via `isar-cfg-rootpw.bbappend`. >> >> This package is installed as a transient package to avoid leaking >> passwords set by it via the scripts in `/var/lib/dpkg/info/`. >> >> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a >> root password as clear text or encrypted, or are both empty, in which >> case login without password is possible. The encrypted password is >> preferred if both variables are set. > > How about _ENC only? I do not really see the point to support two > versions here. Say someone still got the package, they would still have > to find a password matching the hash. So _ENC is better, and just one > way is simpler. Well the code complexity differenct between supporting both and just one is pretty small. And I like options, so I would be in favor of having both possible. But if the consensus is to only support one, then I would go with _ENC only as well. > > We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to > encrypt a password. In fact that seems to depend on > rootfs/etc/login.defs ... maybe meaning that supporting _ENC is > not the best idea after all. I think that is just the default algo used by passwd to create passwords, not the one enforced. Meaning I would still work if the set password was created with different options. > > We should demo setting a passwd in isar-image-base, a good idea for a > password would be "root" because that is what isar-only users already > know. And it might be in the docs ... Well the best way I can think of is using `mkpasswd`, but that tool is packed into the `whois` package for some strange, possibly historical reasons. Cheers, Claudius > > Henning > >> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock >> the root account, other values leave the account unlocked. Unlocking >> the account at a later point will restore the password set by >> `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. >> >> Signed-off-by: Claudius Heine <ch@denx.de> >> --- >> RECIPE-API-CHANGELOG.md | 9 ++++++++ >> .../recipes-app/example-raw/files/postinst | 4 ---- >> meta/classes/isar-image.bbclass | 2 +- >> .../isar-cfg-rootpw/files/postinst.tmpl | 21 >> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | >> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 >> deletions(-) create mode 100644 >> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode >> 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb >> >> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md >> index dcfbbee..7863e8a 100644 >> --- a/RECIPE-API-CHANGELOG.md >> +++ b/RECIPE-API-CHANGELOG.md >> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. >> >> It's now sufficient to provide only kbuild rules. Makefile targets >> like modules or modules_install as well as KDIR and DESTDIR >> evaluation are no longer needed. + >> +### Remove setting of root passwords in custom packages >> + >> +Custom packages that are not installed via the >> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password >> via its script in /var/lib/dpkg/info. + >> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the >> password and use +the transient 'isar-cfg-rootpw' package (now >> installed as transient package per +default). >> diff --git a/meta-isar/recipes-app/example-raw/files/postinst >> b/meta-isar/recipes-app/example-raw/files/postinst index >> f60be8c..f48d993 100644 --- >> a/meta-isar/recipes-app/example-raw/files/postinst +++ >> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ >> fi >> chown -R isar:isar /var/lib/isar >> >> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh >> -# but we take the same password for this example >> -echo "root:root" | chpasswd >> - >> echo "isar" > /etc/hostname >> diff --git a/meta/classes/isar-image.bbclass >> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 >> --- a/meta/classes/isar-image.bbclass >> +++ b/meta/classes/isar-image.bbclass >> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" >> >> DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" >> >> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" >> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" >> >> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >> >> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl >> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file >> mode 100644 index 0000000..7634f6a >> --- /dev/null >> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl >> @@ -0,0 +1,21 @@ >> +#!/bin/sh >> +set -e >> + >> +if ! grep -q 'root:\*:' /etc/shadow; then >> + echo "ERROR:isar-cfg-rootpw: root password was set by a >> different package" >&2 >> + exit -1 >> +fi >> + >> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then >> + echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e >> +elif [ -n "${CFG_ROOT_PW}" ]; then >> + echo "root:${CFG_ROOT_PW}" | chpasswd >> +else >> + passwd -d root >> +fi >> + >> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then >> + # Lock the account after setting the password, since unlocking >> it at some >> + # point later would set it to the back to the previous one. >> + passwd -l root >> +fi >> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb >> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file >> mode 100644 index 0000000..52bb153 >> --- /dev/null >> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb >> @@ -0,0 +1,20 @@ >> +# This software is a part of ISAR. >> + >> +DESCRIPTION = "Isar configuration package for root password" >> +MAINTAINER = "isar-users <isar-users@googlegroups.com>" >> +DEBIAN_DEPENDS = "passwd" >> + >> +SRC_URI = "file://postinst.tmpl" >> + >> +TEMPLATE_FILES = "postinst.tmpl" >> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED" >> + >> +CFG_ROOT_PW ??= "" >> +CFG_ROOT_PW_ENC ??= "" >> +CFG_ROOT_LOCKED ??= "0" >> + >> +inherit dpkg-raw >> + >> +do_install() { >> + echo "intentionally left blank" >> +} > -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-06 16:10 ` Claudius Heine @ 2019-02-07 17:45 ` Henning Schild 0 siblings, 0 replies; 5+ messages in thread From: Henning Schild @ 2019-02-07 17:45 UTC (permalink / raw) To: Claudius Heine; +Cc: isar-users, Claudius Heine Am Wed, 6 Feb 2019 17:10:09 +0100 schrieb Claudius Heine <claudius.heine.ext@siemens.com>: > Hi Henning, > > On 06/02/2019 16.52, Henning Schild wrote: > > Am Wed, 6 Feb 2019 14:41:39 +0100 > > schrieb "[ext] claudius.heine.ext@siemens.com" > > <claudius.heine.ext@siemens.com>: > > > >> From: Claudius Heine <ch@denx.de> > >> > >> The isar-cfg-rootpw recipe is a central point to set the root > >> password for images. It provides the `CFG_ROOT_PW`, > >> `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be > >> set from any `.conf` file or via `isar-cfg-rootpw.bbappend`. > >> > >> This package is installed as a transient package to avoid leaking > >> passwords set by it via the scripts in `/var/lib/dpkg/info/`. > >> > >> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a > >> root password as clear text or encrypted, or are both empty, in > >> which case login without password is possible. The encrypted > >> password is preferred if both variables are set. > > > > How about _ENC only? I do not really see the point to support two > > versions here. Say someone still got the package, they would still > > have to find a password matching the hash. So _ENC is better, and > > just one way is simpler. > > Well the code complexity differenct between supporting both and just > one is pretty small. And I like options, so I would be in favor of > having both possible. But if the consensus is to only support one, > then I would go with _ENC only as well. My take would be to only offer choice if there is a value in it, because you pay with complexity. If all versions of chpasswd take encrypted passwords, i do not see why plain ones should be supported. As usual, the ones discussing have to reach the consensus ... the other ones agree with not speaking up ;). > > We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to > > encrypt a password. In fact that seems to depend on > > rootfs/etc/login.defs ... maybe meaning that supporting _ENC is > > not the best idea after all. > > I think that is just the default algo used by passwd to create > passwords, not the one enforced. Meaning I would still work if the > set password was created with different options. Ok, so any version of mkpasswd on any machine can create the magic string that will be understood by any version of chpasswd. No reason to support plain. > > > > We should demo setting a passwd in isar-image-base, a good idea for > > a password would be "root" because that is what isar-only users > > already know. And it might be in the docs ... > > Well the best way I can think of is using `mkpasswd`, but that tool > is packed into the `whois` package for some strange, possibly > historical reasons. Ok so the example would be ... # echo root | mkpasswd -s CFG_ROOT_PW_ENC="xxxYYY" maybe in local.conf.example Henning > Cheers, > Claudius > > > > > Henning > > > >> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to > >> lock the root account, other values leave the account unlocked. > >> Unlocking the account at a later point will restore the password > >> set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. > >> > >> Signed-off-by: Claudius Heine <ch@denx.de> > >> --- > >> RECIPE-API-CHANGELOG.md | 9 ++++++++ > >> .../recipes-app/example-raw/files/postinst | 4 ---- > >> meta/classes/isar-image.bbclass | 2 +- > >> .../isar-cfg-rootpw/files/postinst.tmpl | 21 > >> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | > >> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 > >> deletions(-) create mode 100644 > >> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create > >> mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > >> > >> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > >> index dcfbbee..7863e8a 100644 > >> --- a/RECIPE-API-CHANGELOG.md > >> +++ b/RECIPE-API-CHANGELOG.md > >> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are > >> used. > >> It's now sufficient to provide only kbuild rules. Makefile > >> targets like modules or modules_install as well as KDIR and DESTDIR > >> evaluation are no longer needed. + > >> +### Remove setting of root passwords in custom packages > >> + > >> +Custom packages that are not installed via the > >> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that > >> password via its script in /var/lib/dpkg/info. + > >> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the > >> password and use +the transient 'isar-cfg-rootpw' package (now > >> installed as transient package per +default). > >> diff --git a/meta-isar/recipes-app/example-raw/files/postinst > >> b/meta-isar/recipes-app/example-raw/files/postinst index > >> f60be8c..f48d993 100644 --- > >> a/meta-isar/recipes-app/example-raw/files/postinst +++ > >> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 > >> @@ fi > >> chown -R isar:isar /var/lib/isar > >> > >> -# this wins over > >> meta-isar/recipes-core/images/files/*configscript.sh -# but we > >> take the same password for this example -echo "root:root" | > >> chpasswd - > >> echo "isar" > /etc/hostname > >> diff --git a/meta/classes/isar-image.bbclass > >> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 > >> --- a/meta/classes/isar-image.bbclass > >> +++ b/meta/classes/isar-image.bbclass > >> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" > >> > >> DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > >> > >> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" > >> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" > >> > >> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > >> > >> diff --git > >> a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > >> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new > >> file mode 100644 index 0000000..7634f6a --- /dev/null > >> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > >> @@ -0,0 +1,21 @@ > >> +#!/bin/sh > >> +set -e > >> + > >> +if ! grep -q 'root:\*:' /etc/shadow; then > >> + echo "ERROR:isar-cfg-rootpw: root password was set by a > >> different package" >&2 > >> + exit -1 > >> +fi > >> + > >> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then > >> + echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e > >> +elif [ -n "${CFG_ROOT_PW}" ]; then > >> + echo "root:${CFG_ROOT_PW}" | chpasswd > >> +else > >> + passwd -d root > >> +fi > >> + > >> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then > >> + # Lock the account after setting the password, since unlocking > >> it at some > >> + # point later would set it to the back to the previous one. > >> + passwd -l root > >> +fi > >> diff --git > >> a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > >> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file > >> mode 100644 index 0000000..52bb153 --- /dev/null > >> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > >> @@ -0,0 +1,20 @@ > >> +# This software is a part of ISAR. > >> + > >> +DESCRIPTION = "Isar configuration package for root password" > >> +MAINTAINER = "isar-users <isar-users@googlegroups.com>" > >> +DEBIAN_DEPENDS = "passwd" > >> + > >> +SRC_URI = "file://postinst.tmpl" > >> + > >> +TEMPLATE_FILES = "postinst.tmpl" > >> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED" > >> + > >> +CFG_ROOT_PW ??= "" > >> +CFG_ROOT_PW_ENC ??= "" > >> +CFG_ROOT_LOCKED ??= "0" > >> + > >> +inherit dpkg-raw > >> + > >> +do_install() { > >> + echo "intentionally left blank" > >> +} > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-02-07 17:45 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-02-06 13:41 [PATCH 0/1] Centralize root password configuration claudius.heine.ext 2019-02-06 13:41 ` [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext 2019-02-06 15:52 ` Henning Schild 2019-02-06 16:10 ` Claudius Heine 2019-02-07 17:45 ` Henning Schild
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox