Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[Henning Schild <henning.schild@siemens.com>]

Am Wed, 6 Feb 2019 14:41:39 +0100
schrieb "[ext] claudius.heine.ext@siemens.com"
<claudius.heine.ext@siemens.com>:

> From: Claudius Heine <ch@denx.de>
> 
> The isar-cfg-rootpw recipe is a central point to set the root password
> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
> or via `isar-cfg-rootpw.bbappend`.
> 
> This package is installed as a transient package to avoid leaking
> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> 
> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
> root password as clear text or encrypted, or are both empty, in which
> case login without password is possible. The encrypted password is
> preferred if both variables are set.

How about _ENC only? I do not really see the point to support two
versions here. Say someone still got the package, they would still have
to find a password matching the hash. So _ENC is better, and just one
way is simpler.

We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
encrypt a password. In fact that seems to depend on
rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
not the best idea after all.

We should demo setting a passwd in isar-image-base, a good idea for a
password would be "root" because that is what isar-only users already
know. And it might be in the docs ...

Henning

> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
> the root account, other values leave the account unlocked. Unlocking
> the account at a later point will restore the password set by
> `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
> 
> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
>  RECIPE-API-CHANGELOG.md                       |  9 ++++++++
>  .../recipes-app/example-raw/files/postinst    |  4 ----
>  meta/classes/isar-image.bbclass               |  2 +-
>  .../isar-cfg-rootpw/files/postinst.tmpl       | 21
> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb        |
> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5
> deletions(-) create mode 100644
> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode
> 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index dcfbbee..7863e8a 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
>  
>  It's now sufficient to provide only kbuild rules. Makefile targets
> like modules or modules_install as well as KDIR and DESTDIR
> evaluation are no longer needed. +
> +### Remove setting of root passwords in custom packages
> +
> +Custom packages that are not installed via the
> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password
> via its script in /var/lib/dpkg/info. +
> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the
> password and use +the transient 'isar-cfg-rootpw' package (now
> installed as transient package per +default).
> diff --git a/meta-isar/recipes-app/example-raw/files/postinst
> b/meta-isar/recipes-app/example-raw/files/postinst index
> f60be8c..f48d993 100644 ---
> a/meta-isar/recipes-app/example-raw/files/postinst +++
> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@
> fi 
>  chown -R isar:isar /var/lib/isar
>  
> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh
> -# but we take the same password for this example
> -echo "root:root" | chpasswd
> -
>  echo "isar" > /etc/hostname
> diff --git a/meta/classes/isar-image.bbclass
> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644
> --- a/meta/classes/isar-image.bbclass
> +++ b/meta/classes/isar-image.bbclass
> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>  
>  DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>  
> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>  
>  WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>  
> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file
> mode 100644 index 0000000..7634f6a
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> @@ -0,0 +1,21 @@
> +#!/bin/sh
> +set -e
> +
> +if ! grep -q 'root:\*:' /etc/shadow; then
> +    echo "ERROR:isar-cfg-rootpw: root password was set by a
> different package" >&2
> +    exit -1
> +fi
> +
> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then
> +    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
> +elif [ -n "${CFG_ROOT_PW}" ]; then
> +    echo "root:${CFG_ROOT_PW}" | chpasswd
> +else
> +    passwd -d root
> +fi
> +
> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
> +    # Lock the account after setting the password, since unlocking
> it at some
> +    # point later would set it to the back to the previous one.
> +    passwd -l root
> +fi
> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file
> mode 100644 index 0000000..52bb153
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> @@ -0,0 +1,20 @@
> +# This software is a part of ISAR.
> +
> +DESCRIPTION = "Isar configuration package for root password"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "passwd"
> +
> +SRC_URI = "file://postinst.tmpl"
> +
> +TEMPLATE_FILES = "postinst.tmpl"
> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
> +
> +CFG_ROOT_PW ??= ""
> +CFG_ROOT_PW_ENC ??= ""
> +CFG_ROOT_LOCKED ??= "0"
> +
> +inherit dpkg-raw
> +
> +do_install() {
> +    echo "intentionally left blank"
> +}