From mboxrd@z Thu Jan 1 00:00:00 1970
X-BeenThere: isar-users@googlegroups.com
Date: Wed, 6 Feb 2019 16:52:14 +0100
From: Henning Schild
To: "[ext] claudius.heine.ext@siemens.com"
Cc: , Claudius Heine
Subject: Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password
Message-ID: <20190206165214.74653294@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190206134139.1597-2-claudius.heine.ext@siemens.com>
References: <20190206134139.1597-1-claudius.heine.ext@siemens.com> <20190206134139.1597-2-claudius.heine.ext@siemens.com>

On Wed, 6 Feb 2019 14:41:39 +0100, "[ext] claudius.heine.ext@siemens.com" wrote:

> From: Claudius Heine
>
> The isar-cfg-rootpw recipe is a central point to set the root password
> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
> or via `isar-cfg-rootpw.bbappend`.
>
> This package is installed as a transient package to avoid leaking
> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
>
> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
> root password as clear text or encrypted, or are both empty, in which
> case login without password is possible. The encrypted password is
> preferred if both variables are set.

How about _ENC only? I do not really see the point to support two
versions here. Say someone still got the package, they would still have
to find a password matching the hash. So _ENC is better, and just one
way is simpler.

We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
encrypt a password. In fact that seems to depend on
rootfs/etc/login.defs ... maybe meaning that supporting _ENC is not the
best idea after all.

We should demo setting a passwd in isar-image-base, a good idea for a
password would be "root" because that is what isar-only users already
know. And it might be in the docs ...

Henning

> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
> the root account, other values leave the account unlocked. Unlocking
> the account at a later point will restore the password set by
> `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
> > Signed-off-by: Claudius Heine > --- > RECIPE-API-CHANGELOG.md | 9 ++++++++ > .../recipes-app/example-raw/files/postinst | 4 ---- > meta/classes/isar-image.bbclass | 2 +- > .../isar-cfg-rootpw/files/postinst.tmpl | 21 > +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | > 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 > deletions(-) create mode 100644 > meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode > 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index dcfbbee..7863e8a 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. > > It's now sufficient to provide only kbuild rules. Makefile targets > like modules or modules_install as well as KDIR and DESTDIR > evaluation are no longer needed. + > +### Remove setting of root passwords in custom packages > + > +Custom packages that are not installed via the > IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password > via its script in /var/lib/dpkg/info. + > +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the > password and use +the transient 'isar-cfg-rootpw' package (now > installed as transient package per +default). > diff --git a/meta-isar/recipes-app/example-raw/files/postinst > b/meta-isar/recipes-app/example-raw/files/postinst index > f60be8c..f48d993 100644 --- > a/meta-isar/recipes-app/example-raw/files/postinst +++ > b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ > fi > chown -R isar:isar /var/lib/isar > > -# this wins over meta-isar/recipes-core/images/files/*configscript.sh > -# but we take the same password for this example > -echo "root:root" | chpasswd > - > echo "isar" > /etc/hostname > diff --git a/meta/classes/isar-image.bbclass > b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 > --- a/meta/classes/isar-image.bbclass 
> +++ b/meta/classes/isar-image.bbclass > @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" > > DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > > -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" > +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" > > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file > mode 100644 index 0000000..7634f6a > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > @@ -0,0 +1,21 @@ > +#!/bin/sh > +set -e > + > +if ! grep -q 'root:\*:' /etc/shadow; then > + echo "ERROR:isar-cfg-rootpw: root password was set by a > different package" >&2 > + exit -1 > +fi > + > +if [ -n "${CFG_ROOT_PW_ENC}" ]; then > + echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e > +elif [ -n "${CFG_ROOT_PW}" ]; then > + echo "root:${CFG_ROOT_PW}" | chpasswd > +else > + passwd -d root > +fi > + > +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then > + # Lock the account after setting the password, since unlocking > it at some > + # point later would set it to the back to the previous one. > + passwd -l root > +fi > diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file > mode 100644 index 0000000..52bb153 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > @@ -0,0 +1,20 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION = "Isar configuration package for root password" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "passwd" > + > +SRC_URI = "file://postinst.tmpl" > + > +TEMPLATE_FILES = "postinst.tmpl" > +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED" > + > +CFG_ROOT_PW ??= "" > +CFG_ROOT_PW_ENC ??= "" > +CFG_ROOT_LOCKED ??= "0" > + > +inherit dpkg-raw > + > +do_install() { > + echo "intentionally left blank" > +}
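
Review bot: In the RECIPE-API-CHANGELOG.md hunk, the new section names only CFG_ROOT_PW and CFG_ROOT_PW_ENC and leaves out the two behaviours a recipe author most needs to know: leaving both variables empty ends in `passwd -d root`, i.e. root login without a password, and CFG_ROOT_LOCKED exists to lock the account. Add both, plus one sentence on what form CFG_ROOT_PW_ENC must have (whatever `chpasswd -e` accepts on the target), since nothing in the patch shows how to produce that value.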
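
Review bot: In the isar-image.bbclass hunk, appending isar-cfg-rootpw to IMAGE_TRANSIENT_PACKAGES in the class itself changes every image that inherits it, and no opt-out is described. Combined with the postinst check that exits with "root password was set by a different package", any existing layer that still sets the root password in its own package will now fail the image build. Either document how a layer removes isar-cfg-rootpw from the list, or state in the changelog that this failure is intended and what the migration step is.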
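
Review bot: In postinst.tmpl, the substituted values land inside double-quoted shell strings (`echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e` and the CFG_ROOT_PW line below it), so if the template step inserts them literally, the shell expands every `$` they contain. A crypt-style hash of the form $6$salt$hash would then reach chpasswd mangled, and a clear-text password containing `"`, `$` or a backtick would break or alter the script. Emit the value single-quoted with embedded single quotes escaped, or ship it in a data file that the script reads. Two smaller points in the same hunk: `exit -1` is outside the 0-255 range a POSIX /bin/sh accepts for an exit status, so use `exit 1`; and the pattern 'root:\*:' is unanchored, so it also matches a different account whose name ends in "root" and whose password field is `*`. Anchor it as '^root:\*:'.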
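
Review bot: In isar-cfg-rootpw.bb, the defaults `CFG_ROOT_PW ??= ""`, `CFG_ROOT_PW_ENC ??= ""` and `CFG_ROOT_LOCKED ??= "0"` together select the `passwd -d root` branch of the postinst, so an image that configures nothing ships with an unlocked root account that has no password. Default CFG_ROOT_LOCKED to "1", or make the empty-password case an explicit opt-in. Separately, listing CFG_ROOT_PW in TEMPLATE_VARS writes the clear-text password into the generated postinst and therefore into the built package; installing it as a transient package keeps the script out of /var/lib/dpkg/info in the image, but not out of the package itself, which supports accepting only CFG_ROOT_PW_ENC.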