* [PATCH v2 0/1] Centralize root password configuration @ 2019-02-07 11:35 claudius.heine.ext 2019-02-07 11:35 ` [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext 0 siblings, 1 reply; 5+ messages in thread From: claudius.heine.ext @ 2019-02-07 11:35 UTC (permalink / raw) To: isar-users; +Cc: Claudius Heine From: Claudius Heine <ch@denx.de> Hi, here the second version. This patchset depends on the `Template system` patchset. Cheers, Claudius Changes from v1: - Removed CFG_ROOT_PW_ENC setting, now CFG_ROOT_PW needs the encrypted password - fixed bug in postinst template by replacing double quotes with single quotes - added setting of root password to locale.conf.sample - added more documentation Changes from the RFC patch: - Transformed package to be a transient package, prevents leaking of password via /var/lib/dpkg/info - Check if password was already set before setting it. Error if password was set already - Added possibility to set encrypted passwords - Fixed locking to allow restoration of choosen password when account is unlocked later - added documentation in RECIPE-API_CHANGELOG - removed isar-cfg-hostname - fix some scripting errors Claudius Heine (1): meta: add isar-cfg-rootpw recipe for setting root password RECIPE-API-CHANGELOG.md | 9 +++++++++ doc/user_manual.md | 2 ++ meta-isar/conf/local.conf.sample | 6 ++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ 7 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-07 11:35 [PATCH v2 0/1] Centralize root password configuration claudius.heine.ext @ 2019-02-07 11:35 ` claudius.heine.ext 2019-02-07 11:36 ` Claudius Heine 2019-02-07 11:40 ` [PATCH v3] " claudius.heine.ext 0 siblings, 2 replies; 5+ messages in thread From: claudius.heine.ext @ 2019-02-07 11:35 UTC (permalink / raw) To: isar-users; +Cc: Claudius Heine From: Claudius Heine <ch@denx.de> The isar-cfg-rootpw recipe is a central point to set the root password for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file or via `isar-cfg-rootpw.bbappend`. This package is installed as a transient package to avoid leaking passwords set by it via the scripts in `/var/lib/dpkg/info/`. The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root password as clear text or encrypted, or are both empty, in which case login without password is possible. The encrypted password is preferred if both variables are set. The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock the root account, other values leave the account unlocked. Unlocking the account at a later point will restore the password set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. Signed-off-by: Claudius Heine <ch@denx.de> --- RECIPE-API-CHANGELOG.md | 9 +++++++++ doc/user_manual.md | 2 ++ meta-isar/conf/local.conf.sample | 6 ++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ 7 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index dcfbbee..197ce99 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. It's now sufficient to provide only kbuild rules. Makefile targets like modules or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. + +### Remove setting of root passwords in custom packages + +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password via its script in /var/lib/dpkg/info. + +Instead set the CFG_ROOT_PW variable to the encrypted password and use the +transient 'isar-cfg-rootpw' package (now installed as transient package per +default). diff --git a/doc/user_manual.md b/doc/user_manual.md index eebcaa9..dfd46ce 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -313,6 +313,8 @@ Some other variables include: - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional. - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional. - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional. + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. --- diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample index a671b20..9bdfe10 100644 --- a/meta-isar/conf/local.conf.sample +++ b/meta-isar/conf/local.conf.sample @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0" # # Uncomment this to enable use of cached base repository #ISAR_USE_CACHED_BASE_REPO ?= "1" + +# Set root password to 'root' +# Password was encrypted using following command: +# mkpasswd -m sha512crypt -R 10000 +# mkpasswd is part of the 'whois' package of Debian +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst index f60be8c..f48d993 100644 --- a/meta-isar/recipes-app/example-raw/files/postinst +++ b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ fi chown -R isar:isar /var/lib/isar -# this wins over meta-isar/recipes-core/images/files/*configscript.sh -# but we take the same password for this example -echo "root:root" | chpasswd - echo "isar" > /etc/hostname diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 --- a/meta/classes/isar-image.bbclass +++ b/meta/classes/isar-image.bbclass @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file mode 100644 index 0000000..ca08a41 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl @@ -0,0 +1,19 @@ +#!/bin/sh +set -e + +if ! grep -q 'root:\*:' /etc/shadow; then + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 + exit -1 +fi + +if [ -n '${CFG_ROOT_PW}' ]; then + echo 'root:${CFG_ROOT_PW}' | chpasswd -e +else + passwd -d root +fi + +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then + # Lock the account after setting the password, since unlocking it at some + # point later would set it to the back to the previous one. + passwd -l root +fi diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file mode 100644 index 0000000..adee3b5 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb @@ -0,0 +1,19 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Isar configuration package for root password" +MAINTAINER = "isar-users <isar-users@googlegroups.com>" +DEBIAN_DEPENDS = "passwd" + +SRC_URI = "file://postinst.tmpl" + +TEMPLATE_FILES = "postinst.tmpl" +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" + +CFG_ROOT_PW ??= "" +CFG_ROOT_LOCKED ??= "0" + +inherit dpkg-raw + +do_install() { + echo "intentionally left blank" +} -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-07 11:35 ` [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext @ 2019-02-07 11:36 ` Claudius Heine 2019-02-07 11:40 ` [PATCH v3] " claudius.heine.ext 1 sibling, 0 replies; 5+ messages in thread From: Claudius Heine @ 2019-02-07 11:36 UTC (permalink / raw) To: isar-users; +Cc: Claudius Heine On 07/02/2019 12.35, [ext] claudius.heine.ext@siemens.com wrote: > From: Claudius Heine <ch@denx.de> > > The isar-cfg-rootpw recipe is a central point to set the root password > for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`, > `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file > or via `isar-cfg-rootpw.bbappend`. Dammit, I will fix the description to remove CFG_ROOT_PW_ENC next :( > > This package is installed as a transient package to avoid leaking > passwords set by it via the scripts in `/var/lib/dpkg/info/`. > > The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root > password as clear text or encrypted, or are both empty, in which case > login without password is possible. The encrypted password is preferred > if both variables are set. > > The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock > the root account, other values leave the account unlocked. Unlocking the > account at a later point will restore the password set by `CFG_ROOT_PW` > or `CFG_ROOT_PW_ENC`. > > Signed-off-by: Claudius Heine <ch@denx.de> > --- > RECIPE-API-CHANGELOG.md | 9 +++++++++ > doc/user_manual.md | 2 ++ > meta-isar/conf/local.conf.sample | 6 ++++++ > .../recipes-app/example-raw/files/postinst | 4 ---- > meta/classes/isar-image.bbclass | 2 +- > .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ > .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ > 7 files changed, 56 insertions(+), 5 deletions(-) > create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index dcfbbee..197ce99 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. > > It's now sufficient to provide only kbuild rules. Makefile targets like modules > or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. > + > +### Remove setting of root passwords in custom packages > + > +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set > +a root password, leak that password via its script in /var/lib/dpkg/info. > + > +Instead set the CFG_ROOT_PW variable to the encrypted password and use the > +transient 'isar-cfg-rootpw' package (now installed as transient package per > +default). > diff --git a/doc/user_manual.md b/doc/user_manual.md > index eebcaa9..dfd46ce 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -313,6 +313,8 @@ Some other variables include: > - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional. > - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional. > - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional. > + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password > + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. > > --- > > diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample > index a671b20..9bdfe10 100644 > --- a/meta-isar/conf/local.conf.sample > +++ b/meta-isar/conf/local.conf.sample > @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0" > # > # Uncomment this to enable use of cached base repository > #ISAR_USE_CACHED_BASE_REPO ?= "1" > + > +# Set root password to 'root' > +# Password was encrypted using following command: > +# mkpasswd -m sha512crypt -R 10000 > +# mkpasswd is part of the 'whois' package of Debian > +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" > diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst > index f60be8c..f48d993 100644 > --- a/meta-isar/recipes-app/example-raw/files/postinst > +++ b/meta-isar/recipes-app/example-raw/files/postinst > @@ -15,8 +15,4 @@ fi > > chown -R isar:isar /var/lib/isar > > -# this wins over meta-isar/recipes-core/images/files/*configscript.sh > -# but we take the same password for this example > -echo "root:root" | chpasswd > - > echo "isar" > /etc/hostname > diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass > index e2bae58..cdd1651 100644 > --- a/meta/classes/isar-image.bbclass > +++ b/meta/classes/isar-image.bbclass > @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" > > DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > > -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" > +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" > > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > new file mode 100644 > index 0000000..ca08a41 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > @@ -0,0 +1,19 @@ > +#!/bin/sh > +set -e > + > +if ! grep -q 'root:\*:' /etc/shadow; then > + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 > + exit -1 > +fi > + > +if [ -n '${CFG_ROOT_PW}' ]; then > + echo 'root:${CFG_ROOT_PW}' | chpasswd -e > +else > + passwd -d root > +fi > + > +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then > + # Lock the account after setting the password, since unlocking it at some > + # point later would set it to the back to the previous one. > + passwd -l root > +fi > diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > new file mode 100644 > index 0000000..adee3b5 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > @@ -0,0 +1,19 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION = "Isar configuration package for root password" > +MAINTAINER = "isar-users <isar-users@googlegroups.com>" > +DEBIAN_DEPENDS = "passwd" > + > +SRC_URI = "file://postinst.tmpl" > + > +TEMPLATE_FILES = "postinst.tmpl" > +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" > + > +CFG_ROOT_PW ??= "" > +CFG_ROOT_LOCKED ??= "0" > + > +inherit dpkg-raw > + > +do_install() { > + echo "intentionally left blank" > +} > -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v3] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-07 11:35 ` [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext 2019-02-07 11:36 ` Claudius Heine @ 2019-02-07 11:40 ` claudius.heine.ext 2019-02-18 11:43 ` Maxim Yu. Osipov 1 sibling, 1 reply; 5+ messages in thread From: claudius.heine.ext @ 2019-02-07 11:40 UTC (permalink / raw) To: isar-users; +Cc: Claudius Heine From: Claudius Heine <ch@denx.de> The isar-cfg-rootpw recipe is a central point to set the root password for images. It provides the `CFG_ROOT_PW` and `CFG_ROOT_LOCKED` variables, that can be set from any `.conf` file or via `isar-cfg-rootpw.bbappend`. This package is installed as a transient package to avoid leaking passwords set by it via the scripts in `/var/lib/dpkg/info/`. The `CFG_ROOT_PW` variable contain the root password as crypt(3) encrypted string. If this variable is empty root login without password is possible possible. The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock the root account, other values leave the account unlocked. Unlocking the account at a later point will restore the password set by `CFG_ROOT_PW`. Signed-off-by: Claudius Heine <ch@denx.de> --- RECIPE-API-CHANGELOG.md | 9 +++++++++ doc/user_manual.md | 2 ++ meta-isar/conf/local.conf.sample | 6 ++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ 7 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index dcfbbee..197ce99 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. It's now sufficient to provide only kbuild rules. Makefile targets like modules or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. + +### Remove setting of root passwords in custom packages + +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password via its script in /var/lib/dpkg/info. + +Instead set the CFG_ROOT_PW variable to the encrypted password and use the +transient 'isar-cfg-rootpw' package (now installed as transient package per +default). diff --git a/doc/user_manual.md b/doc/user_manual.md index eebcaa9..dfd46ce 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -313,6 +313,8 @@ Some other variables include: - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional. - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional. - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional. + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. --- diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample index a671b20..9bdfe10 100644 --- a/meta-isar/conf/local.conf.sample +++ b/meta-isar/conf/local.conf.sample @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0" # # Uncomment this to enable use of cached base repository #ISAR_USE_CACHED_BASE_REPO ?= "1" + +# Set root password to 'root' +# Password was encrypted using following command: +# mkpasswd -m sha512crypt -R 10000 +# mkpasswd is part of the 'whois' package of Debian +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst index f60be8c..f48d993 100644 --- a/meta-isar/recipes-app/example-raw/files/postinst +++ b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ fi chown -R isar:isar /var/lib/isar -# this wins over meta-isar/recipes-core/images/files/*configscript.sh -# but we take the same password for this example -echo "root:root" | chpasswd - echo "isar" > /etc/hostname diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 --- a/meta/classes/isar-image.bbclass +++ b/meta/classes/isar-image.bbclass @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file mode 100644 index 0000000..ca08a41 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl @@ -0,0 +1,19 @@ +#!/bin/sh +set -e + +if ! grep -q 'root:\*:' /etc/shadow; then + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 + exit -1 +fi + +if [ -n '${CFG_ROOT_PW}' ]; then + echo 'root:${CFG_ROOT_PW}' | chpasswd -e +else + passwd -d root +fi + +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then + # Lock the account after setting the password, since unlocking it at some + # point later would set it to the back to the previous one. + passwd -l root +fi diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file mode 100644 index 0000000..adee3b5 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb @@ -0,0 +1,19 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Isar configuration package for root password" +MAINTAINER = "isar-users <isar-users@googlegroups.com>" +DEBIAN_DEPENDS = "passwd" + +SRC_URI = "file://postinst.tmpl" + +TEMPLATE_FILES = "postinst.tmpl" +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" + +CFG_ROOT_PW ??= "" +CFG_ROOT_LOCKED ??= "0" + +inherit dpkg-raw + +do_install() { + echo "intentionally left blank" +} -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v3] meta: add isar-cfg-rootpw recipe for setting root password 2019-02-07 11:40 ` [PATCH v3] " claudius.heine.ext @ 2019-02-18 11:43 ` Maxim Yu. Osipov 0 siblings, 0 replies; 5+ messages in thread From: Maxim Yu. Osipov @ 2019-02-18 11:43 UTC (permalink / raw) To: claudius.heine.ext, isar-users; +Cc: Claudius Heine On 2/7/19 12:40 PM, claudius.heine.ext@siemens.com wrote: > From: Claudius Heine <ch@denx.de> > > The isar-cfg-rootpw recipe is a central point to set the root password > for images. It provides the `CFG_ROOT_PW` and `CFG_ROOT_LOCKED` > variables, that can be set from any `.conf` file or via > `isar-cfg-rootpw.bbappend`. > > This package is installed as a transient package to avoid leaking > passwords set by it via the scripts in `/var/lib/dpkg/info/`. > > The `CFG_ROOT_PW` variable contain the root password as crypt(3) > encrypted string. If this variable is empty root login without password > is possible possible. > > The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock > the root account, other values leave the account unlocked. Unlocking the > account at a later point will restore the password set by `CFG_ROOT_PW`. Applied to the 'next', Note: Reworded `CFG_ROOT_PW` description in commit message and in user_manual. Thanks, Maxim. > Signed-off-by: Claudius Heine <ch@denx.de> > --- > RECIPE-API-CHANGELOG.md | 9 +++++++++ > doc/user_manual.md | 2 ++ > meta-isar/conf/local.conf.sample | 6 ++++++ > .../recipes-app/example-raw/files/postinst | 4 ---- > meta/classes/isar-image.bbclass | 2 +- > .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ > .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ > 7 files changed, 56 insertions(+), 5 deletions(-) > create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index dcfbbee..197ce99 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. > > It's now sufficient to provide only kbuild rules. Makefile targets like modules > or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. > + > +### Remove setting of root passwords in custom packages > + > +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set > +a root password, leak that password via its script in /var/lib/dpkg/info. > + > +Instead set the CFG_ROOT_PW variable to the encrypted password and use the > +transient 'isar-cfg-rootpw' package (now installed as transient package per > +default). > diff --git a/doc/user_manual.md b/doc/user_manual.md > index eebcaa9..dfd46ce 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -313,6 +313,8 @@ Some other variables include: > - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional. > - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional. > - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional. > + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password > + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. > > --- > > diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample > index a671b20..9bdfe10 100644 > --- a/meta-isar/conf/local.conf.sample > +++ b/meta-isar/conf/local.conf.sample > @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0" > # > # Uncomment this to enable use of cached base repository > #ISAR_USE_CACHED_BASE_REPO ?= "1" > + > +# Set root password to 'root' > +# Password was encrypted using following command: > +# mkpasswd -m sha512crypt -R 10000 > +# mkpasswd is part of the 'whois' package of Debian > +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" > diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst > index f60be8c..f48d993 100644 > --- a/meta-isar/recipes-app/example-raw/files/postinst > +++ b/meta-isar/recipes-app/example-raw/files/postinst > @@ -15,8 +15,4 @@ fi > > chown -R isar:isar /var/lib/isar > > -# this wins over meta-isar/recipes-core/images/files/*configscript.sh > -# but we take the same password for this example > -echo "root:root" | chpasswd > - > echo "isar" > /etc/hostname > diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass > index e2bae58..cdd1651 100644 > --- a/meta/classes/isar-image.bbclass > +++ b/meta/classes/isar-image.bbclass > @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" > > DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > > -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" > +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" > > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > new file mode 100644 > index 0000000..ca08a41 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > @@ -0,0 +1,19 @@ > +#!/bin/sh > +set -e > + > +if ! grep -q 'root:\*:' /etc/shadow; then > + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 > + exit -1 > +fi > + > +if [ -n '${CFG_ROOT_PW}' ]; then > + echo 'root:${CFG_ROOT_PW}' | chpasswd -e > +else > + passwd -d root > +fi > + > +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then > + # Lock the account after setting the password, since unlocking it at some > + # point later would set it to the back to the previous one. > + passwd -l root > +fi > diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > new file mode 100644 > index 0000000..adee3b5 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > @@ -0,0 +1,19 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION = "Isar configuration package for root password" > +MAINTAINER = "isar-users <isar-users@googlegroups.com>" > +DEBIAN_DEPENDS = "passwd" > + > +SRC_URI = "file://postinst.tmpl" > + > +TEMPLATE_FILES = "postinst.tmpl" > +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" > + > +CFG_ROOT_PW ??= "" > +CFG_ROOT_LOCKED ??= "0" > + > +inherit dpkg-raw > + > +do_install() { > + echo "intentionally left blank" > +} > -- Maxim Osipov ilbers GmbH Maria-Merian-Str. 8 85521 Ottobrunn Germany +49 (151) 6517 6917 mosipov@ilbers.de http://ilbers.de/ Commercial register Munich, HRB 214197 General Manager: Baurzhan Ismagulov ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-02-18 11:43 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-02-07 11:35 [PATCH v2 0/1] Centralize root password configuration claudius.heine.ext 2019-02-07 11:35 ` [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password claudius.heine.ext 2019-02-07 11:36 ` Claudius Heine 2019-02-07 11:40 ` [PATCH v3] " claudius.heine.ext 2019-02-18 11:43 ` Maxim Yu. Osipov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox