[PATCH v2 0/1] Centralize root password configuration

[PATCH v2 0/1] Centralize root password configuration

[claudius.heine.ext]

From: Claudius Heine <ch@denx.de>

Hi,

here the second version.
This patchset depends on the `Template system` patchset.

Cheers,
Claudius

Changes from v1:
 - Removed CFG_ROOT_PW_ENC setting, now CFG_ROOT_PW needs the encrypted
   password
 - fixed bug in postinst template by replacing double quotes with single
   quotes
 - added setting of root password to locale.conf.sample
 - added more documentation

Changes from the RFC patch:
 - Transformed package to be a transient package, prevents leaking of
   password via /var/lib/dpkg/info
 - Check if password was already set before setting it. Error if
   password was set already
 - Added possibility to set encrypted passwords
 - Fixed locking to allow restoration of choosen password when account
   is unlocked later
 - added documentation in RECIPE-API_CHANGELOG
 - removed isar-cfg-hostname
 - fix some scripting errors


Claudius Heine (1):
  meta: add isar-cfg-rootpw recipe for setting root password

 RECIPE-API-CHANGELOG.md                       |  9 +++++++++
 doc/user_manual.md                            |  2 ++
 meta-isar/conf/local.conf.sample              |  6 ++++++
 .../recipes-app/example-raw/files/postinst    |  4 ----
 meta/classes/isar-image.bbclass               |  2 +-
 .../isar-cfg-rootpw/files/postinst.tmpl       | 19 +++++++++++++++++++
 .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 19 +++++++++++++++++++
 7 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb

-- 
2.20.1

[PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[claudius.heine.ext]

From: Claudius Heine <ch@denx.de>

The isar-cfg-rootpw recipe is a central point to set the root password
for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
`CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
or via `isar-cfg-rootpw.bbappend`.

This package is installed as a transient package to avoid leaking
passwords set by it via the scripts in `/var/lib/dpkg/info/`.

The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root
password as clear text or encrypted, or are both empty, in which case
login without password is possible. The encrypted password is preferred
if both variables are set.

The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
the root account, other values leave the account unlocked. Unlocking the
account at a later point will restore the password set by `CFG_ROOT_PW`
or `CFG_ROOT_PW_ENC`.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 RECIPE-API-CHANGELOG.md                       |  9 +++++++++
 doc/user_manual.md                            |  2 ++
 meta-isar/conf/local.conf.sample              |  6 ++++++
 .../recipes-app/example-raw/files/postinst    |  4 ----
 meta/classes/isar-image.bbclass               |  2 +-
 .../isar-cfg-rootpw/files/postinst.tmpl       | 19 +++++++++++++++++++
 .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 19 +++++++++++++++++++
 7 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index dcfbbee..197ce99 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
 
 It's now sufficient to provide only kbuild rules. Makefile targets like modules
 or modules_install as well as KDIR and DESTDIR evaluation are no longer needed.
+
+### Remove setting of root passwords in custom packages
+
+Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set
+a root password, leak that password via its script in /var/lib/dpkg/info.
+
+Instead set the CFG_ROOT_PW variable to the encrypted password and use the
+transient 'isar-cfg-rootpw' package (now installed as transient package per
+default).
diff --git a/doc/user_manual.md b/doc/user_manual.md
index eebcaa9..dfd46ce 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -313,6 +313,8 @@ Some other variables include:
  - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional.
  - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional.
  - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional.
+ - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password
+ - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
 
 ---
 
diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index a671b20..9bdfe10 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0"
 #
 # Uncomment this to enable use of cached base repository
 #ISAR_USE_CACHED_BASE_REPO ?= "1"
+
+# Set root password to 'root'
+# Password was encrypted using following command:
+#   mkpasswd -m sha512crypt -R 10000
+# mkpasswd is part of the 'whois' package of Debian
+CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"
diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
index f60be8c..f48d993 100644
--- a/meta-isar/recipes-app/example-raw/files/postinst
+++ b/meta-isar/recipes-app/example-raw/files/postinst
@@ -15,8 +15,4 @@ fi
 
 chown -R isar:isar /var/lib/isar
 
-# this wins over meta-isar/recipes-core/images/files/*configscript.sh
-# but we take the same password for this example
-echo "root:root" | chpasswd
-
 echo "isar" > /etc/hostname
diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
index e2bae58..cdd1651 100644
--- a/meta/classes/isar-image.bbclass
+++ b/meta/classes/isar-image.bbclass
@@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
 
 DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
 
-IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
+IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
 
 WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
 
diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
new file mode 100644
index 0000000..ca08a41
--- /dev/null
+++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+if ! grep -q 'root:\*:' /etc/shadow; then
+    echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2
+    exit -1
+fi
+
+if [ -n '${CFG_ROOT_PW}' ]; then
+    echo 'root:${CFG_ROOT_PW}' | chpasswd -e
+else
+    passwd -d root
+fi
+
+if [ '${CFG_ROOT_LOCKED}' = "1" ]; then
+    # Lock the account after setting the password, since unlocking it at some
+    # point later would set it to the back to the previous one.
+    passwd -l root
+fi
diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
new file mode 100644
index 0000000..adee3b5
--- /dev/null
+++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
@@ -0,0 +1,19 @@
+# This software is a part of ISAR.
+
+DESCRIPTION = "Isar configuration package for root password"
+MAINTAINER = "isar-users <isar-users@googlegroups.com>"
+DEBIAN_DEPENDS = "passwd"
+
+SRC_URI = "file://postinst.tmpl"
+
+TEMPLATE_FILES = "postinst.tmpl"
+TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED"
+
+CFG_ROOT_PW ??= ""
+CFG_ROOT_LOCKED ??= "0"
+
+inherit dpkg-raw
+
+do_install() {
+    echo "intentionally left blank"
+}
-- 
2.20.1

Re: [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[Claudius Heine]

On 07/02/2019 12.35, [ext] claudius.heine.ext@siemens.com wrote:
> From: Claudius Heine <ch@denx.de>
> 
> The isar-cfg-rootpw recipe is a central point to set the root password
> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
> or via `isar-cfg-rootpw.bbappend`.

Dammit, I will fix the description to remove CFG_ROOT_PW_ENC next :(

> 
> This package is installed as a transient package to avoid leaking
> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> 
> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root
> password as clear text or encrypted, or are both empty, in which case
> login without password is possible. The encrypted password is preferred
> if both variables are set.
> 
> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
> the root account, other values leave the account unlocked. Unlocking the
> account at a later point will restore the password set by `CFG_ROOT_PW`
> or `CFG_ROOT_PW_ENC`.
> 
> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
>   RECIPE-API-CHANGELOG.md                       |  9 +++++++++
>   doc/user_manual.md                            |  2 ++
>   meta-isar/conf/local.conf.sample              |  6 ++++++
>   .../recipes-app/example-raw/files/postinst    |  4 ----
>   meta/classes/isar-image.bbclass               |  2 +-
>   .../isar-cfg-rootpw/files/postinst.tmpl       | 19 +++++++++++++++++++
>   .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 19 +++++++++++++++++++
>   7 files changed, 56 insertions(+), 5 deletions(-)
>   create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
>   create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index dcfbbee..197ce99 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
>   
>   It's now sufficient to provide only kbuild rules. Makefile targets like modules
>   or modules_install as well as KDIR and DESTDIR evaluation are no longer needed.
> +
> +### Remove setting of root passwords in custom packages
> +
> +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set
> +a root password, leak that password via its script in /var/lib/dpkg/info.
> +
> +Instead set the CFG_ROOT_PW variable to the encrypted password and use the
> +transient 'isar-cfg-rootpw' package (now installed as transient package per
> +default).
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index eebcaa9..dfd46ce 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -313,6 +313,8 @@ Some other variables include:
>    - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional.
>    - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional.
>    - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional.
> + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password
> + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
>   
>   ---
>   
> diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
> index a671b20..9bdfe10 100644
> --- a/meta-isar/conf/local.conf.sample
> +++ b/meta-isar/conf/local.conf.sample
> @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0"
>   #
>   # Uncomment this to enable use of cached base repository
>   #ISAR_USE_CACHED_BASE_REPO ?= "1"
> +
> +# Set root password to 'root'
> +# Password was encrypted using following command:
> +#   mkpasswd -m sha512crypt -R 10000
> +# mkpasswd is part of the 'whois' package of Debian
> +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"
> diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
> index f60be8c..f48d993 100644
> --- a/meta-isar/recipes-app/example-raw/files/postinst
> +++ b/meta-isar/recipes-app/example-raw/files/postinst
> @@ -15,8 +15,4 @@ fi
>   
>   chown -R isar:isar /var/lib/isar
>   
> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh
> -# but we take the same password for this example
> -echo "root:root" | chpasswd
> -
>   echo "isar" > /etc/hostname
> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
> index e2bae58..cdd1651 100644
> --- a/meta/classes/isar-image.bbclass
> +++ b/meta/classes/isar-image.bbclass
> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>   
>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>   
> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>   
>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>   
> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> new file mode 100644
> index 0000000..ca08a41
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +set -e
> +
> +if ! grep -q 'root:\*:' /etc/shadow; then
> +    echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2
> +    exit -1
> +fi
> +
> +if [ -n '${CFG_ROOT_PW}' ]; then
> +    echo 'root:${CFG_ROOT_PW}' | chpasswd -e
> +else
> +    passwd -d root
> +fi
> +
> +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then
> +    # Lock the account after setting the password, since unlocking it at some
> +    # point later would set it to the back to the previous one.
> +    passwd -l root
> +fi
> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> new file mode 100644
> index 0000000..adee3b5
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> @@ -0,0 +1,19 @@
> +# This software is a part of ISAR.
> +
> +DESCRIPTION = "Isar configuration package for root password"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "passwd"
> +
> +SRC_URI = "file://postinst.tmpl"
> +
> +TEMPLATE_FILES = "postinst.tmpl"
> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED"
> +
> +CFG_ROOT_PW ??= ""
> +CFG_ROOT_LOCKED ??= "0"
> +
> +inherit dpkg-raw
> +
> +do_install() {
> +    echo "intentionally left blank"
> +}
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

[PATCH v3] meta: add isar-cfg-rootpw recipe for setting root password

[claudius.heine.ext]

From: Claudius Heine <ch@denx.de>

The isar-cfg-rootpw recipe is a central point to set the root password
for images. It provides the `CFG_ROOT_PW` and `CFG_ROOT_LOCKED`
variables, that can be set from any `.conf` file or via
`isar-cfg-rootpw.bbappend`.

This package is installed as a transient package to avoid leaking
passwords set by it via the scripts in `/var/lib/dpkg/info/`.

The `CFG_ROOT_PW` variable contain the root password as crypt(3)
encrypted string. If this variable is empty root login without password
is possible possible.

The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
the root account, other values leave the account unlocked. Unlocking the
account at a later point will restore the password set by `CFG_ROOT_PW`.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 RECIPE-API-CHANGELOG.md                       |  9 +++++++++
 doc/user_manual.md                            |  2 ++
 meta-isar/conf/local.conf.sample              |  6 ++++++
 .../recipes-app/example-raw/files/postinst    |  4 ----
 meta/classes/isar-image.bbclass               |  2 +-
 .../isar-cfg-rootpw/files/postinst.tmpl       | 19 +++++++++++++++++++
 .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 19 +++++++++++++++++++
 7 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index dcfbbee..197ce99 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
 
 It's now sufficient to provide only kbuild rules. Makefile targets like modules
 or modules_install as well as KDIR and DESTDIR evaluation are no longer needed.
+
+### Remove setting of root passwords in custom packages
+
+Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set
+a root password, leak that password via its script in /var/lib/dpkg/info.
+
+Instead set the CFG_ROOT_PW variable to the encrypted password and use the
+transient 'isar-cfg-rootpw' package (now installed as transient package per
+default).
diff --git a/doc/user_manual.md b/doc/user_manual.md
index eebcaa9..dfd46ce 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -313,6 +313,8 @@ Some other variables include:
  - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional.
  - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional.
  - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional.
+ - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password
+ - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
 
 ---
 
diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index a671b20..9bdfe10 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0"
 #
 # Uncomment this to enable use of cached base repository
 #ISAR_USE_CACHED_BASE_REPO ?= "1"
+
+# Set root password to 'root'
+# Password was encrypted using following command:
+#   mkpasswd -m sha512crypt -R 10000
+# mkpasswd is part of the 'whois' package of Debian
+CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"
diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
index f60be8c..f48d993 100644
--- a/meta-isar/recipes-app/example-raw/files/postinst
+++ b/meta-isar/recipes-app/example-raw/files/postinst
@@ -15,8 +15,4 @@ fi
 
 chown -R isar:isar /var/lib/isar
 
-# this wins over meta-isar/recipes-core/images/files/*configscript.sh
-# but we take the same password for this example
-echo "root:root" | chpasswd
-
 echo "isar" > /etc/hostname
diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
index e2bae58..cdd1651 100644
--- a/meta/classes/isar-image.bbclass
+++ b/meta/classes/isar-image.bbclass
@@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
 
 DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
 
-IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
+IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
 
 WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
 
diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
new file mode 100644
index 0000000..ca08a41
--- /dev/null
+++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+if ! grep -q 'root:\*:' /etc/shadow; then
+    echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2
+    exit -1
+fi
+
+if [ -n '${CFG_ROOT_PW}' ]; then
+    echo 'root:${CFG_ROOT_PW}' | chpasswd -e
+else
+    passwd -d root
+fi
+
+if [ '${CFG_ROOT_LOCKED}' = "1" ]; then
+    # Lock the account after setting the password, since unlocking it at some
+    # point later would set it to the back to the previous one.
+    passwd -l root
+fi
diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
new file mode 100644
index 0000000..adee3b5
--- /dev/null
+++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
@@ -0,0 +1,19 @@
+# This software is a part of ISAR.
+
+DESCRIPTION = "Isar configuration package for root password"
+MAINTAINER = "isar-users <isar-users@googlegroups.com>"
+DEBIAN_DEPENDS = "passwd"
+
+SRC_URI = "file://postinst.tmpl"
+
+TEMPLATE_FILES = "postinst.tmpl"
+TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED"
+
+CFG_ROOT_PW ??= ""
+CFG_ROOT_LOCKED ??= "0"
+
+inherit dpkg-raw
+
+do_install() {
+    echo "intentionally left blank"
+}
-- 
2.20.1

Re: [PATCH v3] meta: add isar-cfg-rootpw recipe for setting root password

[Maxim Yu. Osipov]

On 2/7/19 12:40 PM, claudius.heine.ext@siemens.com wrote:
> From: Claudius Heine <ch@denx.de>
> 
> The isar-cfg-rootpw recipe is a central point to set the root password
> for images. It provides the `CFG_ROOT_PW` and `CFG_ROOT_LOCKED`
> variables, that can be set from any `.conf` file or via
> `isar-cfg-rootpw.bbappend`.
> 
> This package is installed as a transient package to avoid leaking
> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> 
> The `CFG_ROOT_PW` variable contain the root password as crypt(3)
> encrypted string. If this variable is empty root login without password
> is possible possible.
> 
> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
> the root account, other values leave the account unlocked. Unlocking the
> account at a later point will restore the password set by `CFG_ROOT_PW`.

Applied to the 'next',

Note: Reworded `CFG_ROOT_PW` description in commit message and in 
user_manual.

Thanks,
Maxim.

> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
>   RECIPE-API-CHANGELOG.md                       |  9 +++++++++
>   doc/user_manual.md                            |  2 ++
>   meta-isar/conf/local.conf.sample              |  6 ++++++
>   .../recipes-app/example-raw/files/postinst    |  4 ----
>   meta/classes/isar-image.bbclass               |  2 +-
>   .../isar-cfg-rootpw/files/postinst.tmpl       | 19 +++++++++++++++++++
>   .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 19 +++++++++++++++++++
>   7 files changed, 56 insertions(+), 5 deletions(-)
>   create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
>   create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index dcfbbee..197ce99 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
>   
>   It's now sufficient to provide only kbuild rules. Makefile targets like modules
>   or modules_install as well as KDIR and DESTDIR evaluation are no longer needed.
> +
> +### Remove setting of root passwords in custom packages
> +
> +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set
> +a root password, leak that password via its script in /var/lib/dpkg/info.
> +
> +Instead set the CFG_ROOT_PW variable to the encrypted password and use the
> +transient 'isar-cfg-rootpw' package (now installed as transient package per
> +default).
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index eebcaa9..dfd46ce 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -313,6 +313,8 @@ Some other variables include:
>    - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional.
>    - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional.
>    - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional.
> + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password
> + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
>   
>   ---
>   
> diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
> index a671b20..9bdfe10 100644
> --- a/meta-isar/conf/local.conf.sample
> +++ b/meta-isar/conf/local.conf.sample
> @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0"
>   #
>   # Uncomment this to enable use of cached base repository
>   #ISAR_USE_CACHED_BASE_REPO ?= "1"
> +
> +# Set root password to 'root'
> +# Password was encrypted using following command:
> +#   mkpasswd -m sha512crypt -R 10000
> +# mkpasswd is part of the 'whois' package of Debian
> +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"
> diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
> index f60be8c..f48d993 100644
> --- a/meta-isar/recipes-app/example-raw/files/postinst
> +++ b/meta-isar/recipes-app/example-raw/files/postinst
> @@ -15,8 +15,4 @@ fi
>   
>   chown -R isar:isar /var/lib/isar
>   
> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh
> -# but we take the same password for this example
> -echo "root:root" | chpasswd
> -
>   echo "isar" > /etc/hostname
> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
> index e2bae58..cdd1651 100644
> --- a/meta/classes/isar-image.bbclass
> +++ b/meta/classes/isar-image.bbclass
> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>   
>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>   
> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>   
>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>   
> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> new file mode 100644
> index 0000000..ca08a41
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +set -e
> +
> +if ! grep -q 'root:\*:' /etc/shadow; then
> +    echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2
> +    exit -1
> +fi
> +
> +if [ -n '${CFG_ROOT_PW}' ]; then
> +    echo 'root:${CFG_ROOT_PW}' | chpasswd -e
> +else
> +    passwd -d root
> +fi
> +
> +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then
> +    # Lock the account after setting the password, since unlocking it at some
> +    # point later would set it to the back to the previous one.
> +    passwd -l root
> +fi
> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> new file mode 100644
> index 0000000..adee3b5
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> @@ -0,0 +1,19 @@
> +# This software is a part of ISAR.
> +
> +DESCRIPTION = "Isar configuration package for root password"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "passwd"
> +
> +SRC_URI = "file://postinst.tmpl"
> +
> +TEMPLATE_FILES = "postinst.tmpl"
> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED"
> +
> +CFG_ROOT_PW ??= ""
> +CFG_ROOT_LOCKED ??= "0"
> +
> +inherit dpkg-raw
> +
> +do_install() {
> +    echo "intentionally left blank"
> +}
> 


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov