From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6654882193514430464 X-Received: by 2002:a19:5f1d:: with SMTP id t29mr552715lfb.17.1549539316995; Thu, 07 Feb 2019 03:35:16 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a19:2d4f:: with SMTP id t15ls202980lft.2.gmail; Thu, 07 Feb 2019 03:35:16 -0800 (PST) X-Google-Smtp-Source: AHgI3IZDpx/DjP5tN/f8UKbFZi40qGgke1QMmLaoFFGcdv7IQnJ9X7r4uVoKaQ36PgaON71N9SzB X-Received: by 2002:a19:5519:: with SMTP id n25mr1029141lfe.1.1549539316432; Thu, 07 Feb 2019 03:35:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549539316; cv=none; d=google.com; s=arc-20160816; b=WmUIgy4vj9KfnlO8L8P8hy2pp4J6VBIsCG5MI3XE81QywEMY7eJkrNYjezxiO0fCHi O72hl7mnJB5sSauwwzhF0OHGI9WyWnH36e+Q/uFB4wF3iNuW/R4FU4nPd0/HGrqOVBx9 RuyrR4n0/SU12XhTjQQTjulRwGI5bhMLk91FJ2Xb1B3sCXU1btkNMt8GEbUet+sx+1Ob rEWtgj68g2RNj5ePfYwpK6Lyc59pjmqLaLn5ZM0D3E3k/6Ic4IlosnjDEWdCSIc9PAwQ zY68YJDnuJEJxOwGuBxkrt3DrzKcfi8Mq1yrpW9R02xZflJj0jrxjU4SEtI2b2rfSXQb +AKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=8ZQjaSg5gYZz18ucCCKJ3JTwk76UPKVrJwNEz1u01e8=; b=km/6PnYaAIyzLhxGRi1skHr8+19Fz2k1kHHOK6dtojDtcUMuq5xgqEBcRz7yrv4uEH vrMTKpeE7sHJkXk697juO8c1MXlJhSKakhObaQ9wRY8t4n5qdViazfDTENJDOZP0u1D8 Q7avX3rmEYkt8+B080ByjcUHOTyxud5nkP3NdhhEtDGvrjJHiDd3doY/vWeRmBhC1dTu PD4jbBrbsFnMvkwunEp9dUrjQX4ohRe0VmvuVSuKKcKe/yUDrAJEk+aSlrBPSDOExB/U pXfduvNIkFzrwUcigdsbaYOoMcf2TzPONW0luTxfHu7TZydIYgvR1dra4ifWV25gAvOH YZUg== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Return-Path: Received: from david.siemens.de (david.siemens.de. [192.35.17.14]) by gmr-mx.google.com with ESMTPS id q10-v6si1356486lji.4.2019.02.07.03.35.16 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 03:35:16 -0800 (PST) Received-SPF: pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id x17BZFtB016868 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Feb 2019 12:35:15 +0100 Received: from ring.ppmd.siemens.net (linux-ses-ext02.ppmd.siemens.net [139.25.69.181]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id x17BZEb5029922; Thu, 7 Feb 2019 12:35:15 +0100 From: claudius.heine.ext@siemens.com To: isar-users@googlegroups.com Cc: Claudius Heine Subject: [PATCH v2 1/1] meta: add isar-cfg-rootpw recipe for setting root password Date: Thu, 7 Feb 2019 12:35:12 +0100 Message-Id: <20190207113512.3773-2-claudius.heine.ext@siemens.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190207113512.3773-1-claudius.heine.ext@siemens.com> References: <20190207113512.3773-1-claudius.heine.ext@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TUID: ebgIFTrM8WYr From: Claudius Heine The isar-cfg-rootpw recipe is a central point to set the root password for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file or via `isar-cfg-rootpw.bbappend`. This package is installed as a transient package to avoid leaking passwords set by it via the scripts in `/var/lib/dpkg/info/`. The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root password as clear text or encrypted, or are both empty, in which case login without password is possible. The encrypted password is preferred if both variables are set. The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock the root account, other values leave the account unlocked. Unlocking the account at a later point will restore the password set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. Signed-off-by: Claudius Heine --- RECIPE-API-CHANGELOG.md | 9 +++++++++ doc/user_manual.md | 2 ++ meta-isar/conf/local.conf.sample | 6 ++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ 7 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index dcfbbee..197ce99 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. It's now sufficient to provide only kbuild rules. Makefile targets like modules or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. + +### Remove setting of root passwords in custom packages + +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password via its script in /var/lib/dpkg/info. + +Instead set the CFG_ROOT_PW variable to the encrypted password and use the +transient 'isar-cfg-rootpw' package (now installed as transient package per +default). diff --git a/doc/user_manual.md b/doc/user_manual.md index eebcaa9..dfd46ce 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -313,6 +313,8 @@ Some other variables include: - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional. - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional. - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional. + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. --- diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample index a671b20..9bdfe10 100644 --- a/meta-isar/conf/local.conf.sample +++ b/meta-isar/conf/local.conf.sample @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0" # # Uncomment this to enable use of cached base repository #ISAR_USE_CACHED_BASE_REPO ?= "1" + +# Set root password to 'root' +# Password was encrypted using following command: +# mkpasswd -m sha512crypt -R 10000 +# mkpasswd is part of the 'whois' package of Debian +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst index f60be8c..f48d993 100644 --- a/meta-isar/recipes-app/example-raw/files/postinst +++ b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ fi chown -R isar:isar /var/lib/isar -# this wins over meta-isar/recipes-core/images/files/*configscript.sh -# but we take the same password for this example -echo "root:root" | chpasswd - echo "isar" > /etc/hostname diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 --- a/meta/classes/isar-image.bbclass +++ b/meta/classes/isar-image.bbclass @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file mode 100644 index 0000000..ca08a41 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl @@ -0,0 +1,19 @@ +#!/bin/sh +set -e + +if ! grep -q 'root:\*:' /etc/shadow; then + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 + exit -1 +fi + +if [ -n '${CFG_ROOT_PW}' ]; then + echo 'root:${CFG_ROOT_PW}' | chpasswd -e +else + passwd -d root +fi + +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then + # Lock the account after setting the password, since unlocking it at some + # point later would set it to the back to the previous one. + passwd -l root +fi diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file mode 100644 index 0000000..adee3b5 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb @@ -0,0 +1,19 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Isar configuration package for root password" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "passwd" + +SRC_URI = "file://postinst.tmpl" + +TEMPLATE_FILES = "postinst.tmpl" +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" + +CFG_ROOT_PW ??= "" +CFG_ROOT_LOCKED ??= "0" + +inherit dpkg-raw + +do_install() { + echo "intentionally left blank" +} -- 2.20.1