From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6654882193514430464 X-Received: by 2002:a2e:9e41:: with SMTP id g1-v6mr175730ljk.22.1549539620822; Thu, 07 Feb 2019 03:40:20 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a19:d3c9:: with SMTP id k192ls30434lfg.12.gmail; Thu, 07 Feb 2019 03:40:20 -0800 (PST) X-Google-Smtp-Source: AHgI3IYosd3c4vfZrmeyVBozhkNvnnmbvEKcG5sO1C+KvIPB/hHWyvJQDBLfDVsCRxygwv9qUhOc X-Received: by 2002:ac2:50d1:: with SMTP id h17mr1024407lfm.15.1549539620309; Thu, 07 Feb 2019 03:40:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549539620; cv=none; d=google.com; s=arc-20160816; b=T4+9SG6CY4ncwW1la5pvmEnIIY5t6vyIurWnMLMoXzEXapFhlII2iNU+iY7T5Z8hUr z2siwixEEyaHoVX5B0MAY6vDY67AZSfpe+HGXyCINWYw9g4e0gLZ8T3opw+BfDR8iyIB q8nVIwZClNY2OvFpxdvOgghTYnKnI50MIiHwzmUevmkg7KqgbX+ue5yTlQa33vGSQ/Fc dWRR3Ms86Vy4nnISraU3Agunq00F+yaKRzvNkX/gcsKGhVsjhH5crWS4qeIuWZSoPZ4S Q5yDzIp6oTX0a2dQ+FN9q8veYUjA/wybpb8gZpLheL9JRPIOC65tgN10cG8MG3ctkRWw pNCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=kan37C8GcOH03VRx90Tj8rLNRSf3j40ABRM4FgsgQFw=; b=Wk92DAC4s5cZ3Qje1taJc/Hd3zjWCEM/dERs2AynH+QMeqEustT71gr6Rk2VDkX4jG 5HGEqG67CDVp1dXc+pcnTuKIfQdD6UC5SIoSOaevSjqvJlWVaW3dMJDhoS5moSY5YKdB ie3l6Z8HoUfSIrCMDsPcXrhUNIp1VYnGeGGxCbust4RbcHBx9evZGqfWhZ1ATnDpS7sw CUS0MGayHHEGwuC4NHTCf1BjFxslF0PoXrlLhd5Q9Tp4nqsPSD1deogXjVfxTpJzVrvF h4f23nN0xewe/REIbRCzUorCz+4V1ASfwhSGlY/8Edhi4g7Vcqbu5z4xXHppdhtgHmku +8/w== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Return-Path: Received: from lizzard.sbs.de (lizzard.sbs.de. [194.138.37.39]) by gmr-mx.google.com with ESMTPS id e17-v6si1234752ljg.5.2019.02.07.03.40.20 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 03:40:20 -0800 (PST) Received-SPF: pass (google.com: domain of claudius.heine.ext@siemens.com designates 194.138.37.39 as permitted sender) client-ip=194.138.37.39; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id x17BeJ4g005402 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Feb 2019 12:40:19 +0100 Received: from ring.ppmd.siemens.net (linux-ses-ext02.ppmd.siemens.net [139.25.69.181]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x17BeJYh031931; Thu, 7 Feb 2019 12:40:19 +0100 From: claudius.heine.ext@siemens.com To: isar-users@googlegroups.com Cc: Claudius Heine Subject: [PATCH v3] meta: add isar-cfg-rootpw recipe for setting root password Date: Thu, 7 Feb 2019 12:40:11 +0100 Message-Id: <20190207114011.3924-1-claudius.heine.ext@siemens.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190207113512.3773-2-claudius.heine.ext@siemens.com> References: <20190207113512.3773-2-claudius.heine.ext@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TUID: MpChHzJIGFQT From: Claudius Heine The isar-cfg-rootpw recipe is a central point to set the root password for images. It provides the `CFG_ROOT_PW` and `CFG_ROOT_LOCKED` variables, that can be set from any `.conf` file or via `isar-cfg-rootpw.bbappend`. This package is installed as a transient package to avoid leaking passwords set by it via the scripts in `/var/lib/dpkg/info/`. The `CFG_ROOT_PW` variable contain the root password as crypt(3) encrypted string. If this variable is empty root login without password is possible possible. The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock the root account, other values leave the account unlocked. Unlocking the account at a later point will restore the password set by `CFG_ROOT_PW`. Signed-off-by: Claudius Heine --- RECIPE-API-CHANGELOG.md | 9 +++++++++ doc/user_manual.md | 2 ++ meta-isar/conf/local.conf.sample | 6 ++++++ .../recipes-app/example-raw/files/postinst | 4 ---- meta/classes/isar-image.bbclass | 2 +- .../isar-cfg-rootpw/files/postinst.tmpl | 19 +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 +++++++++++++++++++ 7 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index dcfbbee..197ce99 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. It's now sufficient to provide only kbuild rules. Makefile targets like modules or modules_install as well as KDIR and DESTDIR evaluation are no longer needed. + +### Remove setting of root passwords in custom packages + +Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password via its script in /var/lib/dpkg/info. + +Instead set the CFG_ROOT_PW variable to the encrypted password and use the +transient 'isar-cfg-rootpw' package (now installed as transient package per +default). diff --git a/doc/user_manual.md b/doc/user_manual.md index eebcaa9..dfd46ce 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -313,6 +313,8 @@ Some other variables include: - `HOST_ARCH` - The Debian architecture of SDK root filesystem (e.g., `amd64`). By default set to current Debian host architecture. This variable is optional. - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional. - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional. + - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login requires not password + - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. --- diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample index a671b20..9bdfe10 100644 --- a/meta-isar/conf/local.conf.sample +++ b/meta-isar/conf/local.conf.sample @@ -171,3 +171,9 @@ ISAR_CROSS_COMPILE ?= "0" # # Uncomment this to enable use of cached base repository #ISAR_USE_CACHED_BASE_REPO ?= "1" + +# Set root password to 'root' +# Password was encrypted using following command: +# mkpasswd -m sha512crypt -R 10000 +# mkpasswd is part of the 'whois' package of Debian +CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst index f60be8c..f48d993 100644 --- a/meta-isar/recipes-app/example-raw/files/postinst +++ b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ fi chown -R isar:isar /var/lib/isar -# this wins over meta-isar/recipes-core/images/files/*configscript.sh -# but we take the same password for this example -echo "root:root" | chpasswd - echo "isar" > /etc/hostname diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 --- a/meta/classes/isar-image.bbclass +++ b/meta/classes/isar-image.bbclass @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file mode 100644 index 0000000..ca08a41 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl @@ -0,0 +1,19 @@ +#!/bin/sh +set -e + +if ! grep -q 'root:\*:' /etc/shadow; then + echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2 + exit -1 +fi + +if [ -n '${CFG_ROOT_PW}' ]; then + echo 'root:${CFG_ROOT_PW}' | chpasswd -e +else + passwd -d root +fi + +if [ '${CFG_ROOT_LOCKED}' = "1" ]; then + # Lock the account after setting the password, since unlocking it at some + # point later would set it to the back to the previous one. + passwd -l root +fi diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file mode 100644 index 0000000..adee3b5 --- /dev/null +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb @@ -0,0 +1,19 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Isar configuration package for root password" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "passwd" + +SRC_URI = "file://postinst.tmpl" + +TEMPLATE_FILES = "postinst.tmpl" +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" + +CFG_ROOT_PW ??= "" +CFG_ROOT_LOCKED ??= "0" + +inherit dpkg-raw + +do_install() { + echo "intentionally left blank" +} -- 2.20.1