public inbox for isar-users@googlegroups.com
From: Henning Schild <henning.schild@siemens.com>
To: Claudius Heine <claudius.heine.ext@siemens.com>
Cc: <isar-users@googlegroups.com>, Claudius Heine <ch@denx.de>
Subject: Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password
Date: Thu, 7 Feb 2019 18:45:52 +0100
Message-ID: <20190207184552.4edaaf79@md1za8fc.ad001.siemens.net>
In-Reply-To: <80b02340-7bef-4116-9495-828dd751eaec@siemens.com>

Am Wed, 6 Feb 2019 17:10:09 +0100
schrieb Claudius Heine <claudius.heine.ext@siemens.com>:

> Hi Henning,
> 
> On 06/02/2019 16.52, Henning Schild wrote:
> > Am Wed, 6 Feb 2019 14:41:39 +0100
> > schrieb "[ext] claudius.heine.ext@siemens.com"
> > <claudius.heine.ext@siemens.com>:
> >   
> >> From: Claudius Heine <ch@denx.de>
> >>
> >> The isar-cfg-rootpw recipe is a central point to set the root
> >> password for images. It provides the `CFG_ROOT_PW`,
> >> `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be
> >> set from any `.conf` file or via `isar-cfg-rootpw.bbappend`.
> >>
> >> This package is installed as a transient package to avoid leaking
> >> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> >>
> >> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
> >> root password as clear text or encrypted, or are both empty, in
> >> which case login without password is possible. The encrypted
> >> password is preferred if both variables are set.  
> > 
> > How about _ENC only? I do not really see the point to support two
> > versions here. Say someone still got the package, they would still
> > have to find a password matching the hash. So _ENC is better, and
> > just one way is simpler.  
> 
> Well the code complexity difference between supporting both and just
> one is pretty small. And I like options, so I would be in favor of
> having both possible. But if the consensus is to only support one,
> then I would go with _ENC only as well.

My take would be to only offer choice if there is a value in it,
because you pay with complexity. If all versions of chpasswd take
encrypted passwords, I do not see why plain ones should be supported.
As usual, the ones discussing have to reach the consensus ... the other
ones agree with not speaking up ;).

> > We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
> > encrypt a password. In fact that seems to depend on
> > rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
> > not the best idea after all.  
> 
> I think that is just the default algo used by passwd to create 
> passwords, not the one enforced. Meaning it would still work if the
> set password was created with different options.

Ok, so any version of mkpasswd on any machine can create the magic
string that will be understood by any version of chpasswd. No reason to
support plain.

> > 
> > We should demo setting a passwd in isar-image-base, a good idea for
> > a password would be "root" because that is what isar-only users
> > already know. And it might be in the docs ...  
> 
> Well the best way I can think of is using `mkpasswd`, but that tool
> is packed into the `whois` package for some strange, possibly
> historical reasons.

Ok so the example would be ...
# echo root | mkpasswd -s
CFG_ROOT_PW_ENC="xxxYYY"

maybe in local.conf.example

Henning

> Cheers,
> Claudius
> 
> > 
> > Henning
> >   
> >> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to
> >> lock the root account, other values leave the account unlocked.
> >> Unlocking the account at a later point will restore the password
> >> set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
> >>
> >> Signed-off-by: Claudius Heine <ch@denx.de>
> >> ---
> >>   RECIPE-API-CHANGELOG.md                       |  9 ++++++++
> >>   .../recipes-app/example-raw/files/postinst    |  4 ----
> >>   meta/classes/isar-image.bbclass               |  2 +-
> >>   .../isar-cfg-rootpw/files/postinst.tmpl       | 21
> >> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb        |
> >> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5
> >> deletions(-) create mode 100644
> >> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create
> >> mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >>
> >> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> >> index dcfbbee..7863e8a 100644
> >> --- a/RECIPE-API-CHANGELOG.md
> >> +++ b/RECIPE-API-CHANGELOG.md
> >> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are
> >> used. 
> >>   It's now sufficient to provide only kbuild rules. Makefile
> >> targets like modules or modules_install as well as KDIR and DESTDIR
> >> evaluation are no longer needed. +
> >> +### Remove setting of root passwords in custom packages
> >> +
> >> +Custom packages that are not installed via the
> >> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that
> >> password via its script in /var/lib/dpkg/info. +
> >> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the
> >> password and use +the transient 'isar-cfg-rootpw' package (now
> >> installed as transient package per +default).
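Review bot: the new changelog section names only CFG_ROOT_PW and CFG_ROOT_PW_ENC; it should also document CFG_ROOT_LOCKED and state that leaving both password variables empty ends in `passwd -d root`, i.e. a root login without password. A one-line example of how to produce the CFG_ROOT_PW_ENC value (for instance with mkpasswd, as discussed in this thread) would make the entry usable on its own.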
> >> diff --git a/meta-isar/recipes-app/example-raw/files/postinst
> >> b/meta-isar/recipes-app/example-raw/files/postinst index
> >> f60be8c..f48d993 100644 ---
> >> a/meta-isar/recipes-app/example-raw/files/postinst +++
> >> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4
> >> @@ fi
> >>   chown -R isar:isar /var/lib/isar
> >>   
> >> -# this wins over
> >> meta-isar/recipes-core/images/files/*configscript.sh -# but we
> >> take the same password for this example -echo "root:root" |
> >> chpasswd -
> >>   echo "isar" > /etc/hostname
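Review bot: removing `echo "root:root" | chpasswd` from the example postinst leaves the example image without any configured password, and with this patch's defaults (both variables empty) the new postinst then runs `passwd -d root`. Set CFG_ROOT_PW_ENC for the example in the same patch, e.g. in local.conf.example, so the demo image does not silently switch to passwordless root login.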
> >> diff --git a/meta/classes/isar-image.bbclass
> >> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644
> >> --- a/meta/classes/isar-image.bbclass
> >> +++ b/meta/classes/isar-image.bbclass
> >> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
> >>   
> >>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
> >>   
> >> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> >> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
> >>   
> >>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
> >>   
> >> diff --git
> >> a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> >> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new
> >> file mode 100644 index 0000000..7634f6a --- /dev/null
> >> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> >> @@ -0,0 +1,21 @@
> >> +#!/bin/sh
> >> +set -e
> >> +
> >> +if ! grep -q 'root:\*:' /etc/shadow; then
> >> +    echo "ERROR:isar-cfg-rootpw: root password was set by a
> >> different package" >&2
> >> +    exit -1
> >> +fi
> >> +
> >> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then
> >> +    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
> >> +elif [ -n "${CFG_ROOT_PW}" ]; then
> >> +    echo "root:${CFG_ROOT_PW}" | chpasswd
> >> +else
> >> +    passwd -d root
> >> +fi
> >> +
> >> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
> >> +    # Lock the account after setting the password, since unlocking
> >> it at some
> >> +    # point later would set it to the back to the previous one.
> >> +    passwd -l root
> >> +fi
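Review bot: in the `chpasswd -e` branch the substituted value sits inside double quotes (`echo "root:${CFG_ROOT_PW_ENC}"`); if the template step inserts the value textually, a crypt string of the form `$6$salt$hash` is then expanded by the shell as `$6`, `$salt` and `$hash`, and chpasswd receives an empty or truncated hash. Emit the value inside single quotes, or document that every `$` in the variable must be escaped; the clear-text branch has the same problem for passwords containing `$`, backticks or double quotes. Two smaller points: `exit -1` is not a valid exit status in POSIX sh (use `exit 1`), and the pattern in `grep -q 'root:\*:'` should be anchored as `^root:\*:` so that it only matches the root entry.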
> >> diff --git
> >> a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file
> >> mode 100644 index 0000000..52bb153 --- /dev/null
> >> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >> @@ -0,0 +1,20 @@
> >> +# This software is a part of ISAR.
> >> +
> >> +DESCRIPTION = "Isar configuration package for root password"
> >> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> >> +DEBIAN_DEPENDS = "passwd"
> >> +
> >> +SRC_URI = "file://postinst.tmpl"
> >> +
> >> +TEMPLATE_FILES = "postinst.tmpl"
> >> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
> >> +
> >> +CFG_ROOT_PW ??= ""
> >> +CFG_ROOT_PW_ENC ??= ""
> >> +CFG_ROOT_LOCKED ??= "0"
> >> +
> >> +inherit dpkg-raw
> >> +
> >> +do_install() {
> >> +    echo "intentionally left blank"
> >> +}  
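Review bot: the defaults `CFG_ROOT_PW ??= ""`, `CFG_ROOT_PW_ENC ??= ""` and `CFG_ROOT_LOCKED ??= "0"` combine to an unlocked root account with no password on every image that does not override them. Consider defaulting CFG_ROOT_LOCKED to "1", or failing the build when neither password variable is set, so that passwordless root login is an explicit choice rather than the fallback.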
> >   
> 
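The `mkpasswd` output discussed above is a crypt string full of `$` separators, so the way the postinst template quotes it decides what `chpasswd -e` actually receives. The following added example (not part of the original mail or of Isar) substitutes a constructed value textually into a one-line template, which is an assumption about how the template step works, and runs the result with `cat` standing in for `chpasswd -e`; the `@ENC@` placeholder, the function names and the sample value are hypothetical.

```shell
#!/bin/sh
# Constructed value in SHA-512-crypt layout (not a real hash). Only the '$'
# separators matter for this demonstration.
SAMPLE_ENC='$6$saltsalt$abcDEF123'

# Substitute the value into a one-line template textually (assumed template
# behaviour), then run the rendered script with sh. `cat` stands in for
# `chpasswd -e`, so nothing on the host is modified.
render_and_run() {
    template=$1
    value=$2
    # Escape the characters that are special on sed's replacement side.
    escaped=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    script=$(printf '%s\n' "$template" | sed "s|@ENC@|$escaped|")
    sh -c "$script"
}

# Same quoting as the patch's postinst: the value lands inside double quotes,
# so the shell expands $6, $saltsalt and $abcDEF123 (all unset) to nothing.
double_quoted() {
    render_and_run 'echo "root:@ENC@" | cat' "$1"
}

# Single quotes keep the string literal. This is safe for crypt hashes, whose
# alphabet is [A-Za-z0-9./] plus '$'; it is not safe for arbitrary clear text
# that may contain a single quote.
single_quoted() {
    render_and_run "printf '%s\n' 'root:@ENC@' | cat" "$1"
}

printf 'double-quoted template feeds: %s\n' "$(double_quoted "$SAMPLE_ENC")"
printf 'single-quoted template feeds: %s\n' "$(single_quoted "$SAMPLE_ENC")"
```
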

