From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6654882193514430464
X-Received: by 2002:a1c:c789:: with SMTP id x131mr784579wmf.3.1549561556706;
        Thu, 07 Feb 2019 09:45:56 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a5d:5088:: with SMTP id a8ls635828wrt.14.gmail; Thu, 07 Feb
 2019 09:45:56 -0800 (PST)
X-Google-Smtp-Source: AHgI3IYaI1xbVb89ULAd3Eye5ywLdFyTKAW02ehtTnTYJAAGSi4ycNP9vU0wGJ+f8psi70+M9TMV
X-Received: by 2002:a5d:6a52:: with SMTP id t18mr996985wrw.13.1549561556268;
        Thu, 07 Feb 2019 09:45:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549561556; cv=none;
        d=google.com; s=arc-20160816;
        b=wyeZTcFz57yHmKTqEOk9z4/ftc0zJ272UVuFVmXp9GjSC8ZmFxz53vcPIce4dG9y+A
         mR4x9Cxmw2bmrr82uo2tF6ANNrG1zJbrjSE0dZINpK/VFpjmZ9z77ggrkL47IlR7O/xH
         KUegsUI2LuJX9vVlW9MnZQZy/HDMslogdNFKdl84ECN0I742n+5L11GyeoPrj6uXgl3c
         YtPlT9iMwyoPh961Tug2g/FodBnKhw5KOYd2gDCbYqaaY8ZAZdVlxKFI+Mcecv+yLVcK
         lMCyVSPt4W+CbWB+Nqqgn++tf0WDd6j1cLDgqdVc/s8sLEbl0tdt++47BNAvVIdhVETE
         XgIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date;
        bh=RXZWX+VILL7u4/jyjSeFvfx6ZDg8ns6l2OnN/3wWphc=;
        b=nSDeBiyWrqSScSG3MbGFrMpAQKHIyo2mfNSueu3mIW9jmW+x+fVnXS46P6YwF6hgrC
         rkllNlfV9ZZ7OvHFgazmbgCeuIN3wH7HQFMKvpuP7vtguGN8Q1voMXbSpKAAcUlENX2L
         cCeVuD7PeUzIbkJJRhcJ05/c6Z5f7/0z5wDqctxJIDudeIpObXNtsQMYsjKsqgVSO5sP
         UI2KwpeWEHfrQ4S9mhE0TT1FdK+SyY3qGV2AXaIQQlefw7yQnwAB+99v/vyTkAeRbwZw
         C6U3YTUVerGjtP+lO7Qv04GEqU8tWCi7PYXoVgeSq4wbt0H8zochTw7nPMgUL7YIZYdV
         B5Uw==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from lizzard.sbs.de (lizzard.sbs.de. [194.138.37.39])
        by gmr-mx.google.com with ESMTPS id f6si867820wmj.0.2019.02.07.09.45.56
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Feb 2019 09:45:56 -0800 (PST)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) client-ip=194.138.37.39;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66])
	by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id x17HjrpG015674
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 7 Feb 2019 18:45:53 +0100
Received: from md1za8fc.ad001.siemens.net ([139.25.69.156])
	by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id x17Hjra5003900;
	Thu, 7 Feb 2019 18:45:53 +0100
Date: Thu, 7 Feb 2019 18:45:52 +0100
From: Henning Schild <henning.schild@siemens.com>
To: Claudius Heine <claudius.heine.ext@siemens.com>
Cc: <isar-users@googlegroups.com>, Claudius Heine <ch@denx.de>
Subject: Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root
 password
Message-ID: <20190207184552.4edaaf79@md1za8fc.ad001.siemens.net>
In-Reply-To: <80b02340-7bef-4116-9495-828dd751eaec@siemens.com>
References: <20190206134139.1597-1-claudius.heine.ext@siemens.com>
	<20190206134139.1597-2-claudius.heine.ext@siemens.com>
	<20190206165214.74653294@md1za8fc.ad001.siemens.net>
	<80b02340-7bef-4116-9495-828dd751eaec@siemens.com>
X-Mailer: Claws Mail 3.15.0-dirty (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TUID: lejYAALDjGDf

Am Wed, 6 Feb 2019 17:10:09 +0100
schrieb Claudius Heine <claudius.heine.ext@siemens.com>:

> Hi Henning,
> 
> On 06/02/2019 16.52, Henning Schild wrote:
> > Am Wed, 6 Feb 2019 14:41:39 +0100
> > schrieb "[ext] claudius.heine.ext@siemens.com"
> > <claudius.heine.ext@siemens.com>:
> >   
> >> From: Claudius Heine <ch@denx.de>
> >>
> >> The isar-cfg-rootpw recipe is a central point to set the root
> >> password for images. It provides the `CFG_ROOT_PW`,
> >> `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be
> >> set from any `.conf` file or via `isar-cfg-rootpw.bbappend`.
> >>
> >> This package is installed as a transient package to avoid leaking
> >> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> >>
> >> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
> >> root password as clear text or encrypted, or are both empty, in
> >> which case login without password is possible. The encrypted
> >> password is preferred if both variables are set.  
> > 
> > How about _ENC only? I do not really see the point to support two
> > versions here. Say someone still got the package, they would still
> > have to find a password matching the hash. So _ENC is better, and
> > just one way is simpler.  
> 
> Well the code complexity differenct between supporting both and just
> one is pretty small. And I like options, so I would be in favor of
> having both possible. But if the consensus is to only support one,
> then I would go with _ENC only as well.

My take would be to only offer choice if there is a value in it,
because you pay with complexity. If all versions of chpasswd take
encrypted passwords, i do not see why plain ones should be supported. 
As usual, the ones discussing have to reach the consensus ... the other
ones agree with not speaking up ;).

> > We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
> > encrypt a password. In fact that seems to depend on
> > rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
> > not the best idea after all.  
> 
> I think that is just the default algo used by passwd to create 
> passwords, not the one enforced. Meaning I would still work if the
> set password was created with different options.

Ok, so any version of mkpasswd on any machine can create the magic
string that will be understood by any version of chpasswd. No reason to
support plain.

> > 
> > We should demo setting a passwd in isar-image-base, a good idea for
> > a password would be "root" because that is what isar-only users
> > already know. And it might be in the docs ...  
> 
> Well the best way I can think of is using `mkpasswd`, but that tool
> is packed into the `whois` package for some strange, possibly
> historical reasons.

Ok so the example would be ...
# echo root | mkpasswd -s
CFG_ROOT_PW_ENC="xxxYYY"

maybe in local.conf.example

Henning

> Cheers,
> Claudius
> 
> > 
> > Henning
> >   
> >> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to
> >> lock the root account, other values leave the account unlocked.
> >> Unlocking the account at a later point will restore the password
> >> set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
> >>
> >> Signed-off-by: Claudius Heine <ch@denx.de>
> >> ---
> >>   RECIPE-API-CHANGELOG.md                       |  9 ++++++++
> >>   .../recipes-app/example-raw/files/postinst    |  4 ----
> >>   meta/classes/isar-image.bbclass               |  2 +-
> >>   .../isar-cfg-rootpw/files/postinst.tmpl       | 21
> >> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb        |
> >> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5
> >> deletions(-) create mode 100644
> >> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create
> >> mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >>
> >> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> >> index dcfbbee..7863e8a 100644
> >> --- a/RECIPE-API-CHANGELOG.md
> >> +++ b/RECIPE-API-CHANGELOG.md
> >> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are
> >> used. 
> >>   It's now sufficient to provide only kbuild rules. Makefile
> >> targets like modules or modules_install as well as KDIR and DESTDIR
> >> evaluation are no longer needed. +
> >> +### Remove setting of root passwords in custom packages
> >> +
> >> +Custom packages that are not installed via the
> >> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that
> >> password via its script in /var/lib/dpkg/info. +
> >> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the
> >> password and use +the transient 'isar-cfg-rootpw' package (now
> >> installed as transient package per +default).
> >> diff --git a/meta-isar/recipes-app/example-raw/files/postinst
> >> b/meta-isar/recipes-app/example-raw/files/postinst index
> >> f60be8c..f48d993 100644 ---
> >> a/meta-isar/recipes-app/example-raw/files/postinst +++
> >> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4
> >> @@ fi
> >>   chown -R isar:isar /var/lib/isar
> >>   
> >> -# this wins over
> >> meta-isar/recipes-core/images/files/*configscript.sh -# but we
> >> take the same password for this example -echo "root:root" |
> >> chpasswd -
> >>   echo "isar" > /etc/hostname
> >> diff --git a/meta/classes/isar-image.bbclass
> >> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644
> >> --- a/meta/classes/isar-image.bbclass
> >> +++ b/meta/classes/isar-image.bbclass
> >> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
> >>   
> >>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
> >>   
> >> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> >> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
> >>   
> >>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
> >>   
> >> diff --git
> >> a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> >> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new
> >> file mode 100644 index 0000000..7634f6a --- /dev/null
> >> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> >> @@ -0,0 +1,21 @@
> >> +#!/bin/sh
> >> +set -e
> >> +
> >> +if ! grep -q 'root:\*:' /etc/shadow; then
> >> +    echo "ERROR:isar-cfg-rootpw: root password was set by a
> >> different package" >&2
> >> +    exit -1
> >> +fi
> >> +
> >> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then
> >> +    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
> >> +elif [ -n "${CFG_ROOT_PW}" ]; then
> >> +    echo "root:${CFG_ROOT_PW}" | chpasswd
> >> +else
> >> +    passwd -d root
> >> +fi
> >> +
> >> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
> >> +    # Lock the account after setting the password, since unlocking
> >> it at some
> >> +    # point later would set it to the back to the previous one.
> >> +    passwd -l root
> >> +fi
> >> diff --git
> >> a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file
> >> mode 100644 index 0000000..52bb153 --- /dev/null
> >> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >> @@ -0,0 +1,20 @@
> >> +# This software is a part of ISAR.
> >> +
> >> +DESCRIPTION = "Isar configuration package for root password"
> >> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> >> +DEBIAN_DEPENDS = "passwd"
> >> +
> >> +SRC_URI = "file://postinst.tmpl"
> >> +
> >> +TEMPLATE_FILES = "postinst.tmpl"
> >> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
> >> +
> >> +CFG_ROOT_PW ??= ""
> >> +CFG_ROOT_PW_ENC ??= ""
> >> +CFG_ROOT_LOCKED ??= "0"
> >> +
> >> +inherit dpkg-raw
> >> +
> >> +do_install() {
> >> +    echo "intentionally left blank"
> >> +}  
> >   
>