From: Henning Schild
To: isar-users@googlegroups.com
Cc: Claudius Heine, Jan Kiszka, Henning Schild
Subject: [PATCH] meta: image-account-extension: allow clear-text-passwords
Date: Mon, 9 Aug 2021 16:45:12 +0200
Message-Id: <20210809144512.19117-1-henning.schild@siemens.com>
X-Mailer: git-send-email 2.31.1

When setting a password, having to always do so in encrypted form seems
a little overkill. We often see the clear-text as comment above the
encrypted version anyways.

Allowing to set the password as clear-text makes it more obvious that
things might not be super-secure, while making a layer more readable ...
say you are looking for the password an image asks for.

Signed-off-by: Henning Schild
---
 doc/user_manual.md                           |  1 +
 meta-isar/conf/local.conf.sample             |  3 +++
 meta/classes/image-account-extension.bbclass | 10 +++++++---
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/doc/user_manual.md b/doc/user_manual.md index cf7dc2fee35e..1da0e9d4ee98 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -633,6 +633,7 @@ The `USERS` and `USER_` variable works similar to the `GROUPS` and `GR - `create-home` - `useradd` will be called with `-m` to force creation of the users home directory. - `system` - `useradd` will be called with `--system`. - `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password. + - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it. #### Home directory contents prefilling diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample index 6cf1656d8b01..96a8beb31196 100644 --- a/meta-isar/conf/local.conf.sample +++ b/meta-isar/conf/local.conf.sample @@ -217,5 +217,8 @@ USER_isar[home] = "/var/lib/isar" USER_isar[comment] = "My isar user" USER_isar[flags] = "system create-home" +USER_isar[password] = "isar" +USER_isar[flags] += "clear-text-password" + # Uncomment the below line to debug WIC. # WIC_CREATE_EXTRA_ARGS += "-D" diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass index 70c2bfa2b6f2..c9bebe85c2b5 100644 --- a/meta/classes/image-account-extension.bbclass +++ b/meta/classes/image-account-extension.bbclass @@ -8,7 +8,7 @@ USERS ??= "" #USERS += "root" -#USER_root[password] = "" # Encrypted password +#USER_root[password] = "" # Encrypted password, or clear-text when [flags] = "clear-text-password" #USER_root[expire] = "" #USER_root[inactive] = "" #USER_root[uid] = "" @@ -17,7 +17,7 @@ USERS ??= "" #USER_root[home] = "/home/root" #USER_root[shell] = "/bin/sh" #USER_root[groups] = "audio video" -#USER_root[flags] = "no-create-home create-home system allow-empty-password" +#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password" GROUPS ??= "" 
@@ -252,8 +252,12 @@ image_configure_accounts() { # Set password: if [ -n "$password" -o "${flags}" != "${flags%*,allow-empty-password,*}" ]; then + chpasswd_args="-e" + if [ "${flags}" != "${flags%*,clear-text-password,*}" ]; then + chpasswd_args="" + fi printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ - /usr/sbin/chpasswd -e + /usr/sbin/chpasswd $chpasswd_args fi done } -- 2.31.1
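Review bot: The new `clear-text-password` entry in doc/user_manual.md does not say what the flag implies for the layer: the password then sits readable in the configuration that sets `USER_<name>[password]`, and the hash stored in the image is produced by `chpasswd` at build time rather than chosen by the layer author. One more sentence in that list item stating both, and that the flag is meant for development or demo images, would match the "might not be super-secure" intent of the commit message.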
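Review bot: In meta-isar/conf/local.conf.sample the two added lines are active, not commented out, so every image built from a copied sample gets the `isar` user with the fixed password `isar`. Suggest shipping them commented, or with a comment line above `USER_isar[password] = "isar"` saying this is a demo credential that must be changed or removed, the same way the WIC debug line just below is left as an opt-in.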
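Review bot: In `image_configure_accounts()`, the condition still enters the block when `$password` is empty and `allow-empty-password` is set, and with `clear-text-password` also present `-e` is then dropped, so `chpasswd` receives an empty clear-text password instead of an empty hash field. That may not produce the passwordless login the manual describes for `allow-empty-password`. Suggest keeping `chpasswd_args="-e"` whenever `$password` is empty, or failing the build when both flags are set with an empty password. The unquoted `$chpasswd_args` is needed for the empty case to expand to no argument; a short comment saying so would stop a later cleanup from quoting it.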