From: Quirin Gylstorff
To: jan.kiszka@siemens.com, isar-users@googlegroups.com, henning.schild@siemens.com
Subject: [PATCH v2 2/2] classes/image-account-extension: Add flag to force password change on first login
Date: Thu, 12 May 2022 14:04:33 +0200
Message-Id: <20220512120433.695303-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20220512120433.695303-1-Quirin.Gylstorff@siemens.com>
References: <20220512120433.695303-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

This avoids possible errors if `passwd --expire root` is set during package installation.

Signed-off-by: Quirin Gylstorff
--- doc/user_manual.md | 1 + meta/classes/image-account-extension.bbclass | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/user_manual.md b/doc/user_manual.md index cdb73224..02874b6d 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -678,6 +678,7 @@ The `USERS` and `USER_` variable works similar to the `GROUPS` and `GR - `system` - `useradd` will be called with `--system`. - `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password. - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it. + - `force-passwd-change` - Force the user to change to password on first login. #### Home directory contents prefilling diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass index caa962a0..99de8b0d 100644 --- a/meta/classes/image-account-extension.bbclass +++ b/meta/classes/image-account-extension.bbclass
@@ -17,7 +17,7 @@ USERS ??= "" #USER_root[home] = "/home/root" #USER_root[shell] = "/bin/sh" #USER_root[groups] = "audio video" -#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password" +#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password force-passwd-change" GROUPS ??= "" @@ -258,5 +258,10 @@ image_configure_accounts() { printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args fi + if [ "${flags}" != "${flags%*,force-passwd-change,*}" ]; then + echo "Execute passwd to force password change on first boot for \"$name\"" + sudo -E chroot '${ROOTFSDIR}' \ + /usr/bin/passwd --expire "$name" + fi done } -- 2.35.1
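
Review bot: In the doc/user_manual.md hunk, the added `force-passwd-change` bullet reads "change to password"; this should be "change the password". The entry would also be more useful if it said that the flag is implemented by running `passwd --expire` for the user inside the image root filesystem, and what a user should expect when it is combined with `allow-empty-password`, which the list documents two bullets earlier.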
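
Review bot: In the image_configure_accounts() hunk, the new `passwd --expire` call runs through `sudo -E chroot` while the `chpasswd` call directly above it uses plain `sudo chroot`; unless the preserved environment is needed here, drop `-E` so both calls behave the same. The echo text says "first boot" although the flag and the manual entry say "first login", so the log message should use the same wording. The test `"${flags%*,force-passwd-change,*}"` only matches a comma-wrapped list, whereas the example comment at the top of the class shows the flags space-separated; a short comment stating that `flags` has been normalised at this point, and that the expire step has to stay after the `chpasswd` block because setting a password updates the last-change date, would keep a later reordering from silently undoing the flag.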