From: Jan Kiszka
Date: Sat, 23 Feb 2019 11:42:19 +0100
Subject: Re: [PATCH] added 'isar-cfg-userpw' package
To: "[ext] claudius.heine.ext@siemens.com", isar-users@googlegroups.com
Cc: Claudius Heine
Message-ID: <66062d8f-1a2f-55bb-80fb-3f14ce05eace@web.de>
In-Reply-To: <20190218162113.8538-1-claudius.heine.ext@siemens.com>

On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
> From: Claudius Heine > > With this package setting of arbitrary user passwords should be > possible. > > To do this use the 'CFG_USER_PW' variable as described in the user > manual. > > Signed-off-by: Claudius Heine > --- > doc/user_manual.md | 1 + > meta-isar/conf/local.conf.sample | 2 ++ > meta/classes/isar-image.bbclass | 2 +- > .../isar-cfg-userpw/files/postinst.tmpl | 15 ++++++++++++ > .../isar-cfg-userpw/isar-cfg-userpw.bb | 23 +++++++++++++++++++ > 5 files changed, 42 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-support/isar-cfg-userpw/files/postinst= .tmpl > create mode 100644 meta/recipes-support/isar-cfg-userpw/isar-cfg-userp= w.bb > > diff --git a/doc/user_manual.md b/doc/user_manual.md > index db0bf85..53bb36a 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -328,6 +328,7 @@ Some other variables include: > - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it to the de= fault URI in the format `ftp.debian.org my.preferred.mirror`. This variabl= e is optional. > - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt p= assword use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debi= an. If the variable is empty, root login is passwordless. > - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. > + - `CFG_USER_PW` - A space separated list of user names and encrypted p= asswords separated by a colon. (e.g. `username1:encryptedpw1 username2:enc= ryptedpw2`) > > --- > > diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.con= f.sample > index e5827aa..494a283 100644 > --- a/meta-isar/conf/local.conf.sample > +++ b/meta-isar/conf/local.conf.sample 
> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?=3D "0" > # mkpasswd -m sha512crypt -R 10000 > # mkpasswd is part of the 'whois' package of Debian > CFG_ROOT_PW ?=3D "$6$rounds=3D10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQs= izIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" > +# Set user 'isar' password to 'isar': > +CFG_USER_PW ?=3D "isar:$6$rounds=3D10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzs= cs54GUwzhh/gjN3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1" > diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.b= bclass > index cdd1651..0100d0b 100644 > --- a/meta/classes/isar-image.bbclass > +++ b/meta/classes/isar-image.bbclass > @@ -17,7 +17,7 @@ SRC_URI +=3D "${@ cfg_script(d) }" > > DEPENDS +=3D "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > > -IMAGE_TRANSIENT_PACKAGES +=3D "isar-cfg-localepurge isar-cfg-rootpw" > +IMAGE_TRANSIENT_PACKAGES +=3D "isar-cfg-localepurge isar-cfg-rootpw isa= r-cfg-userpw" > > WORKDIR =3D "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > diff --git a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl b/= meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > new file mode 100644 > index 0000000..47fffd0 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > @@ -0,0 +1,15 @@ > +#!/bin/sh > +set -e > + > +USER_ENTRIES=3D'${CFG_USER_PW} ' > + > +while true; do > + USER_ENTRY=3D"${USER_ENTRIES%% *}" # First element of list > + USER_ENTRIES=3D"${USER_ENTRIES#${USER_ENTRY} }" # Rest of list > + > + if [ -z "${USER_ENTRY}" ]; then > + break > + fi > + > + printf '%s' "${USER_ENTRY}" | chpasswd -e > +done > diff --git a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb b/m= eta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > new file mode 100644 > index 0000000..75b0446 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb 
> @@ -0,0 +1,23 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION =3D "Isar configuration package for user passwords" > +MAINTAINER =3D "isar-users " > +DEBIAN_DEPENDS =3D "passwd" > + > +SRC_URI =3D "file://postinst.tmpl" > + > +TEMPLATE_FILES =3D "postinst.tmpl" > +TEMPLATE_VARS =3D "CFG_USER_PW" > + > +CFG_USER_PW ?=3D "" > + > +python() { > + # Enforce CFG_USER_PW to be a single space separated array > + d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USER_PW", True).spli= t())) > +} > + > +inherit dpkg-raw > + > +do_install() { > + echo "intentionally left blank" > +} >

Missed this until I had to deal with it: This does not allow per-image password configuration because there is only one, hard-coded isar-cfg-userpw package that all images pull. E.g., how to build a release (root account locked) and a debug image (well-known insecure or empty password) at the same time now?

We rather need to change the logic to pass the control variables from the host down into the chroot during installation where the transient package can then evaluate them. Or model this - as a special case - without a package.

Before the release, we should at least prove if the current recipe interface can be maintained with the above requirement, so that we do not break it again right after that.

Jan
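
Review bot: The CFG_USER_PW entry added to doc/user_manual.md does not say how the encrypted password is produced or that the named user must already exist in the image, while the CFG_ROOT_PW entry two lines above it names mkpasswd. Suggest pointing to the same mkpasswd invocation and stating what an empty value means, as the CFG_ROOT_PW entry does.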
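
Review bot: In the meta-isar/conf/local.conf.sample hunk, the added `CFG_USER_PW ?= "isar:$6$rounds=10000$..."` default sets a publicly known password ('isar', per the comment above it) for user 'isar' in every image built from the sample configuration unless it is overridden. Suggest shipping the line commented out, or extending the comment to say that the value is for development images only and has to be replaced or emptied for anything that is released.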
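
Review bot: In files/postinst.tmpl, `USER_ENTRIES='${CFG_USER_PW} '` pastes the variable into a single-quoted shell string without any validation, so a value containing a `'` ends the quoting and the rest is interpreted as shell by the postinst. In `${USER_ENTRIES#${USER_ENTRY} }` the inner expansion is unquoted and therefore used as a pattern; if an entry contains pattern characters and the prefix does not match, USER_ENTRIES is never shortened and the `while true` loop does not terminate. Suggest quoting the inner expansion as `"${USER_ENTRIES#"${USER_ENTRY}" }"`, or dropping the loop and feeding all entries, one per line, to a single `chpasswd -e` call.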
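
Review bot: In isar-cfg-userpw.bb, the anonymous python() only normalises whitespace and does not check that each entry has the name:hash form, and DEBIAN_DEPENDS lists only passwd, so nothing ensures the named users exist when the postinst runs. Because the postinst uses `set -e`, a malformed entry or a missing user makes `chpasswd -e` fail at package installation time instead of at parse time. Suggest validating the entries in python() and stopping with bb.fatal() on the first one that is not name:hash.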