From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6659376390151864320
X-Received: by 2002:ac2:4292:: with SMTP id m18mr861354lfh.15.1551082059612;
        Mon, 25 Feb 2019 00:07:39 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a19:9146:: with SMTP id y6ls1145447lfj.10.gmail; Mon, 25 Feb
 2019 00:07:38 -0800 (PST)
X-Google-Smtp-Source: AHgI3IZJ7S/1EhfOzDJOXEtyMMAnmk6lulKaMyboPBZldGGFN0mEIwFL+/SLJFxfk413UlGQPMLJ
X-Received: by 2002:ac2:4207:: with SMTP id y7mr852888lfh.7.1551082058885;
        Mon, 25 Feb 2019 00:07:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551082058; cv=none;
        d=google.com; s=arc-20160816;
        b=FpIs9k3Ry5FujDeOOG6kENlwaz2Ob5+A93nYJYs3xpjyfI3IcqXpS9tuDTnVn26YUI
         XaVbvkhliglLpSIW9cG0x9uIXjkCrIqt6iW8t9s0GkUiEiiqj3OrDNLdYFyagoZ34AFQ
         pluLqaFzqF6l94fxBQVXgLzCmq2xBQo8jElghCEjpgZFbWs6bNUcYhL7prWkv1MyiFx8
         B9WDH9OfgmIMDraKCoEn+fHlzo11WF9c1TA0GG7ngwHXUW2idqLxs+p8gzqlUOGteiRK
         J3LEU6b0i4G6+1yZzuK4LYl1OWZyZXFP1U9n7Hw7jInndWwxDHf1QA/lANcu9yVZCNKj
         jAVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:in-reply-to:mime-version
         :user-agent:date:message-id:references:cc:to:from:subject;
        bh=tyn0x6fhAHrAJ4kh3OdPEJVkJv+eve7WmRCwfSKICp8=;
        b=zTrjd8SihWDvvR2Ptv9qy6Xq6wqxjRY7dL7X4m+IJyd8E2Ke9MP+3LM2Qlcz1BfsIm
         TvFylSQz9cyMULowdeiA1jeRkV8sfbkZ50m4/X7s08GW7zofCXvo4Hpm4cGnh03Z922L
         L/E8Yac/DokClFMtCZEqVZjGLSNytTaaNRIApcqBdiRsLnCL319CQQw2CjM0d4T1ieA7
         uXWvQahzxQLNrdS//BJcoAEyQm+roUMTap9/WJM9hJINnhIGtK1ADnjAkz+PcBaAYjL2
         jGuhaZOTnJGs2TWUyWEXBzwgBrwNfQDVPLsZkoBaVhMOViRvHZw+zBks5b9yLfouRle9
         tR6g==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of jan.kiszka@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com
Return-Path: <jan.kiszka@siemens.com>
Received: from thoth.sbs.de (thoth.sbs.de. [192.35.17.2])
        by gmr-mx.google.com with ESMTPS id k13si261601lja.5.2019.02.25.00.07.38
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 25 Feb 2019 00:07:38 -0800 (PST)
Received-SPF: pass (google.com: domain of jan.kiszka@siemens.com designates 192.35.17.2 as permitted sender) client-ip=192.35.17.2;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of jan.kiszka@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
	by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id x1P87bEV018902
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Mon, 25 Feb 2019 09:07:37 +0100
Received: from [167.87.21.74] ([167.87.21.74])
	by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x1P87af7009964;
	Mon, 25 Feb 2019 09:07:36 +0100
Subject: Re: [PATCH] added 'isar-cfg-userpw' package
From: Jan Kiszka <jan.kiszka@siemens.com>
To: "[ext] claudius.heine.ext@siemens.com" <claudius.heine.ext@siemens.com>,
        isar-users@googlegroups.com
Cc: Claudius Heine <ch@denx.de>
References: <20190218162113.8538-1-claudius.heine.ext@siemens.com>
 <66062d8f-1a2f-55bb-80fb-3f14ce05eace@web.de>
Message-ID: <683245f8-e5f0-38b8-0532-94170db742fe@siemens.com>
Date: Mon, 25 Feb 2019 09:07:35 +0100
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12)
 Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
MIME-Version: 1.0
In-Reply-To: <66062d8f-1a2f-55bb-80fb-3f14ce05eace@web.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-TUID: cJ1J/SgBeq6T

On 23.02.19 11:42, Jan Kiszka wrote:
> On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
>> From: Claudius Heine <ch@denx.de>
>>
>> With this package setting of arbitrary user passwords should be
>> possible.
>>
>> To do this use the 'CFG_USER_PW' variable as described in the user
>> manual.
>>
>> Signed-off-by: Claudius Heine <ch@denx.de>
>> ---
>>   doc/user_manual.md                            |  1 +
>>   meta-isar/conf/local.conf.sample              |  2 ++
>>   meta/classes/isar-image.bbclass               |  2 +-
>>   .../isar-cfg-userpw/files/postinst.tmpl       | 15 ++++++++++++
>>   .../isar-cfg-userpw/isar-cfg-userpw.bb        | 23 +++++++++++++++++++
>>   5 files changed, 42 insertions(+), 1 deletion(-)
>>   create mode 100644 meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>>   create mode 100644 meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>
>> diff --git a/doc/user_manual.md b/doc/user_manual.md
>> index db0bf85..53bb36a 100644
>> --- a/doc/user_manual.md
>> +++ b/doc/user_manual.md
>> @@ -328,6 +328,7 @@ Some other variables include:
>>    - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it to the default 
>> URI in the format `ftp.debian.org my.preferred.mirror`. This variable is 
>> optional.
>>    - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt 
>> password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. 
>> If the variable is empty, root login is passwordless.
>>    - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
>> + - `CFG_USER_PW` - A space separated list of user names and encrypted 
>> passwords separated by a colon. (e.g. `username1:encryptedpw1 
>> username2:encryptedpw2`)
>>
>>   ---
>>
>> diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
>> index e5827aa..494a283 100644
>> --- a/meta-isar/conf/local.conf.sample
>> +++ b/meta-isar/conf/local.conf.sample
>> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?= "0"
>>   #   mkpasswd -m sha512crypt -R 10000
>>   # mkpasswd is part of the 'whois' package of Debian
>>   CFG_ROOT_PW ?= 
>> "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" 
>>
>> +# Set user 'isar' password to 'isar':
>> +CFG_USER_PW ?= 
>> "isar:$6$rounds=10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1" 
>>
>> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
>> index cdd1651..0100d0b 100644
>> --- a/meta/classes/isar-image.bbclass
>> +++ b/meta/classes/isar-image.bbclass
>> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>>
>>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>>
>> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw 
>> isar-cfg-userpw"
>>
>>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>>
>> diff --git a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl 
>> b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>> new file mode 100644
>> index 0000000..47fffd0
>> --- /dev/null
>> +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>> @@ -0,0 +1,15 @@
>> +#!/bin/sh
>> +set -e
>> +
>> +USER_ENTRIES='${CFG_USER_PW} '
>> +
>> +while true; do
>> +    USER_ENTRY="${USER_ENTRIES%% *}" # First element of list
>> +    USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }" # Rest of list
>> +
>> +    if [ -z "${USER_ENTRY}" ]; then
>> +        break
>> +    fi
>> +
>> +    printf '%s' "${USER_ENTRY}" | chpasswd -e
>> +done
>> diff --git a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb 
>> b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>> new file mode 100644
>> index 0000000..75b0446
>> --- /dev/null
>> +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>> @@ -0,0 +1,23 @@
>> +# This software is a part of ISAR.
>> +
>> +DESCRIPTION = "Isar configuration package for user passwords"
>> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>> +DEBIAN_DEPENDS = "passwd"
>> +
>> +SRC_URI = "file://postinst.tmpl"
>> +
>> +TEMPLATE_FILES = "postinst.tmpl"
>> +TEMPLATE_VARS = "CFG_USER_PW"
>> +
>> +CFG_USER_PW ?= ""
>> +
>> +python() {
>> +    # Enforce CFG_USER_PW to be a single space separated array
>> +    d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USER_PW", True).split()))
>> +}
>> +
>> +inherit dpkg-raw
>> +
>> +do_install() {
>> +    echo "intentionally left blank"
>> +}
>>
> 
> Missed this until I had to deal with it: This does not allow per-image password
> configuration because there is only one, hard-coded isar-cfg-userpw package that
> all images pull. E.g., how to build a release (root account locked) and a debug
> image (well-known insecure or empty password) at the same time now?
> 
> We rather need to change the logic to pass the control variables from the host
> down into the chroot during installation where the transient package can then
> evaluate them. Or model this - as a special case - without a package.
> 
> Before the release, we should at least prove if the current recipe interface can
> be maintained with the above requirement, so that we do not break it again right
> after that.
> 

The same conceptual issue applies to isar-cfg-localepurge: LOCALE_GEN and 
LOCALE_DEFAULT should be configurable on a per-image basis, not a per-build.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux