public inbox for isar-users@googlegroups.com
* [PATCH 0/2] Fix possible build errors due to expired root account
@ 2022-05-11 13:13 Quirin Gylstorff
  2022-05-11 13:13 ` [PATCH 1/2] classes/image-account-extension:Move account configuration to post-process Quirin Gylstorff
  2022-05-11 13:13 ` [PATCH 2/2] classes/image-account-extension: Add flag to force password change on first login Quirin Gylstorff
  0 siblings, 2 replies; 5+ messages in thread
From: Quirin Gylstorff @ 2022-05-11 13:13 UTC (permalink / raw)
  To: jan.kiszka, isar-users

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This fixes build errors due to expiring/deactivating the root password before
installing packages which create new users.

Quirin Gylstorff (2):
  classes/image-account-extension:Move account configuration to
    post-process
  classes/image-account-extension: Add flag to force password change on
    first login

 doc/user_manual.md                           |  1 +
 meta/classes/image-account-extension.bbclass | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

-- 
2.35.1



* [PATCH 1/2] classes/image-account-extension:Move account configuration to post-process
  2022-05-11 13:13 [PATCH 0/2] Fix possible build errors due to expired root account Quirin Gylstorff
@ 2022-05-11 13:13 ` Quirin Gylstorff
  2022-05-11 14:57   ` Henning Schild
  2022-05-11 13:13 ` [PATCH 2/2] classes/image-account-extension: Add flag to force password change on first login Quirin Gylstorff
  1 sibling, 1 reply; 5+ messages in thread
From: Quirin Gylstorff @ 2022-05-11 13:13 UTC (permalink / raw)
  To: jan.kiszka, isar-users

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If the root account is deactivated during rootfs configuration,
e.g. by setting 'USER_root[expire]="01-01-1970"', the following error
occurs if a package tries to create/modify a user account.

```
Setting up systemd (247.3-7) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service -> /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target -> /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service -> /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Your account has expired; please contact your system administrator.
chfn: PAM: Authentication failure
adduser: `/bin/chfn -f systemd Network Management systemd-network' returned error code 1. Exiting.
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned error exit status 1
Setting up dmsetup (2:1.02.175-2.1) ...
Errors were encountered while processing:
systemd
E: Sub-process /usr/bin/dpkg returned an error code (1)
WARNING: exit code 100 from a shell command.
```

This move also allows /etc/skel modification to be applicable to
all users.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 meta/classes/image-account-extension.bbclass | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index c9bebe85..caa962a0 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -58,8 +58,7 @@ IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, 'GROUPS', 'GROUP', ['gid', 'f
 
 do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} ${IMAGE_ACCOUNTS_USERS}"
 
-ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts"
-image_configure_accounts[weight] = "3"
+ROOTFS_POSTPROCESS_COMMAND += "image_configure_accounts"
 image_configure_accounts() {
     # Create groups
     # Add space to the end of the list:
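Review bot: `do_rootfs_install[vardeps]` in the context line above the change still carries `${IMAGE_ACCOUNTS_GROUPS} ${IMAGE_ACCOUNTS_USERS}`, but `image_configure_accounts` no longer runs from `ROOTFS_CONFIGURE_COMMAND`; please check that the task which executes `ROOTFS_POSTPROCESS_COMMAND` also depends on these variables, otherwise an account change may not re-run the step that now applies it. With `image_configure_accounts[weight] = "3"` dropped, nothing in this hunk fixes the function's position relative to other postprocess commands, so any command that needs the accounts to exist should be ordered explicitly or named in the commit message. Since groups and users are now created after package installation, a fixed `gid` or uid in `GROUP_*`/`USER_*` can meet an id that a package postinst already allocated; a sentence on that in the changelog and user manual would help.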
-- 
2.35.1



* [PATCH 2/2] classes/image-account-extension: Add flag to force password change on first login
  2022-05-11 13:13 [PATCH 0/2] Fix possible build errors due to expired root account Quirin Gylstorff
  2022-05-11 13:13 ` [PATCH 1/2] classes/image-account-extension:Move account configuration to post-process Quirin Gylstorff
@ 2022-05-11 13:13 ` Quirin Gylstorff
  1 sibling, 0 replies; 5+ messages in thread
From: Quirin Gylstorff @ 2022-05-11 13:13 UTC (permalink / raw)
  To: jan.kiszka, isar-users

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This avoids possible errors if `passwd --expire root` is
set during package installation.

This flag is necessary as

```
USER_root[expire] = "1970-01-01"
```

disables the root account and displays the message:

If the user tries to log in, the following message is displayed:

```
Your account has expired; please contact your system administrator.
Authentication failure
```

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/user_manual.md                           | 1 +
 meta/classes/image-account-extension.bbclass | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index cdb73224..02874b6d 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -678,6 +678,7 @@ The `USERS` and `USER_<username>` variable works similar to the `GROUPS` and `GR
    - `system` - `useradd` will be called with `--system`.
    - `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password.
    - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it.
+   - `force-passwd-change` - Force the user to change to password on first login.
 
 #### Home directory contents prefilling
 
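Review bot: the added `force-passwd-change` entry reads "change to password"; it should be "change the password". The entry could also say that the flag is applied with `passwd --expire`, and what happens when it is combined with `allow-empty-password` listed two lines above, since that pairing decides whether the first login on a fresh image is unauthenticated.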
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index caa962a0..99de8b0d 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -17,7 +17,7 @@ USERS ??= ""
 #USER_root[home] = "/home/root"
 #USER_root[shell] = "/bin/sh"
 #USER_root[groups] = "audio video"
-#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password"
+#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password force-passwd-change"
 
 GROUPS ??= ""
 
@@ -258,5 +258,10 @@ image_configure_accounts() {
             printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \
                 /usr/sbin/chpasswd $chpasswd_args
         fi
+        if [ "${flags}" != "${flags%*,force-passwd-change,*}" ]; then
+            echo "Execute passwd to force password change on first boot for \"$name\""
+            sudo -E chroot '${ROOTFSDIR}' \
+                /usr/bin/passwd --expire "$name"
+        fi
     done
 }
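Review bot: the new `passwd --expire` call runs as `sudo -E chroot`, while the `chpasswd` call directly above it uses plain `sudo chroot`; `-E` carries the build host's environment into the target rootfs and nothing in this command needs it, so drop it for consistency. The test `"${flags}" != "${flags%*,force-passwd-change,*}"` only matches when the flag has a comma on both sides, so it depends on `flags` having been wrapped as `,a,b,` earlier in the function, which this hunk does not show; the example in the class header lists the flags space-separated. The `echo` says "first boot" where the subject and the manual say "first login". The exit status of `passwd` is not checked here, so unless the function runs under `set -e`, a failed expiry would leave an image with its initial password and no forced change.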
-- 
2.35.1



* Re: [PATCH 1/2] classes/image-account-extension:Move account configuration to post-process
  2022-05-11 13:13 ` [PATCH 1/2] classes/image-account-extension:Move account configuration to post-process Quirin Gylstorff
@ 2022-05-11 14:57   ` Henning Schild
  2022-05-12  5:53     ` Jan Kiszka
  0 siblings, 1 reply; 5+ messages in thread
From: Henning Schild @ 2022-05-11 14:57 UTC (permalink / raw)
  To: Quirin Gylstorff; +Cc: jan.kiszka, isar-users

I once had this in the context of adding users to groups which are
coming from packages. i.e. the docker group

In order to add a user to that group one will also have to add the
group, and essentially copy that group creation from the postinst from
the group creating package. Like what type of group, or a fixed gid and
things like that.

So moving the user creation into postinst is imho a really good idea.
However a significant change that might be worth a changelog entry. I
would have to drop group creation of "docker" or "www" and things like
that from some layers.

regards,
Henning

On Wed, 11 May 2022 15:13:37 +0200,
Quirin Gylstorff <Quirin.Gylstorff@siemens.com> wrote:

> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> If the root account is deactivated during rootfs configuration,
> e.g. by setting 'USER_root[expire]="01-01-1970"', the following
> error occurs if a package tries to create/modify a user account.
> 
> ```
> Setting up systemd (247.3-7) ...
> Created symlink
> /etc/systemd/system/getty.target.wants/getty@tty1.service ->
> /lib/systemd/system/getty@.service. Created symlink
> /etc/systemd/system/multi-user.target.wants/remote-fs.target ->
> /lib/systemd/system/remote-fs.target. Created symlink
> /etc/systemd/system/sysinit.target.wants/systemd-pstore.service ->
> /lib/systemd/system/systemd-pstore.service. Initializing machine ID
> from random generator. Your account has expired; please contact your
> system administrator. chfn: PAM: Authentication failure adduser:
> `/bin/chfn -f systemd Network Management systemd-network' returned
> error code 1. Exiting. dpkg: error processing package systemd
> (--configure): installed systemd package post-installation script
> subprocess returned error exit status 1 Setting up dmsetup
> (2:1.02.175-2.1) ... Errors were encountered while processing:
> systemd E: Sub-process /usr/bin/dpkg returned an error code (1)
> WARNING: exit code 100 from a shell command. ```
> 
> This move also allows /etc/skel modification to be applicable to
> all users.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  meta/classes/image-account-extension.bbclass | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/meta/classes/image-account-extension.bbclass
> b/meta/classes/image-account-extension.bbclass index
> c9bebe85..caa962a0 100644 ---
> a/meta/classes/image-account-extension.bbclass +++
> b/meta/classes/image-account-extension.bbclass @@ -58,8 +58,7 @@
> IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, 'GROUPS', 'GROUP',
> ['gid', 'f do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS}
> ${IMAGE_ACCOUNTS_USERS}" 
> -ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts"
> -image_configure_accounts[weight] = "3"
> +ROOTFS_POSTPROCESS_COMMAND += "image_configure_accounts"
>  image_configure_accounts() {
>      # Create groups
>      # Add space to the end of the list:



* Re: [PATCH 1/2] classes/image-account-extension:Move account configuration to post-process
  2022-05-11 14:57   ` Henning Schild
@ 2022-05-12  5:53     ` Jan Kiszka
  0 siblings, 0 replies; 5+ messages in thread
From: Jan Kiszka @ 2022-05-12  5:53 UTC (permalink / raw)
  To: Henning Schild, Quirin Gylstorff; +Cc: isar-users

On 11.05.22 16:57, Henning Schild wrote:
> I once had this in the context of adding users to groups which are
> coming from packages. i.e. the docker group
> 
> In order to add a user to that group one will also have to add the
> group, and essentially copy that group creation from the postinst from
> the group creating package. Like what type of group, or a fixed gid and
> things like that.
> 
> So moving the user creation into postinst is imho a really good idea.
> However a significant change that might be worth a changelog entry. I
> would have to drop group creation of "docker" or "www" and things like
> that from some layers.
> 

Good points, and second reason to actually change the ordering. Then
let's do this, with a proper changelog.

Jan

> regards,
> Henning
> 
> On Wed, 11 May 2022 15:13:37 +0200,
> Quirin Gylstorff <Quirin.Gylstorff@siemens.com> wrote:
> 
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> If the root account is deactivated during rootfs configuration,
>> e.g. by setting 'USER_root[expire]="01-01-1970"', the following
>> error occurs if a package tries to create/modify a user account.
>>
>> ```
>> Setting up systemd (247.3-7) ...
>> Created symlink
>> /etc/systemd/system/getty.target.wants/getty@tty1.service ->
>> /lib/systemd/system/getty@.service. Created symlink
>> /etc/systemd/system/multi-user.target.wants/remote-fs.target ->
>> /lib/systemd/system/remote-fs.target. Created symlink
>> /etc/systemd/system/sysinit.target.wants/systemd-pstore.service ->
>> /lib/systemd/system/systemd-pstore.service. Initializing machine ID
>> from random generator. Your account has expired; please contact your
>> system administrator. chfn: PAM: Authentication failure adduser:
>> `/bin/chfn -f systemd Network Management systemd-network' returned
>> error code 1. Exiting. dpkg: error processing package systemd
>> (--configure): installed systemd package post-installation script
>> subprocess returned error exit status 1 Setting up dmsetup
>> (2:1.02.175-2.1) ... Errors were encountered while processing:
>> systemd E: Sub-process /usr/bin/dpkg returned an error code (1)
>> WARNING: exit code 100 from a shell command. ```
>>
>> This move also allows /etc/skel modification to be applicable to
>> all users.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>  meta/classes/image-account-extension.bbclass | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/meta/classes/image-account-extension.bbclass
>> b/meta/classes/image-account-extension.bbclass index
>> c9bebe85..caa962a0 100644 ---
>> a/meta/classes/image-account-extension.bbclass +++
>> b/meta/classes/image-account-extension.bbclass @@ -58,8 +58,7 @@
>> IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, 'GROUPS', 'GROUP',
>> ['gid', 'f do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS}
>> ${IMAGE_ACCOUNTS_USERS}" 
>> -ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts"
>> -image_configure_accounts[weight] = "3"
>> +ROOTFS_POSTPROCESS_COMMAND += "image_configure_accounts"
>>  image_configure_accounts() {
>>      # Create groups
>>      # Add space to the end of the list:
> 

-- 
Siemens AG, Technology
Competence Center Embedded Linux
