[PATCH 0/1] Centralize root password configuration

[PATCH 0/1] Centralize root password configuration

[claudius.heine.ext]

From: Claudius Heine <ch@denx.de>

Hi,

this patchset depends on the `Template system` patchset.

Cheers,
Claudius

Changes from the RFC patch:
 - Transformed package to be a transient package, prevents leaking of
   password via /var/lib/dpkg/info
 - Check if password was already set before setting it. Error if
   password was set already
 - Added possibility to set encrypted passwords
 - Fixed locking to allow restoration of choosen password when account
   is unlocked later
 - added documentation in RECIPE-API_CHANGELOG
 - removed isar-cfg-hostname
 - fix some scripting errors

Claudius Heine (1):
  meta: add isar-cfg-rootpw recipe for setting root password

 RECIPE-API-CHANGELOG.md                       |  9 ++++++++
 .../recipes-app/example-raw/files/postinst    |  4 ----
 meta/classes/isar-image.bbclass               |  2 +-
 .../isar-cfg-rootpw/files/postinst.tmpl       | 21 +++++++++++++++++++
 .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 20 ++++++++++++++++++
 5 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb

-- 
2.20.1

[PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[claudius.heine.ext]

From: Claudius Heine <ch@denx.de>

The isar-cfg-rootpw recipe is a central point to set the root password
for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
`CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
or via `isar-cfg-rootpw.bbappend`.

This package is installed as a transient package to avoid leaking
passwords set by it via the scripts in `/var/lib/dpkg/info/`.

The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a root
password as clear text or encrypted, or are both empty, in which case
login without password is possible. The encrypted password is preferred
if both variables are set.

The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
the root account, other values leave the account unlocked. Unlocking the
account at a later point will restore the password set by `CFG_ROOT_PW`
or `CFG_ROOT_PW_ENC`.

Signed-off-by: Claudius Heine <ch@denx.de>
---
 RECIPE-API-CHANGELOG.md                       |  9 ++++++++
 .../recipes-app/example-raw/files/postinst    |  4 ----
 meta/classes/isar-image.bbclass               |  2 +-
 .../isar-cfg-rootpw/files/postinst.tmpl       | 21 +++++++++++++++++++
 .../isar-cfg-rootpw/isar-cfg-rootpw.bb        | 20 ++++++++++++++++++
 5 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
 create mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index dcfbbee..7863e8a 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
 
 It's now sufficient to provide only kbuild rules. Makefile targets like modules
 or modules_install as well as KDIR and DESTDIR evaluation are no longer needed.
+
+### Remove setting of root passwords in custom packages
+
+Custom packages that are not installed via the IMAGE_TRANSIENT_PACKAGES and set
+a root password, leak that password via its script in /var/lib/dpkg/info.
+
+Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the password and use
+the transient 'isar-cfg-rootpw' package (now installed as transient package per
+default).
diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
index f60be8c..f48d993 100644
--- a/meta-isar/recipes-app/example-raw/files/postinst
+++ b/meta-isar/recipes-app/example-raw/files/postinst
@@ -15,8 +15,4 @@ fi
 
 chown -R isar:isar /var/lib/isar
 
-# this wins over meta-isar/recipes-core/images/files/*configscript.sh
-# but we take the same password for this example
-echo "root:root" | chpasswd
-
 echo "isar" > /etc/hostname
diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
index e2bae58..cdd1651 100644
--- a/meta/classes/isar-image.bbclass
+++ b/meta/classes/isar-image.bbclass
@@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
 
 DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
 
-IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
+IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
 
 WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
 
diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
new file mode 100644
index 0000000..7634f6a
--- /dev/null
+++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+if ! grep -q 'root:\*:' /etc/shadow; then
+    echo "ERROR:isar-cfg-rootpw: root password was set by a different package" >&2
+    exit -1
+fi
+
+if [ -n "${CFG_ROOT_PW_ENC}" ]; then
+    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
+elif [ -n "${CFG_ROOT_PW}" ]; then
+    echo "root:${CFG_ROOT_PW}" | chpasswd
+else
+    passwd -d root
+fi
+
+if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
+    # Lock the account after setting the password, since unlocking it at some
+    # point later would set it to the back to the previous one.
+    passwd -l root
+fi
diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
new file mode 100644
index 0000000..52bb153
--- /dev/null
+++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
@@ -0,0 +1,20 @@
+# This software is a part of ISAR.
+
+DESCRIPTION = "Isar configuration package for root password"
+MAINTAINER = "isar-users <isar-users@googlegroups.com>"
+DEBIAN_DEPENDS = "passwd"
+
+SRC_URI = "file://postinst.tmpl"
+
+TEMPLATE_FILES = "postinst.tmpl"
+TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
+
+CFG_ROOT_PW ??= ""
+CFG_ROOT_PW_ENC ??= ""
+CFG_ROOT_LOCKED ??= "0"
+
+inherit dpkg-raw
+
+do_install() {
+    echo "intentionally left blank"
+}
-- 
2.20.1

Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[Henning Schild]

Am Wed, 6 Feb 2019 14:41:39 +0100
schrieb "[ext] claudius.heine.ext@siemens.com"
<claudius.heine.ext@siemens.com>:

> From: Claudius Heine <ch@denx.de>
> 
> The isar-cfg-rootpw recipe is a central point to set the root password
> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
> or via `isar-cfg-rootpw.bbappend`.
> 
> This package is installed as a transient package to avoid leaking
> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> 
> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
> root password as clear text or encrypted, or are both empty, in which
> case login without password is possible. The encrypted password is
> preferred if both variables are set.

How about _ENC only? I do not really see the point to support two
versions here. Say someone still got the package, they would still have
to find a password matching the hash. So _ENC is better, and just one
way is simpler.

We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
encrypt a password. In fact that seems to depend on
rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
not the best idea after all.

We should demo setting a passwd in isar-image-base, a good idea for a
password would be "root" because that is what isar-only users already
know. And it might be in the docs ...

Henning

> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
> the root account, other values leave the account unlocked. Unlocking
> the account at a later point will restore the password set by
> `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
> 
> Signed-off-by: Claudius Heine <ch@denx.de>
> ---
>  RECIPE-API-CHANGELOG.md                       |  9 ++++++++
>  .../recipes-app/example-raw/files/postinst    |  4 ----
>  meta/classes/isar-image.bbclass               |  2 +-
>  .../isar-cfg-rootpw/files/postinst.tmpl       | 21
> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb        |
> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5
> deletions(-) create mode 100644
> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode
> 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index dcfbbee..7863e8a 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
>  
>  It's now sufficient to provide only kbuild rules. Makefile targets
> like modules or modules_install as well as KDIR and DESTDIR
> evaluation are no longer needed. +
> +### Remove setting of root passwords in custom packages
> +
> +Custom packages that are not installed via the
> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password
> via its script in /var/lib/dpkg/info. +
> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the
> password and use +the transient 'isar-cfg-rootpw' package (now
> installed as transient package per +default).
> diff --git a/meta-isar/recipes-app/example-raw/files/postinst
> b/meta-isar/recipes-app/example-raw/files/postinst index
> f60be8c..f48d993 100644 ---
> a/meta-isar/recipes-app/example-raw/files/postinst +++
> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@
> fi 
>  chown -R isar:isar /var/lib/isar
>  
> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh
> -# but we take the same password for this example
> -echo "root:root" | chpasswd
> -
>  echo "isar" > /etc/hostname
> diff --git a/meta/classes/isar-image.bbclass
> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644
> --- a/meta/classes/isar-image.bbclass
> +++ b/meta/classes/isar-image.bbclass
> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>  
>  DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>  
> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>  
>  WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>  
> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file
> mode 100644 index 0000000..7634f6a
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> @@ -0,0 +1,21 @@
> +#!/bin/sh
> +set -e
> +
> +if ! grep -q 'root:\*:' /etc/shadow; then
> +    echo "ERROR:isar-cfg-rootpw: root password was set by a
> different package" >&2
> +    exit -1
> +fi
> +
> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then
> +    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
> +elif [ -n "${CFG_ROOT_PW}" ]; then
> +    echo "root:${CFG_ROOT_PW}" | chpasswd
> +else
> +    passwd -d root
> +fi
> +
> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
> +    # Lock the account after setting the password, since unlocking
> it at some
> +    # point later would set it to the back to the previous one.
> +    passwd -l root
> +fi
> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file
> mode 100644 index 0000000..52bb153
> --- /dev/null
> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> @@ -0,0 +1,20 @@
> +# This software is a part of ISAR.
> +
> +DESCRIPTION = "Isar configuration package for root password"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "passwd"
> +
> +SRC_URI = "file://postinst.tmpl"
> +
> +TEMPLATE_FILES = "postinst.tmpl"
> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
> +
> +CFG_ROOT_PW ??= ""
> +CFG_ROOT_PW_ENC ??= ""
> +CFG_ROOT_LOCKED ??= "0"
> +
> +inherit dpkg-raw
> +
> +do_install() {
> +    echo "intentionally left blank"
> +}

Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[Claudius Heine]

Hi Henning,

On 06/02/2019 16.52, Henning Schild wrote:
> Am Wed, 6 Feb 2019 14:41:39 +0100
> schrieb "[ext] claudius.heine.ext@siemens.com"
> <claudius.heine.ext@siemens.com>:
> 
>> From: Claudius Heine <ch@denx.de>
>>
>> The isar-cfg-rootpw recipe is a central point to set the root password
>> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
>> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
>> or via `isar-cfg-rootpw.bbappend`.
>>
>> This package is installed as a transient package to avoid leaking
>> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
>>
>> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
>> root password as clear text or encrypted, or are both empty, in which
>> case login without password is possible. The encrypted password is
>> preferred if both variables are set.
> 
> How about _ENC only? I do not really see the point to support two
> versions here. Say someone still got the package, they would still have
> to find a password matching the hash. So _ENC is better, and just one
> way is simpler.

Well the code complexity differenct between supporting both and just one 
is pretty small. And I like options, so I would be in favor of having 
both possible. But if the consensus is to only support one, then I would 
go with _ENC only as well.

> 
> We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
> encrypt a password. In fact that seems to depend on
> rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
> not the best idea after all.

I think that is just the default algo used by passwd to create 
passwords, not the one enforced. Meaning I would still work if the set 
password was created with different options.

> 
> We should demo setting a passwd in isar-image-base, a good idea for a
> password would be "root" because that is what isar-only users already
> know. And it might be in the docs ...

Well the best way I can think of is using `mkpasswd`, but that tool is 
packed into the `whois` package for some strange, possibly historical 
reasons.

Cheers,
Claudius

> 
> Henning
> 
>> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock
>> the root account, other values leave the account unlocked. Unlocking
>> the account at a later point will restore the password set by
>> `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
>>
>> Signed-off-by: Claudius Heine <ch@denx.de>
>> ---
>>   RECIPE-API-CHANGELOG.md                       |  9 ++++++++
>>   .../recipes-app/example-raw/files/postinst    |  4 ----
>>   meta/classes/isar-image.bbclass               |  2 +-
>>   .../isar-cfg-rootpw/files/postinst.tmpl       | 21
>> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb        |
>> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5
>> deletions(-) create mode 100644
>> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode
>> 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
>>
>> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
>> index dcfbbee..7863e8a 100644
>> --- a/RECIPE-API-CHANGELOG.md
>> +++ b/RECIPE-API-CHANGELOG.md
>> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used.
>>   
>>   It's now sufficient to provide only kbuild rules. Makefile targets
>> like modules or modules_install as well as KDIR and DESTDIR
>> evaluation are no longer needed. +
>> +### Remove setting of root passwords in custom packages
>> +
>> +Custom packages that are not installed via the
>> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password
>> via its script in /var/lib/dpkg/info. +
>> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the
>> password and use +the transient 'isar-cfg-rootpw' package (now
>> installed as transient package per +default).
>> diff --git a/meta-isar/recipes-app/example-raw/files/postinst
>> b/meta-isar/recipes-app/example-raw/files/postinst index
>> f60be8c..f48d993 100644 ---
>> a/meta-isar/recipes-app/example-raw/files/postinst +++
>> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@
>> fi
>>   chown -R isar:isar /var/lib/isar
>>   
>> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh
>> -# but we take the same password for this example
>> -echo "root:root" | chpasswd
>> -
>>   echo "isar" > /etc/hostname
>> diff --git a/meta/classes/isar-image.bbclass
>> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644
>> --- a/meta/classes/isar-image.bbclass
>> +++ b/meta/classes/isar-image.bbclass
>> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>>   
>>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>>   
>> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
>> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>>   
>>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>>   
>> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
>> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file
>> mode 100644 index 0000000..7634f6a
>> --- /dev/null
>> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
>> @@ -0,0 +1,21 @@
>> +#!/bin/sh
>> +set -e
>> +
>> +if ! grep -q 'root:\*:' /etc/shadow; then
>> +    echo "ERROR:isar-cfg-rootpw: root password was set by a
>> different package" >&2
>> +    exit -1
>> +fi
>> +
>> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then
>> +    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
>> +elif [ -n "${CFG_ROOT_PW}" ]; then
>> +    echo "root:${CFG_ROOT_PW}" | chpasswd
>> +else
>> +    passwd -d root
>> +fi
>> +
>> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
>> +    # Lock the account after setting the password, since unlocking
>> it at some
>> +    # point later would set it to the back to the previous one.
>> +    passwd -l root
>> +fi
>> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
>> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file
>> mode 100644 index 0000000..52bb153
>> --- /dev/null
>> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
>> @@ -0,0 +1,20 @@
>> +# This software is a part of ISAR.
>> +
>> +DESCRIPTION = "Isar configuration package for root password"
>> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>> +DEBIAN_DEPENDS = "passwd"
>> +
>> +SRC_URI = "file://postinst.tmpl"
>> +
>> +TEMPLATE_FILES = "postinst.tmpl"
>> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
>> +
>> +CFG_ROOT_PW ??= ""
>> +CFG_ROOT_PW_ENC ??= ""
>> +CFG_ROOT_LOCKED ??= "0"
>> +
>> +inherit dpkg-raw
>> +
>> +do_install() {
>> +    echo "intentionally left blank"
>> +}
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password

[Henning Schild]

Am Wed, 6 Feb 2019 17:10:09 +0100
schrieb Claudius Heine <claudius.heine.ext@siemens.com>:

> Hi Henning,
> 
> On 06/02/2019 16.52, Henning Schild wrote:
> > Am Wed, 6 Feb 2019 14:41:39 +0100
> > schrieb "[ext] claudius.heine.ext@siemens.com"
> > <claudius.heine.ext@siemens.com>:
> >   
> >> From: Claudius Heine <ch@denx.de>
> >>
> >> The isar-cfg-rootpw recipe is a central point to set the root
> >> password for images. It provides the `CFG_ROOT_PW`,
> >> `CFG_ROOT_PW_ENC`, `CFG_ROOT_LOCKED` and variables, that can be
> >> set from any `.conf` file or via `isar-cfg-rootpw.bbappend`.
> >>
> >> This package is installed as a transient package to avoid leaking
> >> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
> >>
> >> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
> >> root password as clear text or encrypted, or are both empty, in
> >> which case login without password is possible. The encrypted
> >> password is preferred if both variables are set.  
> > 
> > How about _ENC only? I do not really see the point to support two
> > versions here. Say someone still got the package, they would still
> > have to find a password matching the hash. So _ENC is better, and
> > just one way is simpler.  
> 
> Well the code complexity differenct between supporting both and just
> one is pretty small. And I like options, so I would be in favor of
> having both possible. But if the consensus is to only support one,
> then I would go with _ENC only as well.

My take would be to only offer choice if there is a value in it,
because you pay with complexity. If all versions of chpasswd take
encrypted passwords, i do not see why plain ones should be supported. 
As usual, the ones discussing have to reach the consensus ... the other
ones agree with not speaking up ;).

> > We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
> > encrypt a password. In fact that seems to depend on
> > rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
> > not the best idea after all.  
> 
> I think that is just the default algo used by passwd to create 
> passwords, not the one enforced. Meaning I would still work if the
> set password was created with different options.

Ok, so any version of mkpasswd on any machine can create the magic
string that will be understood by any version of chpasswd. No reason to
support plain.

> > 
> > We should demo setting a passwd in isar-image-base, a good idea for
> > a password would be "root" because that is what isar-only users
> > already know. And it might be in the docs ...  
> 
> Well the best way I can think of is using `mkpasswd`, but that tool
> is packed into the `whois` package for some strange, possibly
> historical reasons.

Ok so the example would be ...
# echo root | mkpasswd -s
CFG_ROOT_PW_ENC="xxxYYY"

maybe in local.conf.example

Henning

> Cheers,
> Claudius
> 
> > 
> > Henning
> >   
> >> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to
> >> lock the root account, other values leave the account unlocked.
> >> Unlocking the account at a later point will restore the password
> >> set by `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`.
> >>
> >> Signed-off-by: Claudius Heine <ch@denx.de>
> >> ---
> >>   RECIPE-API-CHANGELOG.md                       |  9 ++++++++
> >>   .../recipes-app/example-raw/files/postinst    |  4 ----
> >>   meta/classes/isar-image.bbclass               |  2 +-
> >>   .../isar-cfg-rootpw/files/postinst.tmpl       | 21
> >> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb        |
> >> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5
> >> deletions(-) create mode 100644
> >> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create
> >> mode 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >>
> >> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> >> index dcfbbee..7863e8a 100644
> >> --- a/RECIPE-API-CHANGELOG.md
> >> +++ b/RECIPE-API-CHANGELOG.md
> >> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are
> >> used. 
> >>   It's now sufficient to provide only kbuild rules. Makefile
> >> targets like modules or modules_install as well as KDIR and DESTDIR
> >> evaluation are no longer needed. +
> >> +### Remove setting of root passwords in custom packages
> >> +
> >> +Custom packages that are not installed via the
> >> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that
> >> password via its script in /var/lib/dpkg/info. +
> >> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the
> >> password and use +the transient 'isar-cfg-rootpw' package (now
> >> installed as transient package per +default).
> >> diff --git a/meta-isar/recipes-app/example-raw/files/postinst
> >> b/meta-isar/recipes-app/example-raw/files/postinst index
> >> f60be8c..f48d993 100644 ---
> >> a/meta-isar/recipes-app/example-raw/files/postinst +++
> >> b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4
> >> @@ fi
> >>   chown -R isar:isar /var/lib/isar
> >>   
> >> -# this wins over
> >> meta-isar/recipes-core/images/files/*configscript.sh -# but we
> >> take the same password for this example -echo "root:root" |
> >> chpasswd -
> >>   echo "isar" > /etc/hostname
> >> diff --git a/meta/classes/isar-image.bbclass
> >> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644
> >> --- a/meta/classes/isar-image.bbclass
> >> +++ b/meta/classes/isar-image.bbclass
> >> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
> >>   
> >>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
> >>   
> >> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge"
> >> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
> >>   
> >>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
> >>   
> >> diff --git
> >> a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> >> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new
> >> file mode 100644 index 0000000..7634f6a --- /dev/null
> >> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl
> >> @@ -0,0 +1,21 @@
> >> +#!/bin/sh
> >> +set -e
> >> +
> >> +if ! grep -q 'root:\*:' /etc/shadow; then
> >> +    echo "ERROR:isar-cfg-rootpw: root password was set by a
> >> different package" >&2
> >> +    exit -1
> >> +fi
> >> +
> >> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then
> >> +    echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e
> >> +elif [ -n "${CFG_ROOT_PW}" ]; then
> >> +    echo "root:${CFG_ROOT_PW}" | chpasswd
> >> +else
> >> +    passwd -d root
> >> +fi
> >> +
> >> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then
> >> +    # Lock the account after setting the password, since unlocking
> >> it at some
> >> +    # point later would set it to the back to the previous one.
> >> +    passwd -l root
> >> +fi
> >> diff --git
> >> a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file
> >> mode 100644 index 0000000..52bb153 --- /dev/null
> >> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb
> >> @@ -0,0 +1,20 @@
> >> +# This software is a part of ISAR.
> >> +
> >> +DESCRIPTION = "Isar configuration package for root password"
> >> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> >> +DEBIAN_DEPENDS = "passwd"
> >> +
> >> +SRC_URI = "file://postinst.tmpl"
> >> +
> >> +TEMPLATE_FILES = "postinst.tmpl"
> >> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED"
> >> +
> >> +CFG_ROOT_PW ??= ""
> >> +CFG_ROOT_PW_ENC ??= ""
> >> +CFG_ROOT_LOCKED ??= "0"
> >> +
> >> +inherit dpkg-raw
> >> +
> >> +do_install() {
> >> +    echo "intentionally left blank"
> >> +}  
> >   
>