Subject: Re: [PATCH 1/1] meta: add isar-cfg-rootpw recipe for setting root password
To: Henning Schild
Cc: isar-users@googlegroups.com, Claudius Heine
From: Claudius Heine
Date: Wed, 6 Feb 2019 17:10:09 +0100
Message-ID: <80b02340-7bef-4116-9495-828dd751eaec@siemens.com>
In-Reply-To: <20190206165214.74653294@md1za8fc.ad001.siemens.net>
References: <20190206134139.1597-1-claudius.heine.ext@siemens.com> <20190206134139.1597-2-claudius.heine.ext@siemens.com> <20190206165214.74653294@md1za8fc.ad001.siemens.net>

Hi Henning,

On 06/02/2019 16.52, Henning Schild wrote:
> On Wed, 6 Feb 2019 14:41:39 +0100,
> "[ext] claudius.heine.ext@siemens.com" wrote:
>
>> From: Claudius Heine
>>
>> The isar-cfg-rootpw recipe is a central point to set the root password
>> for images. It provides the `CFG_ROOT_PW`, `CFG_ROOT_PW_ENC`,
>> `CFG_ROOT_LOCKED` and variables, that can be set from any `.conf` file
>> or via `isar-cfg-rootpw.bbappend`.
>>
>> This package is installed as a transient package to avoid leaking
>> passwords set by it via the scripts in `/var/lib/dpkg/info/`.
>>
>> The `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` variables contain either a
>> root password as clear text or encrypted, or are both empty, in which
>> case login without password is possible. The encrypted password is
>> preferred if both variables are set.
>
> How about _ENC only? I do not really see the point to support two
> versions here. Say someone still got the package, they would still have
> to find a password matching the hash. So _ENC is better, and just one
> way is simpler.

Well the code complexity difference between supporting both and just one
is pretty small. And I like options, so I would be in favor of having
both possible. But if the consensus is to only support one, then I would
go with _ENC only as well.

>
> We do need an example/doc how to fill CFG_ROOT_PW_ENC. So how to
> encrypt a password. In fact that seems to depend on
> rootfs/etc/login.defs ... maybe meaning that supporting _ENC is
> not the best idea after all.

I think that is just the default algo used by passwd to create passwords,
not the one enforced. Meaning it would still work if the set password
was created with different options.

>
> We should demo setting a passwd in isar-image-base, a good idea for a
> password would be "root" because that is what isar-only users already
> know. And it might be in the docs ...

Well the best way I can think of is using `mkpasswd`, but that tool is
packed into the `whois` package for some strange, possibly historical
reasons.

Cheers, Claudius > > Henning > >> The `CFG_ROOT_LOCKED` variable that can be set to "1" in order to lock >> the root account, other values leave the account unlocked. Unlocking >> the account at a later point will restore the password set by >> `CFG_ROOT_PW` or `CFG_ROOT_PW_ENC`. >> >> Signed-off-by: Claudius Heine >> --- >> RECIPE-API-CHANGELOG.md | 9 ++++++++ >> .../recipes-app/example-raw/files/postinst | 4 ---- >> meta/classes/isar-image.bbclass | 2 +- >> .../isar-cfg-rootpw/files/postinst.tmpl | 21 >> +++++++++++++++++++ .../isar-cfg-rootpw/isar-cfg-rootpw.bb | >> 20 ++++++++++++++++++ 5 files changed, 51 insertions(+), 5 >> deletions(-) create mode 100644 >> meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode >> 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb >> >> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md >> index dcfbbee..7863e8a 100644 >> --- a/RECIPE-API-CHANGELOG.md >> +++ b/RECIPE-API-CHANGELOG.md >> @@ -136,3 +136,12 @@ files). Otherwise, default permissions are used. >> >> It's now sufficient to provide only kbuild rules. Makefile targets >> like modules or modules_install as well as KDIR and DESTDIR >> evaluation are no longer needed. + >> +### Remove setting of root passwords in custom packages >> + >> +Custom packages that are not installed via the >> IMAGE_TRANSIENT_PACKAGES and set +a root password, leak that password >> via its script in /var/lib/dpkg/info. + >> +Instead set the CFG_ROOT_PW or CFG_ROOT_PW_ENC variables to the >> password and use +the transient 'isar-cfg-rootpw' package (now >> installed as transient package per +default). >> diff --git a/meta-isar/recipes-app/example-raw/files/postinst >> b/meta-isar/recipes-app/example-raw/files/postinst index >> f60be8c..f48d993 100644 --- >> a/meta-isar/recipes-app/example-raw/files/postinst +++ >> b/meta-isar/recipes-app/example-raw/files/postinst 
@@ -15,8 +15,4 @@ >> fi >> chown -R isar:isar /var/lib/isar >> >> -# this wins over meta-isar/recipes-core/images/files/*configscript.sh >> -# but we take the same password for this example >> -echo "root:root" | chpasswd >> - >> echo "isar" > /etc/hostname >> diff --git a/meta/classes/isar-image.bbclass >> b/meta/classes/isar-image.bbclass index e2bae58..cdd1651 100644 >> --- a/meta/classes/isar-image.bbclass >> +++ b/meta/classes/isar-image.bbclass >> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" >> >> DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" >> >> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge" >> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" >> >> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >> >> diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl >> b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file >> mode 100644 index 0000000..7634f6a >> --- /dev/null >> +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl >> @@ -0,0 +1,21 @@ >> +#!/bin/sh >> +set -e >> + >> +if ! grep -q 'root:\*:' /etc/shadow; then >> + echo "ERROR:isar-cfg-rootpw: root password was set by a >> different package" >&2 >> + exit -1 >> +fi >> + >> +if [ -n "${CFG_ROOT_PW_ENC}" ]; then >> + echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e >> +elif [ -n "${CFG_ROOT_PW}" ]; then >> + echo "root:${CFG_ROOT_PW}" | chpasswd >> +else >> + passwd -d root >> +fi >> + >> +if [ "${CFG_ROOT_LOCKED}" = "1" ]; then >> + # Lock the account after setting the password, since unlocking >> it at some >> + # point later would set it to the back to the previous one. >> + passwd -l root >> +fi >> diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb >> b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file >> mode 100644 index 0000000..52bb153 >> --- /dev/null >> +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb 
>> @@ -0,0 +1,20 @@ >> +# This software is a part of ISAR. >> + >> +DESCRIPTION = "Isar configuration package for root password" >> +MAINTAINER = "isar-users " >> +DEBIAN_DEPENDS = "passwd" >> + >> +SRC_URI = "file://postinst.tmpl" >> + >> +TEMPLATE_FILES = "postinst.tmpl" >> +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_PW_ENC CFG_ROOT_LOCKED" >> + >> +CFG_ROOT_PW ??= "" >> +CFG_ROOT_PW_ENC ??= "" >> +CFG_ROOT_LOCKED ??= "0" >> + >> +inherit dpkg-raw >> + >> +do_install() { >> + echo "intentionally left blank" >> +} > -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de
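
Review bot: In meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl the template values sit inside double-quoted shell strings (`echo "root:${CFG_ROOT_PW_ENC}" | chpasswd -e`), so if the template step writes the value into the script as text, every `$` of a crypt hash in the `$6$...` form is expanded again by /bin/sh when the postinst runs and chpasswd receives a different string than the one configured; the same applies to `$`, backticks, `"` and `\` in `CFG_ROOT_PW`. Emit the value in single quotes (with embedded single quotes escaped at template time) or feed it through a here-document with a quoted delimiter. In the same hunk, `exit -1` is outside the 0-255 range POSIX sh defines for exit, so use `exit 1`, and `grep -q 'root:\*:'` is unanchored and also matches an account whose name merely ends in "root", so use `'^root:\*:'`.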
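
Review bot: In meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb the defaults `CFG_ROOT_PW ??= ""` and `CFG_ROOT_PW_ENC ??= ""` send the postinst into its `passwd -d root` branch, and the isar-image.bbclass hunk adds the package to IMAGE_TRANSIENT_PACKAGES for every image, so an image that sets none of the variables ends up with a password-less, unlocked root account. Consider `CFG_ROOT_LOCKED ??= "1"` as the default, or leave the existing `root:*:` entry untouched when both password variables are empty, so that an open root login has to be requested explicitly.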
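
Review bot: The RECIPE-API-CHANGELOG.md entry names `CFG_ROOT_PW` and `CFG_ROOT_PW_ENC` but not `CFG_ROOT_LOCKED`, and it does not say that `CFG_ROOT_PW_ENC` is handed to `chpasswd -e` and therefore has to be an already hashed value, nor that leaving both variables empty removes the root password. Add these three points to the entry, since it is the only user-facing documentation in the patch.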
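
Added example, not part of the original mail or of Isar: a POSIX sh check for a value meant for `CFG_ROOT_PW_ENC`, following the question above of how that variable gets filled and whether `login.defs` matters. crypt(3) picks the algorithm from the `$id$` prefix stored in the hash itself, so the check reads that prefix and rejects clear text put into the variable by mistake; the function name `crypt_scheme`, the accepted character set and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Isar code).
# crypt_scheme VALUE: print the crypt(3) scheme of VALUE and return 0,
# or return 1 if VALUE is not a well-formed "$id$..." hash.
crypt_scheme() {
    hash=$1
    # Allow only the crypt(3) alphabet plus '$' and '=' (as in "rounds=").
    # A ':' or newline would corrupt the "root:<hash>" line chpasswd reads.
    # The '#' sentinel keeps a trailing newline from being stripped by $().
    rest=$(printf '%s#' "$hash" | LC_ALL=C tr -d 'A-Za-z0-9./$=')
    [ "$rest" = "#" ] || return 1

    digest=${hash##*'$'}        # text after the last '$'
    case $hash in
        '$6$'*) scheme=sha512crypt; want=86 ;;
        '$5$'*) scheme=sha256crypt; want=43 ;;
        '$1$'*) scheme=md5crypt;    want=22 ;;
        '$y$'*) scheme=yescrypt;    want=0 ;;   # length not checked here
        '$2a$'*|'$2b$'*|'$2y$'*) scheme=bcrypt; want=0 ;;
        *) return 1 ;;          # no "$id$" prefix: clear text or legacy DES
    esac
    # For the schemes with a fixed digest length, a truncated paste is caught.
    [ "$want" -eq 0 ] || [ "${#digest}" -eq "$want" ] || return 1
    printf '%s\n' "$scheme"
}

# Constructed samples: the first has the shape of a SHA-512 crypt hash but is
# not the hash of any real password; the second is clear text set by mistake.
sample="\$6\$examplesalt\$$(printf '%086d' 0)"
for value in "$sample" "root"; do
    if scheme=$(crypt_scheme "$value"); then
        echo "accepted: $scheme"
    else
        echo "rejected: not a crypt(3) hash"
    fi
done
```

Because the prefix travels with the stored hash, a value produced with a different method than the `ENCRYPT_METHOD` in the image's `login.defs` still classifies and verifies the same way.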