* [PATCH] meta: image-account-extension: allow clear-text-passwords
@ 2021-08-09 14:45 Henning Schild
2021-08-24 13:47 ` Anton Mikanovich
0 siblings, 1 reply; 2+ messages in thread
From: Henning Schild @ 2021-08-09 14:45 UTC (permalink / raw)
To: isar-users; +Cc: Claudius Heine, Jan Kiszka, Henning Schild
When setting a password, having to always do so in encrypted form seems
a little overkill. We often see the clear-text as comment above the
encrypted version anyways. Allowing to set the password as clear-text
makes it more obvious that things might not be super-secure, while
making a layer more readable ... say you are looking for the password an
image asks for.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
doc/user_manual.md | 1 +
meta-isar/conf/local.conf.sample | 3 +++
meta/classes/image-account-extension.bbclass | 10 +++++++---
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/doc/user_manual.md b/doc/user_manual.md
index cf7dc2fee35e..1da0e9d4ee98 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -633,6 +633,7 @@ The `USERS` and `USER_<username>` variable works similar to the `GROUPS` and `GR
- `create-home` - `useradd` will be called with `-m` to force creation of the users home directory.
- `system` - `useradd` will be called with `--system`.
- `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password.
+ - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it.
#### Home directory contents prefilling
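Review bot: the new `clear-text-password` entry in the flag list does not say what this means for the layer or the image. It should state that the password is then stored readable in the configuration that sets `USER_<username>[password]`, and that the hash written into the image is produced by `chpasswd` at build time rather than supplied by the user. One more sentence in this bullet would be enough, for example that the flag is intended for development or demo images.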
diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 6cf1656d8b01..96a8beb31196 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -217,5 +217,8 @@ USER_isar[home] = "/var/lib/isar"
USER_isar[comment] = "My isar user"
USER_isar[flags] = "system create-home"
+USER_isar[password] = "isar"
+USER_isar[flags] += "clear-text-password"
+
# Uncomment the below line to debug WIC.
# WIC_CREATE_EXTRA_ARGS += "-D"
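Review bot: the two added `USER_isar[...]` lines are active rather than commented out, so every build that starts from `local.conf.sample` gets an `isar` account whose password equals the user name. Please either comment them out like the other optional settings in this file, or put a comment line above them saying that this is a demo credential that has to be changed or removed before an image is deployed.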
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 70c2bfa2b6f2..c9bebe85c2b5 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -8,7 +8,7 @@
USERS ??= ""
#USERS += "root"
-#USER_root[password] = "" # Encrypted password
+#USER_root[password] = "" # Encrypted password, or clear-text when [flags] = "clear-text-password"
#USER_root[expire] = ""
#USER_root[inactive] = ""
#USER_root[uid] = ""
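Review bot: style point on the changed `#USER_root[password]` comment: `[flags] = "clear-text-password"` reads as if the flag had to be the only value, while `flags` is a list and the sample config uses `+=`. Wording such as "clear-text when [flags] contains clear-text-password" matches how the flag is tested in `image_configure_accounts()`.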
@@ -17,7 +17,7 @@ USERS ??= ""
#USER_root[home] = "/home/root"
#USER_root[shell] = "/bin/sh"
#USER_root[groups] = "audio video"
-#USER_root[flags] = "no-create-home create-home system allow-empty-password"
+#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password"
GROUPS ??= ""
@@ -252,8 +252,12 @@ image_configure_accounts() {
# Set password:
if [ -n "$password" -o "${flags}" != "${flags%*,allow-empty-password,*}" ]; then
+ chpasswd_args="-e"
+ if [ "${flags}" != "${flags%*,clear-text-password,*}" ]; then
+ chpasswd_args=""
+ fi
printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \
- /usr/sbin/chpasswd -e
+ /usr/sbin/chpasswd $chpasswd_args
fi
done
}
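Review bot: the outer `if [ -n "$password" -o ... allow-empty-password ... ]` still lets an empty `$password` through, and with `clear-text-password` set that empty value is now piped to `chpasswd` without `-e`, a combination that neither this hunk nor the documentation change covers. Either reject `allow-empty-password` together with `clear-text-password` when the password is empty, or keep `-e` for the empty case and document which one wins. Second point on the same lines: once `chpasswd_args` is empty, the hashing method is whatever `chpasswd` inside `${ROOTFSDIR}` defaults to, so the strength of the stored hash depends on the target root filesystem; consider stating that in a comment next to `chpasswd_args=""` or passing the method explicitly. The unquoted `$chpasswd_args` relies on word splitting to drop the empty argument, which deserves a short comment so nobody quotes it later.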
--
2.31.1
* Re: [PATCH] meta: image-account-extension: allow clear-text-passwords
2021-08-09 14:45 [PATCH] meta: image-account-extension: allow clear-text-passwords Henning Schild
@ 2021-08-24 13:47 ` Anton Mikanovich
0 siblings, 0 replies; 2+ messages in thread
From: Anton Mikanovich @ 2021-08-24 13:47 UTC (permalink / raw)
To: Henning Schild, isar-users; +Cc: Claudius Heine, Jan Kiszka
09.08.2021 17:45, Henning Schild wrote:
> When setting a password, having to always do so in encrypted form seems
> a little overkill. We often see the clear-text as comment above the
> encrypted version anyways. Allowing to set the password as clear-text
> makes it more obvious that things might not be super-secure, while
> making a layer more readable ... say you are looking for the password an
> image asks for.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
Applied to next, thanks.
--
Anton Mikanovich
Promwad Ltd.
External service provider of ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn, Germany
+49 (89) 122 67 24-0
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov