* Expired root user
From: Gylstorff Quirin @ 2022-05-05 15:27 UTC (permalink / raw)
To: Claudius Heine, Kiszka, Jan (CT RDA IOT SES-DE), isar-users
Hi all,
in meta-iot2050[1] the password of the root user is set to expired to
force the user to reset the password during the first boot. This is
currently done in a postinst [2] by calling:
```
passwd --expire root
```
An alternative way would be the setting:
```
USER_root[expire] = "1970-01-01"
```
Both variants have the issue that the installation of packages which add
new users will fail with an error message similar to:
```
Setting up systemd (247.3-7) ...
Created symlink
/etc/systemd/system/getty.target.wants/getty@tty1.service ->
/lib/systemd/system/getty@.service.
Created symlink
/etc/systemd/system/multi-user.target.wants/remote-fs.target ->
/lib/systemd/system/remote-fs.target.
Created symlink
/etc/systemd/system/sysinit.target.wants/systemd-pstore.service ->
/lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Your account has expired; please contact your system administrator.
chfn: PAM: Authentication failure
adduser: `/bin/chfn -f systemd Network Management systemd-network'
returned error code 1. Exiting.
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned
error exit status 1
Setting up dmsetup (2:1.02.175-2.1) ...
Errors were encountered while processing:
systemd
E: Sub-process /usr/bin/dpkg returned an error code (1)
WARNING: exit code 100 from a shell command.
```
Possible solutions are:
- moving the account creation / modification to the rootfs postprocessing
- using the systemd first boot service[3] for changing the root password
Claudius, was there a reason why the accounts are created/modified
before installing the rootfs? You added the functionality with
163f50 meta/classes: add image-account-extension class
Quirin
[1]: https://github.com/siemens/meta-iot2050
[2]: https://github.com/siemens/meta-iot2050/blob/master/recipes-core/customizations-example/files/postinst
[3]: https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html#
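A pre-install guard for the failure described in this message, added here as an example and not code from the thread, meta-iot2050 or isar: it reads root's shadow(5) entry in a rootfs and reports whether a forced password change (last-change field 0, as set by `passwd --expire`) or an account expiry date that has already passed is in effect before packages are configured. The function names, the sample entries and the rule that an expire value of 0 counts as expired are assumptions of the example.

```shell
#!/bin/sh
# Constructed sample shadow(5) entries (not from the thread). Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_OK='root:*:19117:0:99999:7:::'
SAMPLE_MUST_CHANGE='root:*:0:0:99999:7:::'    # lastchg = 0: change forced at next login
SAMPLE_EXPIRED='root:*:19117:0:99999:7::0:'   # expire = day 0 = 1970-01-01

# shadow_state USER FILE [TODAY]  (hypothetical helper)
# Prints "ok", "must-change", "expired" or "missing" for USER in FILE.
# TODAY is in days since 1970-01-01 and defaults to the current date.
shadow_state() {
    user=$1 file=$2
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$user" -v today="$today" '
        $1 == u {
            found = 1
            # Assumption of this example: any expire value at or before
            # today, including 0, is reported as expired.
            if ($8 != "" && $8 + 0 <= today + 0) state = "expired"
            else if ($3 == "0")                  state = "must-change"
            else                                 state = "ok"
            print state
            exit
        }
        END { if (!found) print "missing" }
    ' "$file"
}

# guard_rootfs ROOTFS  (hypothetical helper)
# Returns non-zero if root's aging state is anything but "ok", so the
# build can stop before maintainer scripts call adduser/chfn.
guard_rootfs() {
    state=$(shadow_state root "$1/etc/shadow") || return 2
    [ "$state" = ok ] && return 0
    echo "root is '$state' in $1/etc/shadow; expire it after package installation" >&2
    return 1
}

# Demo on the constructed samples above.
demo() {
    tmp=$(mktemp) || return 1
    for line in "$SAMPLE_OK" "$SAMPLE_MUST_CHANGE" "$SAMPLE_EXPIRED"; do
        printf '%s\n' "$line" > "$tmp"
        printf '%-28s -> %s\n' "$line" "$(shadow_state root "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

Calling `guard_rootfs` on the rootfs directory right before the package installation step turns the late `chfn: PAM: Authentication failure` into an early, explicit build error.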
* Re: Expired root user
From: Claudius Heine @ 2022-05-05 16:18 UTC (permalink / raw)
To: Gylstorff Quirin, Kiszka, Jan (CT RDA IOT SES-DE), isar-users
Hi Quirin,
On 2022-05-05 17:27, Gylstorff Quirin wrote:
[...]
>
> Possible solutions are:
> - moving the account creation / modification to the rootfs postprocessing
> - using the systemd first boot service[3] for changing the root password
>
> Claudius, was there a reason why the accounts are created/modified
> before installing the rootfs? You added the functionality with
> 163f50 meta/classes: add image-account-extension class
TBH, I don't remember, so I would have to guess. It might be that some
packages that were built by isar and installed later might rely on
those users' and groups' existence, but why they cannot create their own
stuff in a pre/postinst or via sysusers.d [1], I currently don't
remember. Maybe because certain GIDs and UIDs need to be fixed to specific
users/groups over any builds, and adding them dynamically in packages
might change them depending on the order they are installed.
I guess just moving it to the postprocess step, building some projects and
seeing if anything breaks is probably necessary at this point, if you don't
see any reason for it.
Sorry that I am not that helpful.
kind regards,
Claudius,
[1] https://manpages.debian.org/buster/systemd/sysusers.d.5.en.html