| Message ID | 20130702085224.GA25620@berrier.lan |
|---|---|
| State | Rejected |
| Headers | show |
Wade, All,
On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
> No need to replace the password in etc/shadow with a blank password.
How do you differentiate between those two cases:
- use an empty password,
- do not change the existing password?
My opinion is that we do want to be able to set an empty pasword,
especially in the case of a custom skeleton. This makes it systematic,
so the user knows what to expect.
If you want to not use the config option to handle the root password,
then you can use either:
- a post-build script, or
- a skeleton overlay.
(If I read the Makefiles correctly, skeleton overlays are handled during
target-finalize, which is called after target-root-passwd, so the
overlay should take precedence over the root password option. To be
confirmed...)
Regards,
Yann E. MORIN.
Hello, On Jul 02 19:31, Yann E. MORIN wrote: > Wade, All, > > On 2013-07-02 02:52 -0600, Wade Berrier spake thusly: > > No need to replace the password in etc/shadow with a blank password. > > How do you differentiate between those two cases: > - use an empty password, > - do not change the existing password? > > My opinion is that we do want to be able to set an empty pasword, > especially in the case of a custom skeleton. This makes it systematic, > so the user knows what to expect. If that's desired, then yes, my patch isn't a good solution. > > If you want to not use the config option to handle the root password, > then you can use either: > - a post-build script, or > - a skeleton overlay. > > (If I read the Makefiles correctly, skeleton overlays are handled during > target-finalize, which is called after target-root-passwd, so the > overlay should take precedence over the root password option. To be > confirmed...) I guess one real issue is that mkpasswd on redhat fails and returns an empty hash, which is inserted into the shadow file. Maybe the thing to do to work across distros would be to compile the correct mkpasswd as a host- package? In the meantime I think your suggestions of using a custom overlay or post build script should work great. Thanks, Wade
Hi, On Wed, Jul 3, 2013 at 6:46 AM, Wade Berrier <wberrier@gmail.com> wrote: > Hello, > > On Jul 02 19:31, Yann E. MORIN wrote: >> Wade, All, >> >> On 2013-07-02 02:52 -0600, Wade Berrier spake thusly: >> > No need to replace the password in etc/shadow with a blank password. >> >> How do you differentiate between those two cases: >> - use an empty password, >> - do not change the existing password? >> >> My opinion is that we do want to be able to set an empty pasword, >> especially in the case of a custom skeleton. This makes it systematic, >> so the user knows what to expect. > > If that's desired, then yes, my patch isn't a good solution. > >> >> If you want to not use the config option to handle the root password, >> then you can use either: >> - a post-build script, or >> - a skeleton overlay. >> >> (If I read the Makefiles correctly, skeleton overlays are handled during >> target-finalize, which is called after target-root-passwd, so the >> overlay should take precedence over the root password option. To be >> confirmed...) > > I guess one real issue is that mkpasswd on redhat fails and returns an empty > hash, which is inserted into the shadow file. > > Maybe the thing to do to work across distros would be to compile the correct > mkpasswd as a host- package? Recently, another mkpasswd related problem popped up: seems that on (some?) Slackware boxes, mkpasswd does not support -m <method>, and buildroot fails. See http://lists.busybox.net/pipermail/buildroot/2013-July/075771.html. Making sure we always use the same mkpasswd would help in both cases. Should we create a separate host-mkpasswd package based on the whois sources? (https://github.com/rfc1036/whois) Or should we add the whois package, and depend on that? To me, the former seems more appropriate... Best regards, Thomas
Dear Thomas De Schampheleire, On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote: > Should we create a separate host-mkpasswd package based on the whois > sources? (https://github.com/rfc1036/whois) > Or should we add the whois package, and depend on that? > To me, the former seems more appropriate... If we can make a very simple host-mkpasswd package like we have the host-makedevs package (with the source code included in package/<dir>/), I think it would be good. Thomas
Hi Wade, On Sun, Jul 28, 2013 at 3:06 PM, Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote: > Dear Thomas De Schampheleire, > > On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote: > >> Should we create a separate host-mkpasswd package based on the whois >> sources? (https://github.com/rfc1036/whois) >> Or should we add the whois package, and depend on that? >> To me, the former seems more appropriate... > > If we can make a very simple host-mkpasswd package like we have the > host-makedevs package (with the source code included in > package/<dir>/), I think it would be good. > Since a host-mkpasswd package has been merged now, which should fix problems on some Redhat and Slackware machines, and given the comments given by Yann, do you agree to drop this patch? Best regards, Thomas
Thomas De Schampheleire <patrickdepinguin+buildroot@gmail.com> wrote: >Hi Wade, > >On Sun, Jul 28, 2013 at 3:06 PM, Thomas Petazzoni ><thomas.petazzoni@free-electrons.com> wrote: >> Dear Thomas De Schampheleire, >> >> On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote: >> >>> Should we create a separate host-mkpasswd package based on the whois >>> sources? (https://github.com/rfc1036/whois) >>> Or should we add the whois package, and depend on that? >>> To me, the former seems more appropriate... >> >> If we can make a very simple host-mkpasswd package like we have the >> host-makedevs package (with the source code included in >> package/<dir>/), I think it would be good. >> > >Since a host-mkpasswd package has been merged now, which should fix >problems on some Redhat and Slackware machines, and given the comments >given by Yann, do you agree to drop this patch? > >Best regards, >Thomas Yes, looking forward to trying the host package out. Thanks!
diff --git a/system/system.mk b/system/system.mk index 50c86ad..fa98532 100644 --- a/system/system.mk +++ b/system/system.mk @@ -57,7 +57,9 @@ TARGETS += target-generic-issue endif ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y) +ifneq ($(TARGET_GENERIC_ROOT_PASSWD),) TARGETS += target-root-passwd +endif ifneq ($(TARGET_GENERIC_GETTY),) TARGETS += target-generic-getty-$(if $(BR2_PACKAGE_SYSVINIT),sysvinit,busybox)
No need to replace the password in etc/shadow with a blank password. This also helps alleviate the situation when etc/shadow contains a password which isn't meant to be blown away with a blank root password because mkpasswd is non-functioning (rhel6). This is somewhat of a workaround for distros (rhel6, and maybe fedora?) that don't have a compatible mkpasswd. They have grub-crypt, but it doesn't appear to be as script friendly. Signed-off-by: Wade Berrier <wberrier@gmail.com> --- system/system.mk | 2 ++ 1 file changed, 2 insertions(+)