From patchwork Sat Dec 29 00:07:33 2012
X-Patchwork-Submitter: "Yann E. MORIN"
X-Patchwork-Id: 208607
From: "Yann E. MORIN"
To: buildroot@busybox.net
Date: Sat, 29 Dec 2012 01:07:33 +0100
Message-Id: <0e6cac687daa80382f614d38c6394947eab5d892.1356739565.git.yann.morin.1998@free.fr>
Cc: Thomas Petazzoni, "Yann E. MORIN"
Subject: [Buildroot] [PATCH 1/2] target: add option to set the root password

Add an option in the menuconfig to specify a root password.

If set to empty, no root password is created; otherwise, the password is
encrypted using MD5 (MD5 is not the default for crypt(3), DES-56 is, but
MD5 is widely available, not-so-strong, but not-so-weak either).

Add a check for 'mkpasswd' as a new dependency.

Signed-off-by: "Yann E. MORIN"
Cc: Arnout Vandecappelle
Cc: Thomas Petazzoni
---
Switched to using MD5 as per Arnout's suggestion:
    http://lists.busybox.net/pipermail/buildroot/2012-September/058712.html
---
 support/dependencies/dependencies.sh | 9 +++++++++
 system/Config.in | 21 +++++++++++++++++++++
 system/system.mk | 14 ++++++++++++++
 3 files changed, 44 insertions(+), 0 deletions(-)

diff --git a/support/dependencies/dependencies.sh b/support/dependencies/dependencies.sh index 7a02512..eb5a481 100755 --- a/support/dependencies/dependencies.sh +++ b/support/dependencies/dependencies.sh @@ -158,6 +158,7 @@ if grep ^BR2_TOOLCHAIN_BUILDROOT=y $CONFIG_FILE > /dev/null && \ exit 1 ; fi fi + if grep -q ^BR2_PACKAGE_CLASSPATH=y $CONFIG_FILE ; then for prog in javac jar; do if ! which $prog > /dev/null ; then 
@@ -166,3 +167,11 @@ if grep -q ^BR2_PACKAGE_CLASSPATH=y $CONFIG_FILE ; then fi done fi + +if grep -E '^BR2_TARGET_GENERIC_ROOT_PASSWD=".+"$' $CONFIG_FILE > /dev/null 2>&1; then + if ! which mkpasswd > /dev/null 2>&1; then + /bin/echo -e "\nYou need the 'mkpasswd' utility to set the root password\n" + /bin/echo -e "(in Debian/ubuntu, 'mkpasswd' provided by the whois package)\n" + exit 1 + fi +fi diff --git a/system/Config.in b/system/Config.in index a557ea0..deead86 100644 --- a/system/Config.in +++ b/system/Config.in @@ -12,6 +12,27 @@ config BR2_TARGET_GENERIC_ISSUE help Select system banner (/etc/issue) to be displayed at login. +config BR2_TARGET_GENERIC_ROOT_PASSWD + string "root password" + default "" + help + Set the initial root password (in clear). It will be md5-encrypted. + + If set to empty (the default), then no root password will be set, + and root will need no password to log in. + + WARNING! WARNING! + Although pretty strong, MD5 is now an old hash function, and + suffers from som weaknesses, which makes it susceptible to attacks. + It is showing its age, so this root password should not be trusted + to properly secure any product that can be shipped to the wide, + hostile world. + + WARNING! WARNING! + The password appears in clear in the .config file, and may appear + in the build log! Avoid using a valuable password if either the + .config file or the build log may be distributed! + choice prompt "/dev management" default BR2_ROOTFS_DEVICE_CREATION_STATIC diff --git a/system/system.mk b/system/system.mk index 353d0ba..a23feef 100644 --- a/system/system.mk +++ b/system/system.mk 
@@ -1,5 +1,6 @@ TARGET_GENERIC_HOSTNAME:=$(call qstrip,$(BR2_TARGET_GENERIC_HOSTNAME)) TARGET_GENERIC_ISSUE:=$(call qstrip,$(BR2_TARGET_GENERIC_ISSUE)) +TARGET_GENERIC_ROOT_PASSWD:=$(call qstrip,$(BR2_TARGET_GENERIC_ROOT_PASSWD)) TARGET_GENERIC_GETTY:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT)) TARGET_GENERIC_GETTY_BAUDRATE:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE)) TARGET_GENERIC_GETTY_TERM:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_TERM)) @@ -14,6 +15,13 @@ target-generic-issue: mkdir -p $(TARGET_DIR)/etc echo "$(TARGET_GENERIC_ISSUE)" > $(TARGET_DIR)/etc/issue +target-no-root-passwd: + $(SED) "s/^root:[^:]*:/root::/" $(TARGET_DIR)/etc/shadow + +target-root-passwd: + root_passwd="$$( mkpasswd -m md5 "$(TARGET_GENERIC_ROOT_PASSWD)" )"; \ + $(SED) "s,^root::,root:$${root_passwd}:," $(TARGET_DIR)/etc/shadow + target-generic-getty-busybox: $(SED) '/# GENERIC_SERIAL$$/s~^.*#~$(TARGET_GENERIC_GETTY)::respawn:/sbin/getty -L $(TARGET_GENERIC_GETTY) $(TARGET_GENERIC_GETTY_BAUDRATE) $(TARGET_GENERIC_GETTY_TERM) #~' \ $(TARGET_DIR)/etc/inittab @@ -40,6 +48,12 @@ ifneq ($(TARGET_GENERIC_ISSUE),) TARGETS += target-generic-issue endif +ifneq ($(TARGET_GENERIC_ROOT_PASSWD),) +TARGETS += target-root-passwd +else +TARGETS += target-no-root-passwd +endif + ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y) ifeq ($(BR2_PACKAGE_SYSVINIT),y) TARGETS += target-generic-getty-sysvinit
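Review bot: in support/dependencies/dependencies.sh, the hunk at @@ -158,6 +158,7 only adds a blank line before the BR2_PACKAGE_CLASSPATH check, which has nothing to do with the root password option. Drop it from this patch or send it as a separate cleanup.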
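Review bot: the new check appended to support/dependencies/dependencies.sh only verifies that some program named mkpasswd is on the PATH, while system.mk relies on `mkpasswd -m md5` actually working. Consider running that invocation on a dummy input here, so that an mkpasswd without MD5 support is reported by the dependency check and not in the middle of the build. On style: the neighbouring CLASSPATH check uses `grep -q`, so `grep -Eq` would be consistent here instead of redirecting to /dev/null, and 'ubuntu' in the message should be 'Ubuntu'.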
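Review bot: in the help text of BR2_TARGET_GENERIC_ROOT_PASSWD in system/Config.in, 'som weaknesses' should read 'some weaknesses', and 'md5-encrypted' is misleading because `mkpasswd -m md5` produces a hash, not something that can be decrypted; 'hashed with MD5' would be accurate. The first warning also opens with 'Although pretty strong' and then says the password should not be trusted for a shipped product, so it would read better if it simply stated that MD5 is weak and the option is meant for development images.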
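Review bot: in target-root-passwd (system/system.mk, hunk @@ -14,6 +15,13), the sed expression `s,^root::,root:$${root_passwd}:,` matches only while the root password field is still empty, so on a target directory whose shadow file already holds a hash (a rebuild after changing the option, for instance) the new password is silently not applied; use the same `^root:[^:]*:` pattern as target-no-root-passwd. The two commands are joined with `;`, so if mkpasswd fails root_passwd is empty and sed still runs, leaving `root::` (no password) without any error; chain them with `&&` or fail when the result is empty. The password is also expanded by make inside a double-quoted shell string, so a password containing a double quote, `$`, a backquote or a backslash will be mangled or break the command, and since the recipe line is not prefixed with `@` the clear password is echoed into the build log, which is the leak the Config.in help warns about.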
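Review bot: the else branch in the last system/system.mk hunk (@@ -40,6 +48,12) adds target-no-root-passwd whenever the option is empty, which is the default, and the new block sits outside the `ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)` guard that follows it. With a custom skeleton whose /etc/shadow already carries a root hash, a default configuration would therefore blank that hash and leave root without a password. Either restrict the else branch to the default skeleton, or drop it and leave the shadow file untouched when no password is configured.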