Patchwork system: only set the root password if it's not empty

login
register
mail settings
Submitter Wade Berrier
Date July 2, 2013, 8:52 a.m.
Message ID <20130702085224.GA25620@berrier.lan>
Download mbox | patch
Permalink /patch/256303/
State Rejected
Headers show

Comments

Wade Berrier - July 2, 2013, 8:52 a.m.
No need to replace the password in etc/shadow with a blank password.

This also helps alleviate the situation when etc/shadow contains a password
which isn't meant to be blown away with a blank root password because mkpasswd
is non-functioning (rhel6).

This is somewhat of a workaround for distros (rhel6, and maybe fedora?) that
don't have a compatible mkpasswd.  They have grub-crypt, but it doesn't appear
to be as script friendly.

Signed-off-by: Wade Berrier <wberrier@gmail.com>
---
 system/system.mk |    2 ++
 1 file changed, 2 insertions(+)
Yann E. MORIN - July 2, 2013, 5:31 p.m.
Wade, All,

On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
> No need to replace the password in etc/shadow with a blank password.

How do you differentiate between those two cases:
  - use an empty password,
  - do not change the existing password?

My opinion is that we do want to be able to set an empty pasword,
especially in the case of a custom skeleton. This makes it systematic,
so the user knows what to expect.

If you want to not use the config option to handle the root password,
then you can use either:
  - a post-build script, or
  - a skeleton overlay.

(If I read the Makefiles correctly, skeleton overlays are handled during
target-finalize, which is called after target-root-passwd, so the
overlay should take precedence over the root password option. To be
confirmed...)

Regards,
Yann E. MORIN.
Wade Berrier - July 3, 2013, 4:46 a.m.
Hello,

On Jul 02 19:31, Yann E. MORIN wrote:
> Wade, All,
> 
> On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
> > No need to replace the password in etc/shadow with a blank password.
> 
> How do you differentiate between those two cases:
>   - use an empty password,
>   - do not change the existing password?
> 
> My opinion is that we do want to be able to set an empty pasword,
> especially in the case of a custom skeleton. This makes it systematic,
> so the user knows what to expect.

If that's desired, then yes, my patch isn't a good solution.

> 
> If you want to not use the config option to handle the root password,
> then you can use either:
>   - a post-build script, or
>   - a skeleton overlay.
> 
> (If I read the Makefiles correctly, skeleton overlays are handled during
> target-finalize, which is called after target-root-passwd, so the
> overlay should take precedence over the root password option. To be
> confirmed...)

I guess one real issue is that mkpasswd on redhat fails and returns an empty
hash, which is inserted into the shadow file.

Maybe the thing to do to work across distros would be to compile the correct
mkpasswd as a host- package?

In the meantime I think your suggestions of using a custom overlay or post build
script should work great.

Thanks,

Wade
Thomas De Schampheleire - July 28, 2013, 8:40 a.m.
Hi,

On Wed, Jul 3, 2013 at 6:46 AM, Wade Berrier <wberrier@gmail.com> wrote:
> Hello,
>
> On Jul 02 19:31, Yann E. MORIN wrote:
>> Wade, All,
>>
>> On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
>> > No need to replace the password in etc/shadow with a blank password.
>>
>> How do you differentiate between those two cases:
>>   - use an empty password,
>>   - do not change the existing password?
>>
>> My opinion is that we do want to be able to set an empty pasword,
>> especially in the case of a custom skeleton. This makes it systematic,
>> so the user knows what to expect.
>
> If that's desired, then yes, my patch isn't a good solution.
>
>>
>> If you want to not use the config option to handle the root password,
>> then you can use either:
>>   - a post-build script, or
>>   - a skeleton overlay.
>>
>> (If I read the Makefiles correctly, skeleton overlays are handled during
>> target-finalize, which is called after target-root-passwd, so the
>> overlay should take precedence over the root password option. To be
>> confirmed...)
>
> I guess one real issue is that mkpasswd on redhat fails and returns an empty
> hash, which is inserted into the shadow file.
>
> Maybe the thing to do to work across distros would be to compile the correct
> mkpasswd as a host- package?

Recently, another mkpasswd related problem popped up: seems that on
(some?) Slackware boxes, mkpasswd does not support -m <method>, and
buildroot fails. See
http://lists.busybox.net/pipermail/buildroot/2013-July/075771.html.
Making sure we always use the same mkpasswd would help in both cases.

Should we create a separate host-mkpasswd package based on the whois
sources? (https://github.com/rfc1036/whois)
Or should we add the whois package, and depend on that?
To me, the former seems more appropriate...

Best regards,
Thomas
Thomas Petazzoni - July 28, 2013, 1:06 p.m.
Dear Thomas De Schampheleire,

On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote:

> Should we create a separate host-mkpasswd package based on the whois
> sources? (https://github.com/rfc1036/whois)
> Or should we add the whois package, and depend on that?
> To me, the former seems more appropriate...

If we can make a very simple host-mkpasswd package like we have the
host-makedevs package (with the source code included in
package/<dir>/), I think it would be good.

Thomas
Thomas De Schampheleire - Sept. 5, 2013, 7:24 a.m.
Hi Wade,

On Sun, Jul 28, 2013 at 3:06 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Thomas De Schampheleire,
>
> On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote:
>
>> Should we create a separate host-mkpasswd package based on the whois
>> sources? (https://github.com/rfc1036/whois)
>> Or should we add the whois package, and depend on that?
>> To me, the former seems more appropriate...
>
> If we can make a very simple host-mkpasswd package like we have the
> host-makedevs package (with the source code included in
> package/<dir>/), I think it would be good.
>

Since a host-mkpasswd package has been merged now, which should fix
problems on some Redhat and Slackware machines, and given the comments
given by Yann, do you agree to drop this patch?

Best regards,
Thomas
Wade Berrier - Sept. 8, 2013, 5:44 a.m.
Thomas De Schampheleire <patrickdepinguin+buildroot@gmail.com> wrote:
>Hi Wade,
>
>On Sun, Jul 28, 2013 at 3:06 PM, Thomas Petazzoni
><thomas.petazzoni@free-electrons.com> wrote:
>> Dear Thomas De Schampheleire,
>>
>> On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote:
>>
>>> Should we create a separate host-mkpasswd package based on the whois
>>> sources? (https://github.com/rfc1036/whois)
>>> Or should we add the whois package, and depend on that?
>>> To me, the former seems more appropriate...
>>
>> If we can make a very simple host-mkpasswd package like we have the
>> host-makedevs package (with the source code included in
>> package/<dir>/), I think it would be good.
>>
>
>Since a host-mkpasswd package has been merged now, which should fix
>problems on some Redhat and Slackware machines, and given the comments
>given by Yann, do you agree to drop this patch?
>
>Best regards,
>Thomas

Yes, looking forward to trying the host package out.  Thanks!

Patch

diff --git a/system/system.mk b/system/system.mk
index 50c86ad..fa98532 100644
--- a/system/system.mk
+++ b/system/system.mk
@@ -57,7 +57,9 @@  TARGETS += target-generic-issue
 endif
 
 ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)
+ifneq ($(TARGET_GENERIC_ROOT_PASSWD),)
 TARGETS += target-root-passwd
+endif
 
 ifneq ($(TARGET_GENERIC_GETTY),)
 TARGETS += target-generic-getty-$(if $(BR2_PACKAGE_SYSVINIT),sysvinit,busybox)