From patchwork Tue Mar 24 18:54:16 2015
X-Patchwork-Submitter: "Yann E. MORIN"
X-Patchwork-Id: 453985
From: "Yann E. MORIN"
To: buildroot@buildroot.org
Cc: Lorenzo Catucci, "Yann E. MORIN"
Date: Tue, 24 Mar 2015 19:54:16 +0100
Subject: [Buildroot] [PATCH 2/2 v4] system: allow/disallow root login, accept encoded passwords
List-Id: Discussion and development of buildroot

From: Lorenzo Catucci

Currently, there are only three possibilities regarding the root account:
  - it is enabled with no password (the default)
  - it is enabled, using a clear-text, user-provided password
  - it is disabled if the user sets the clear-text password to '*'

This is deemed insufficient in many cases, especially when the .config
file has to be published (e.g. for GPL compliance, or any other
reason).

Fix that in two ways:

  - add a boolean option that allows/disallows root login altogether,
    which defaults to 'y' to keep backward compatibility;

  - accept already-encoded passwords, which we recognise as starting
    with either of $1$, $5$ or $6$ (resp. for md5, sha256 or sha512).

For backward-compatibility, we still accept '*' to disable the account.

Signed-off-by: Lorenzo M. Catucci
[yann.morin.1998@free.fr:
  - don't add a choice to select between clear-text/encoded password,
    use a single prompt;
  - differentiate in the password hook itself;
  - rewrite parts of the help entry;
  - rewrite and expand the commit log
]
Signed-off-by: Yann E. MORIN

---
Note: this can only go in if DES encoded is ditched, because its
character-space is the same as for clear-text passwords.
---
 system/Config.in | 28 +++++++++++++++++++---------
 system/system.mk | 24 ++++++++++++++++++++----
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/system/Config.in b/system/Config.in index 8621def..17a626b 100644 --- a/system/Config.in +++ b/system/Config.in
@@ -179,26 +179,36 @@ endif if BR2_ROOTFS_SKELETON_DEFAULT +config BR2_TARGET_ENABLE_ROOT_LOGIN + bool "Enable root login" + default "y" + help + Enable root login password + config BR2_TARGET_GENERIC_ROOT_PASSWD string "Root password" default "" + depends on BR2_TARGET_ENABLE_ROOT_LOGIN help - Set the initial root password (in clear). It will be md5-encrypted. + Set the initial root password. If set to empty (the default), then no root password will be set, and root will need no password to log in. - WARNING! WARNING! - Although pretty strong, MD5 is now an old hash function, and - suffers from some weaknesses, which makes it susceptible to attacks. - It is showing its age, so this root password should not be trusted - to properly secure any product that can be shipped to the wide, - hostile world. + If the password starts with any of $1$, $5$ or $6$, it is considered + to be already crypt-encoded with respectively md5, sha256 or sha512. + Any other value is taken to be a clear-text value, and is crypt-encoded + as per the "Passwords encoding" scheme, above. + + Note: "$" signs in the hashed password must be doubled. For example, + if the hashed password is "$1$longsalt$v35DIIeMo4yUfI23yditq0", then + you must enter it as "$$1$$longsalt$$v35DIIeMo4yUfI23yditq0". WARNING! WARNING! - The password appears in clear in the .config file, and may appear + The password appears as-is in the .config file, and may appear in the build log! Avoid using a valuable password if either the - .config file or the build log may be distributed! + .config file or the build log may be distributed, or at the + very least use a strong cryptographic hash for your password! choice bool "/bin/sh" diff --git a/system/system.mk b/system/system.mk index 4a1eb4a..2ac5d08 100644 --- a/system/system.mk +++ b/system/system.mk 
@@ -34,7 +34,7 @@ endef TARGET_FINALIZE_HOOKS += SYSTEM_ISSUE endif -ifneq ($(TARGET_GENERIC_ROOT_PASSWD),) +ifneq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),) TARGETS += host-mkpasswd endif @@ -70,9 +70,25 @@ TARGET_FINALIZE_HOOKS += SET_NETWORK ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y) define SYSTEM_ROOT_PASSWD - [ -n "$(TARGET_GENERIC_ROOT_PASSWD)" ] && \ - TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ - $(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow + if [ "$(BR2_TARGET_ENABLE_ROOT_LOGIN)" = "y" ]; then \ + case '$(TARGET_GENERIC_ROOT_PASSWD)' in \ + ("") \ + ROOT_PASSWD=""; \ + ;; \ + ("$$1$$"*|"$$5$$"*|"$$6$$"*) \ + ROOT_PASSWD='$(TARGET_GENERIC_ROOT_PASSWD)'; \ + ;; \ + ('*') \ + ROOT_PASSWD='*'; \ + ;; \ + (*) \ + ROOT_PASSWD=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ + ;; \ + esac; \ + else \ + ROOT_PASSWD='*'; \ + fi; \ + $(SED) "s,^root:[^:]*:,root:$${ROOT_PASSWD}:," $(TARGET_DIR)/etc/shadow endef TARGET_FINALIZE_HOOKS += SYSTEM_ROOT_PASSWD
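
Review bot: in system/Config.in, the help for the new BR2_TARGET_ENABLE_ROOT_LOGIN reads only "Enable root login password", which does not tell the user what answering 'n' does. The hook in system.mk writes '*' into root's /etc/shadow entry in that case, so the help should say that disabling the option locks the root account's password and hides BR2_TARGET_GENERIC_ROOT_PASSWD. The same hunk removes the MD5 warning although a $1$ value is still accepted as already-encoded and, per the remaining warning, appears as-is in .config; one sentence recommending $5$ or $6$ over $1$ would keep that guidance. Style: a bool entry takes default y, not default "y".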
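
Review bot: in system/system.mk, the hunk at -34,7 changes the guard to ifneq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),), so host-mkpasswd is added to TARGETS whenever root login is enabled (the default), including when the password is empty, '*' or already encoded. The hook only runs $(MKPASSWD) in its (*) branch, i.e. for a non-empty clear-text password, so the old test on $(TARGET_GENERIC_ROOT_PASSWD) should be kept alongside the new one. The guard also tests for non-empty while the hook compares against "y"; using ifeq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),y) here would keep the two consistent.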
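
Review bot: in the SYSTEM_ROOT_PASSWD hook (hunk at -70,9), the (*) branch assigns ROOT_PASSWD from $(MKPASSWD) and carries on with ';', so a failing mkpasswd leaves ROOT_PASSWD empty and the final $(SED) line writes an empty password field. According to the Config.in help, an empty password means root needs no password to log in, so the build should stop instead, for example by appending || exit 1 to that assignment. Two smaller points on the same hunk: the value is expanded inside single quotes in the case line and inside double quotes in the mkpasswd call, so a clear-text password containing a quote character or '$' will not reach mkpasswd unchanged; and the already-encoded branch checks only the $1$/$5$/$6$ prefix before the value is spliced into the comma-delimited sed expression, so a sanity check on the rest of the string would catch a mistyped hash before it lands in /etc/shadow.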