[OpenWrt-Devel] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Message ID 1450277955-123805-1-git-send-email-openwrt@daniel.thecshore.com
State Superseded
Commit Message

Daniel Dickinson Dec. 16, 2015, 2:59 p.m. UTC
From: Daniel Dickinson <openwrt@daniel.thecshore.com>

Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to
get hardware console access than a typical router scenario and therefore really
ought to require login even on hardware console rather than a hardware console
granting passwordless root access.

Since we're at it, we also make requiring login on hardware console an
easily configured build-time option.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
---
 config/Config-build.in                             | 17 ++++++++++++++++
 package/base-files/Makefile                        | 23 +++++++++++++++++++++-
 package/utils/busybox/Config-defaults.in           |  3 +++
 .../linux/adm5120/base-files-console/etc/inittab   |  5 +++++
 .../base-files-console/etc/uci-defaults/inittab    |  6 ++++++
 .../linux/brcm2708/base-files-console/etc/inittab  |  4 ++++
 .../linux/ipq806x/base-files-console/etc/inittab   |  4 ++++
 target/linux/lantiq/base-files-console/etc/inittab |  3 +++
 target/linux/malta/base-files-console/etc/inittab  |  7 +++++++
 .../linux/mediatek/base-files-console/etc/inittab  |  3 +++
 target/linux/mxs/base-files-console/etc/inittab    |  3 +++
 target/linux/omap/base-files-console/etc/inittab   |  5 +++++
 .../linux/omap24xx/base-files-console/etc/inittab  |  5 +++++
 target/linux/ppc44x/base-files-console/etc/inittab |  4 ++++
 .../linux/realview/base-files-console/etc/inittab  |  5 +++++
 target/linux/sunxi/base-files-console/etc/inittab  |  5 +++++
 target/linux/x86/base-files-console/etc/inittab    |  4 ++++
 17 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 target/linux/adm5120/base-files-console/etc/inittab
 create mode 100644 target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
 create mode 100644 target/linux/brcm2708/base-files-console/etc/inittab
 create mode 100644 target/linux/ipq806x/base-files-console/etc/inittab
 create mode 100644 target/linux/lantiq/base-files-console/etc/inittab
 create mode 100644 target/linux/malta/base-files-console/etc/inittab
 create mode 100644 target/linux/mediatek/base-files-console/etc/inittab
 create mode 100644 target/linux/mxs/base-files-console/etc/inittab
 create mode 100644 target/linux/omap/base-files-console/etc/inittab
 create mode 100644 target/linux/omap24xx/base-files-console/etc/inittab
 create mode 100644 target/linux/ppc44x/base-files-console/etc/inittab
 create mode 100644 target/linux/realview/base-files-console/etc/inittab
 create mode 100644 target/linux/sunxi/base-files-console/etc/inittab
 create mode 100644 target/linux/x86/base-files-console/etc/inittab

Comments

Daniel Dickinson Dec. 23, 2015, 6:58 a.m. UTC | #1
I am reworking this (requiring console login) as a couple of packages for
the packages feed, although it may require an image.mk or packages
Makefile hook in order to embed an appropriate inittab into the image
(since the inittab will need to be modified and we need to guarantee the
correct order of actions; and inittab comes from base-files which is
the last thing done in the packages Makefile).

Regards,

Daniel

On 16/12/15 09:59 AM, openwrt@daniel.thecshore.com wrote:
> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
>
> Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to
> get hardware console access than a typical router scenario and therefore really
> ought to require login even on hardware console rather than a hardware console
> granting passwordless root access.
>
> Since we're at it, we also make requiring login on hardware console an
> easily configured build-time option.
>
> Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
> ---
>   config/Config-build.in                             | 17 ++++++++++++++++
>   package/base-files/Makefile                        | 23 +++++++++++++++++++++-
>   package/utils/busybox/Config-defaults.in           |  3 +++
>   .../linux/adm5120/base-files-console/etc/inittab   |  5 +++++
>   .../base-files-console/etc/uci-defaults/inittab    |  6 ++++++
>   .../linux/brcm2708/base-files-console/etc/inittab  |  4 ++++
>   .../linux/ipq806x/base-files-console/etc/inittab   |  4 ++++
>   target/linux/lantiq/base-files-console/etc/inittab |  3 +++
>   target/linux/malta/base-files-console/etc/inittab  |  7 +++++++
>   .../linux/mediatek/base-files-console/etc/inittab  |  3 +++
>   target/linux/mxs/base-files-console/etc/inittab    |  3 +++
>   target/linux/omap/base-files-console/etc/inittab   |  5 +++++
>   .../linux/omap24xx/base-files-console/etc/inittab  |  5 +++++
>   target/linux/ppc44x/base-files-console/etc/inittab |  4 ++++
>   .../linux/realview/base-files-console/etc/inittab  |  5 +++++
>   target/linux/sunxi/base-files-console/etc/inittab  |  5 +++++
>   target/linux/x86/base-files-console/etc/inittab    |  4 ++++
>   17 files changed, 105 insertions(+), 1 deletion(-)
>   create mode 100644 target/linux/adm5120/base-files-console/etc/inittab
>   create mode 100644 target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
>   create mode 100644 target/linux/brcm2708/base-files-console/etc/inittab
>   create mode 100644 target/linux/ipq806x/base-files-console/etc/inittab
>   create mode 100644 target/linux/lantiq/base-files-console/etc/inittab
>   create mode 100644 target/linux/malta/base-files-console/etc/inittab
>   create mode 100644 target/linux/mediatek/base-files-console/etc/inittab
>   create mode 100644 target/linux/mxs/base-files-console/etc/inittab
>   create mode 100644 target/linux/omap/base-files-console/etc/inittab
>   create mode 100644 target/linux/omap24xx/base-files-console/etc/inittab
>   create mode 100644 target/linux/ppc44x/base-files-console/etc/inittab
>   create mode 100644 target/linux/realview/base-files-console/etc/inittab
>   create mode 100644 target/linux/sunxi/base-files-console/etc/inittab
>   create mode 100644 target/linux/x86/base-files-console/etc/inittab
>
> diff --git a/config/Config-build.in b/config/Config-build.in
> index 1a35c5d..f975d45 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -75,6 +75,23 @@ menu "Global build settings"
>                     encrypted and unencrypted flavours, even when the encryption library
>                     is a 'heavier' one such as OpenSSL.
>
> +	config CONSOLE_LOGIN
> +		bool
> +		prompt "Require login even on hardware/serial console"
> +		default y if (TARGET_x86_generic || TARGET_x86_64 || TARGET_brcm2708)
> +		default n
> +		help
> +		  Enables Busybox applets getty and login and uses them instead of default
> +		  respawn of ash on hardware/serial consoles.  This is made the default for
> +		  targets which are fairly easy to gain hardware console access compared to
> +		  a typical router (which generally require more electronics skill or at least
> +                  equipment that than is common except with electronics enthusiasts and
> +                  professionals).  This includes the Raspberry Pi/Pi2 (built in HDMI and USB
> +		  support making adding a console trivial), and *generic* x86 32-bit and
> +		  64-bit systems (typically physical PCs for which it is also usually trivial
> +                  to add a keyboard and monitor without even rebooting).
> +
> +
>   	comment "Kernel build options"
>
>   	source "config/Config-kernel.in"
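
Review bot: The help text for CONSOLE_LOGIN contains a wording slip ("equipment that than is common"), and three of its lines (the ones starting "equipment", "professionals)" and "to add a keyboard") are indented with spaces where the rest of the entry uses tabs. Please fix both and drop the second blank line added before the "Kernel build options" comment. Since `default n` leaves every other target with a passwordless root console, the help text should also say that this is intentional for those targets.
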
> diff --git a/package/base-files/Makefile b/package/base-files/Makefile
> index 1367fa9..b4fe806 100644
> --- a/package/base-files/Makefile
> +++ b/package/base-files/Makefile
> @@ -112,25 +112,46 @@ define Package/base-files/install
>   	if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
>   		$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
>   	fi
> +	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(GENERIC_PLATFORM_DIR)/base-files-console/. ]; then \
> +		$(CP) $(GENERIC_PLATFORM_DIR)/base-files-console/* $(1)/; \
> +	fi)
>   	if [ -d $(PLATFORM_DIR)/base-files/. ]; then \
>   		$(CP) $(PLATFORM_DIR)/base-files/* $(1)/; \
>   	fi
> +	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_DIR)/base-files-console/. ]; then \
> +		$(CP) $(PLATFORM_DIR)/base-files-console/* $(1)/; \
> +	fi)
>   	if [ -d $(PLATFORM_DIR)/base-files-$(PROFILE)/. ]; then \
>   		$(CP) $(PLATFORM_DIR)/base-files-$(PROFILE)/* $(1)/; \
>   	fi
> +	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_DIR)/base-files-console-$(PROFILE)/. ]; then \
> +		$(CP) $(PLATFORM_DIR)/base-files-console-$(PROFILE)/* $(1)/; \
> +	fi)
>   	if [ -d $(PLATFORM_DIR)/$(PROFILE)/base-files/. ]; then \
>   		$(CP) $(PLATFORM_DIR)/$(PROFILE)/base-files/* $(1)/; \
>   	fi
> +	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_DIR)/$(PROFILE)/base-files-console/. ]; then \
> +		$(CP) $(PLATFORM_DIR)/$(PROFILE)/base-files-console/* $(1)/; \
> +	fi)
>   	$(if $(filter-out $(PLATFORM_DIR),$(PLATFORM_SUBDIR)), \
>   		if [ -d $(PLATFORM_SUBDIR)/base-files/. ]; then \
>   			$(CP) $(PLATFORM_SUBDIR)/base-files/* $(1)/; \
>   		fi; \
> +		$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_SUBDIR)/base-files-console/. ]; then \
> +			$(CP) $(PLATFORM_SUBDIR)/base-files-console/* $(1)/; \
> +		fi;) \
>   		if [ -d $(PLATFORM_SUBDIR)/base-files-$(PROFILE)/. ]; then \
>   			$(CP) $(PLATFORM_SUBDIR)/base-files-$(PROFILE)/* $(1)/; \
>   		fi; \
> +		$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_SUBDIR)/base-files-$(PROFILE)-console/. ]; then \
> +			$(CP) $(PLATFORM_SUBDIR)/base-files-console-$(PROFILE)/* $(1)/; \
> +		fi;) \
>   		if [ -d $(PLATFORM_SUBDIR)/$(PROFILE)/base-files/. ]; then \
>   			$(CP) $(PLATFORM_SUBDIR)/$(PROFILE)/base-files/* $(1)/; \
> -		fi \
> +		fi; \
> +		$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_SUBDIR)/$(PROFILE)/base-files-console/. ]; then \
> +			$(CP) $(PLATFORM_SUBDIR)/$(PROFILE)/base-files-console/* $(1)/; \
> +		fi) \
>   	)
>
>   	$(VERSION_SED) \
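
Review bot: In the PLATFORM_SUBDIR branch the added test checks `$(PLATFORM_SUBDIR)/base-files-$(PROFILE)-console/.` but the copy on the next line reads from `$(PLATFORM_SUBDIR)/base-files-console-$(PROFILE)/*`, so the test and the copy name different directories. The PLATFORM_DIR block above uses `base-files-console-$(PROFILE)` for both, so the test should use that name too. The repeated `$(if $(CONFIG_CONSOLE_LOGIN),if [ -d ... ]; then ... fi)` blocks differ only in the directory and would be easier to keep consistent as one helper called with the path.
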
> diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
> index 7a7b4a6..0986302 100644
> --- a/package/utils/busybox/Config-defaults.in
> +++ b/package/utils/busybox/Config-defaults.in
> @@ -1210,12 +1210,15 @@ config BUSYBOX_DEFAULT_FEATURE_DEL_USER_FROM_GROUP
>   	default n
>   config BUSYBOX_DEFAULT_GETTY
>   	bool
> +	default y if CONSOLE_LOGIN
>   	default n
>   config BUSYBOX_DEFAULT_LOGIN
>   	bool
> +	default y if CONSOLE_LOGIN
>   	default n
>   config BUSYBOX_DEFAULT_LOGIN_SESSION_AS_CHILD
>   	bool
> +	default y if CONSOLE_LOGIN
>   	default n
>   config BUSYBOX_DEFAULT_LOGIN_SCRIPTS
>   	bool
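
Review bot: The three added `default y if CONSOLE_LOGIN` lines only change defaults; nothing in this patch ties the installed inittab files, whose console entries all respawn /sbin/getty, to getty and login actually being built into Busybox. If CONSOLE_LOGIN is y and the applets end up disabled, the image has no working console entry at all. Consider making the dependency explicit, or guarding the base-files-console copy on the applets being enabled.
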
> diff --git a/target/linux/adm5120/base-files-console/etc/inittab b/target/linux/adm5120/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..fb677d6
> --- /dev/null
> +++ b/target/linux/adm5120/base-files-console/etc/inittab
> @@ -0,0 +1,5 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +tts/0::respawn:/sbin/getty -L 115200 tts/0
> +ttyAM0::respawn:/sbin/getty -L 115200 ttyAM0
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab b/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
> new file mode 100644
> index 0000000..97a31b1
> --- /dev/null
> +++ b/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
> @@ -0,0 +1,6 @@
> +#!/bin/sh
> +
> +CONSOLE="$(sed -e 's/^.*console=\(.*\),[0-9][0-9]*.*$/\1/' /proc/cmdline)"
> +SPEED="$(sed -e 's/^.*console=.*,\([0-9][0-9]*\).*$/\2/' /proc/cmdline)"
> +sed -i -e "s/::askconsole:\/bin\/ash --login/${CONSOLE:-ttyS0}::respawn:\/sbin\/getty -L ${SPEED:-115200} ${CONSOLE:-ttyS0}/" /etc/inittab
> +
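
Review bot: The SPEED expression uses `\2` in the replacement but its pattern has only one `\(...\)` group, so sed rejects the command, SPEED is empty, and the 115200 fallback is always used; it should be `\1`. In the CONSOLE line, a command line with no `console=...,<digits>` makes the substitution a no-op and sed prints the whole line, so CONSOLE is never empty, `${CONSOLE:-ttyS0}` never applies, and the raw text is spliced into the final `sed -i` expression. Use `sed -n` with the `p` flag so a non-match yields an empty string, and match the device with something like `[^, ]*` rather than the greedy `.*`.
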
> diff --git a/target/linux/brcm2708/base-files-console/etc/inittab b/target/linux/brcm2708/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..4e62ec9
> --- /dev/null
> +++ b/target/linux/brcm2708/base-files-console/etc/inittab
> @@ -0,0 +1,4 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/ipq806x/base-files-console/etc/inittab b/target/linux/ipq806x/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..3886602
> --- /dev/null
> +++ b/target/linux/ipq806x/base-files-console/etc/inittab
> @@ -0,0 +1,4 @@
> +# Copyright (c) 2013 The Linux Foundation. All rights reserved.
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyMSM0::respawn:/sbin/getty -L 115200 ttyMSM0
> diff --git a/target/linux/lantiq/base-files-console/etc/inittab b/target/linux/lantiq/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..5e9d0ca
> --- /dev/null
> +++ b/target/linux/lantiq/base-files-console/etc/inittab
> @@ -0,0 +1,3 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K stop
> +ttyLTQ0::respawn:/sbin/getty -L 11520 ttyLTQ0
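
Review bot: The getty line passes `11520` as the speed, while every other inittab in this patch uses `115200`; this looks like a dropped digit and would leave the lantiq console at the wrong speed. The shutdown entry also runs `rcS K stop` where the other added files use `rcS K shutdown`; please confirm which one is intended for this target and make it match.
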
> diff --git a/target/linux/malta/base-files-console/etc/inittab b/target/linux/malta/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..5fb3c2f
> --- /dev/null
> +++ b/target/linux/malta/base-files-console/etc/inittab
> @@ -0,0 +1,7 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +tts/0::respawn:/sbin/getty -L 115200 tts/0
> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
> +ttyS1::respawn:/sbin/getty -L 115200 ttyS1
> +ttyS2::respawn:/sbin/getty -L 115200 ttyS2
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/mediatek/base-files-console/etc/inittab b/target/linux/mediatek/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..2f00c85
> --- /dev/null
> +++ b/target/linux/mediatek/base-files-console/etc/inittab
> @@ -0,0 +1,3 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
> diff --git a/target/linux/mxs/base-files-console/etc/inittab b/target/linux/mxs/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..f66e29c
> --- /dev/null
> +++ b/target/linux/mxs/base-files-console/etc/inittab
> @@ -0,0 +1,3 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
> diff --git a/target/linux/omap/base-files-console/etc/inittab b/target/linux/omap/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..69a7f69
> --- /dev/null
> +++ b/target/linux/omap/base-files-console/etc/inittab
> @@ -0,0 +1,5 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyO0::respawn:/sbin/getty -L 115200 ttyO0
> +ttyO2::respawn:/sbin/getty -L 115200 ttyO2
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/omap24xx/base-files-console/etc/inittab b/target/linux/omap24xx/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..bf19849
> --- /dev/null
> +++ b/target/linux/omap24xx/base-files-console/etc/inittab
> @@ -0,0 +1,5 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +tts/0::respawn:/sbin/getty -L 115200 tts/0
> +ttyO2::respawn:/sbin/getty -L 115200 ttyO2
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/ppc44x/base-files-console/etc/inittab b/target/linux/ppc44x/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..23206fa
> --- /dev/null
> +++ b/target/linux/ppc44x/base-files-console/etc/inittab
> @@ -0,0 +1,4 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
> +ttyS1::respawn:/sbin/getty -L 115200 ttyS1
> diff --git a/target/linux/realview/base-files-console/etc/inittab b/target/linux/realview/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..a14f90f
> --- /dev/null
> +++ b/target/linux/realview/base-files-console/etc/inittab
> @@ -0,0 +1,5 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +tts/0::respawn:/sbin/getty -L 115200 tts/0
> +ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/sunxi/base-files-console/etc/inittab b/target/linux/sunxi/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..b4c80de
> --- /dev/null
> +++ b/target/linux/sunxi/base-files-console/etc/inittab
> @@ -0,0 +1,5 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +tts/0::respawn:/sbin/getty -L 115200 tts/0
> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
> +tty1::respawn:/sbin/getty -L 115200 tty1
> diff --git a/target/linux/x86/base-files-console/etc/inittab b/target/linux/x86/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..060cd53
> --- /dev/null
> +++ b/target/linux/x86/base-files-console/etc/inittab
> @@ -0,0 +1,4 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
> +tty1::respawn:/sbin/getty -L 115200 tty1
>
Heinrich Schuchardt Dec. 23, 2015, 7:44 a.m. UTC | #2
Hello Daniel,

my TP-LINK MR3020 (AR71XX, OpenWrt 15.05) uses /dev/ttyATH0 as serial
console.

I could not find this device in the getty commands of the inittab that
you create in the patch below.

I would feel more comfortable having a password verification on my
router. Shouldn't this be default on all targets?

Best regards

Heinrich Schuchardt


On 23.12.2015 07:58, Daniel Dickinson wrote:
> I am reworking this (requiring console login) as a couple of packages for
> the packages feed, although it may require an image.mk or packages
> Makefile hook in order to embed an appropriate inittab into the image
> (since the inittab will need to be modified and we need to guarantee the
> correct order of actions; and inittab comes from base-files which is
> the last thing done in the packages Makefile).
> 
> Regards,
> 
> Daniel
> 
> On 16/12/15 09:59 AM, openwrt@daniel.thecshore.com wrote:
>> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
>>
>> Some devices like generic PC's and Raspberry Pi/Pi2 are much more
>> trivial to
>> get hardware console access than a typical router scenario and
>> therefore really
>> ought to require login even on hardware console rather than a hardware
>> console
>> granting passwordless root access.
>>
>> Since we're at it, we also make requiring login on hardware console an
>> easily configured build-time option.
>>
>> Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
>> ---
>>   config/Config-build.in                             | 17
>> ++++++++++++++++
>>   package/base-files/Makefile                        | 23
>> +++++++++++++++++++++-
>>   package/utils/busybox/Config-defaults.in           |  3 +++
>>   .../linux/adm5120/base-files-console/etc/inittab   |  5 +++++
>>   .../base-files-console/etc/uci-defaults/inittab    |  6 ++++++
>>   .../linux/brcm2708/base-files-console/etc/inittab  |  4 ++++
>>   .../linux/ipq806x/base-files-console/etc/inittab   |  4 ++++
>>   target/linux/lantiq/base-files-console/etc/inittab |  3 +++
>>   target/linux/malta/base-files-console/etc/inittab  |  7 +++++++
>>   .../linux/mediatek/base-files-console/etc/inittab  |  3 +++
>>   target/linux/mxs/base-files-console/etc/inittab    |  3 +++
>>   target/linux/omap/base-files-console/etc/inittab   |  5 +++++
>>   .../linux/omap24xx/base-files-console/etc/inittab  |  5 +++++
>>   target/linux/ppc44x/base-files-console/etc/inittab |  4 ++++
>>   .../linux/realview/base-files-console/etc/inittab  |  5 +++++
>>   target/linux/sunxi/base-files-console/etc/inittab  |  5 +++++
>>   target/linux/x86/base-files-console/etc/inittab    |  4 ++++
>>   17 files changed, 105 insertions(+), 1 deletion(-)
>>   create mode 100644 target/linux/adm5120/base-files-console/etc/inittab
>>   create mode 100644
>> target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
>>   create mode 100644 target/linux/brcm2708/base-files-console/etc/inittab
>>   create mode 100644 target/linux/ipq806x/base-files-console/etc/inittab
>>   create mode 100644 target/linux/lantiq/base-files-console/etc/inittab
>>   create mode 100644 target/linux/malta/base-files-console/etc/inittab
>>   create mode 100644 target/linux/mediatek/base-files-console/etc/inittab
>>   create mode 100644 target/linux/mxs/base-files-console/etc/inittab
>>   create mode 100644 target/linux/omap/base-files-console/etc/inittab
>>   create mode 100644 target/linux/omap24xx/base-files-console/etc/inittab
>>   create mode 100644 target/linux/ppc44x/base-files-console/etc/inittab
>>   create mode 100644 target/linux/realview/base-files-console/etc/inittab
>>   create mode 100644 target/linux/sunxi/base-files-console/etc/inittab
>>   create mode 100644 target/linux/x86/base-files-console/etc/inittab
>>
>> diff --git a/config/Config-build.in b/config/Config-build.in
>> index 1a35c5d..f975d45 100644
>> --- a/config/Config-build.in
>> +++ b/config/Config-build.in
>> @@ -75,6 +75,23 @@ menu "Global build settings"
>>                     encrypted and unencrypted flavours, even when the
>> encryption library
>>                     is a 'heavier' one such as OpenSSL.
>>
>> +    config CONSOLE_LOGIN
>> +        bool
>> +        prompt "Require login even on hardware/serial console"
>> +        default y if (TARGET_x86_generic || TARGET_x86_64 ||
>> TARGET_brcm2708)
>> +        default n
>> +        help
>> +          Enables Busybox applets getty and login and uses them
>> instead of default
>> +          respawn of ash on hardware/serial consoles.  This is made
>> the default for
>> +          targets which are fairly easy to gain hardware console
>> access compared to
>> +          a typical router (which generally require more electronics
>> skill or at least
>> +                  equipment that than is common except with
>> electronics enthusiasts and
>> +                  professionals).  This includes the Raspberry Pi/Pi2
>> (built in HDMI and USB
>> +          support making adding a console trivial), and *generic* x86
>> 32-bit and
>> +          64-bit systems (typically physical PCs for which it is also
>> usually trivial
>> +                  to add a keyboard and monitor without even rebooting).
>> +
>> +
>>       comment "Kernel build options"
>>
>>       source "config/Config-kernel.in"
>> diff --git a/package/base-files/Makefile b/package/base-files/Makefile
>> index 1367fa9..b4fe806 100644
>> --- a/package/base-files/Makefile
>> +++ b/package/base-files/Makefile
>> @@ -112,25 +112,46 @@ define Package/base-files/install
>>       if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
>>           $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
>>       fi
>> +    $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(GENERIC_PLATFORM_DIR)/base-files-console/. ]; then \
>> +        $(CP) $(GENERIC_PLATFORM_DIR)/base-files-console/* $(1)/; \
>> +    fi)
>>       if [ -d $(PLATFORM_DIR)/base-files/. ]; then \
>>           $(CP) $(PLATFORM_DIR)/base-files/* $(1)/; \
>>       fi
>> +    $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(PLATFORM_DIR)/base-files-console/. ]; then \
>> +        $(CP) $(PLATFORM_DIR)/base-files-console/* $(1)/; \
>> +    fi)
>>       if [ -d $(PLATFORM_DIR)/base-files-$(PROFILE)/. ]; then \
>>           $(CP) $(PLATFORM_DIR)/base-files-$(PROFILE)/* $(1)/; \
>>       fi
>> +    $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(PLATFORM_DIR)/base-files-console-$(PROFILE)/. ]; then \
>> +        $(CP) $(PLATFORM_DIR)/base-files-console-$(PROFILE)/* $(1)/; \
>> +    fi)
>>       if [ -d $(PLATFORM_DIR)/$(PROFILE)/base-files/. ]; then \
>>           $(CP) $(PLATFORM_DIR)/$(PROFILE)/base-files/* $(1)/; \
>>       fi
>> +    $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(PLATFORM_DIR)/$(PROFILE)/base-files-console/. ]; then \
>> +        $(CP) $(PLATFORM_DIR)/$(PROFILE)/base-files-console/* $(1)/; \
>> +    fi)
>>       $(if $(filter-out $(PLATFORM_DIR),$(PLATFORM_SUBDIR)), \
>>           if [ -d $(PLATFORM_SUBDIR)/base-files/. ]; then \
>>               $(CP) $(PLATFORM_SUBDIR)/base-files/* $(1)/; \
>>           fi; \
>> +        $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(PLATFORM_SUBDIR)/base-files-console/. ]; then \
>> +            $(CP) $(PLATFORM_SUBDIR)/base-files-console/* $(1)/; \
>> +        fi;) \
>>           if [ -d $(PLATFORM_SUBDIR)/base-files-$(PROFILE)/. ]; then \
>>               $(CP) $(PLATFORM_SUBDIR)/base-files-$(PROFILE)/* $(1)/; \
>>           fi; \
>> +        $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(PLATFORM_SUBDIR)/base-files-$(PROFILE)-console/. ]; then \
>> +            $(CP) $(PLATFORM_SUBDIR)/base-files-console-$(PROFILE)/*
>> $(1)/; \
>> +        fi;) \
>>           if [ -d $(PLATFORM_SUBDIR)/$(PROFILE)/base-files/. ]; then \
>>               $(CP) $(PLATFORM_SUBDIR)/$(PROFILE)/base-files/* $(1)/; \
>> -        fi \
>> +        fi; \
>> +        $(if $(CONFIG_CONSOLE_LOGIN),if [ -d
>> $(PLATFORM_SUBDIR)/$(PROFILE)/base-files-console/. ]; then \
>> +            $(CP) $(PLATFORM_SUBDIR)/$(PROFILE)/base-files-console/*
>> $(1)/; \
>> +        fi) \
>>       )
>>
>>       $(VERSION_SED) \
>> diff --git a/package/utils/busybox/Config-defaults.in
>> b/package/utils/busybox/Config-defaults.in
>> index 7a7b4a6..0986302 100644
>> --- a/package/utils/busybox/Config-defaults.in
>> +++ b/package/utils/busybox/Config-defaults.in
>> @@ -1210,12 +1210,15 @@ config
>> BUSYBOX_DEFAULT_FEATURE_DEL_USER_FROM_GROUP
>>       default n
>>   config BUSYBOX_DEFAULT_GETTY
>>       bool
>> +    default y if CONSOLE_LOGIN
>>       default n
>>   config BUSYBOX_DEFAULT_LOGIN
>>       bool
>> +    default y if CONSOLE_LOGIN
>>       default n
>>   config BUSYBOX_DEFAULT_LOGIN_SESSION_AS_CHILD
>>       bool
>> +    default y if CONSOLE_LOGIN
>>       default n
>>   config BUSYBOX_DEFAULT_LOGIN_SCRIPTS
>>       bool
>> diff --git a/target/linux/adm5120/base-files-console/etc/inittab
>> b/target/linux/adm5120/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..fb677d6
>> --- /dev/null
>> +++ b/target/linux/adm5120/base-files-console/etc/inittab
>> @@ -0,0 +1,5 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +tts/0::respawn:/sbin/getty -L 115200 tts/0
>> +ttyAM0::respawn:/sbin/getty -L 115200 ttyAM0
>> +tty1::respawn:/sbin/getty -L 115200 tty1
>> diff --git
>> a/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
>> b/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
>> new file mode 100644
>> index 0000000..97a31b1
>> --- /dev/null
>> +++ b/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
>> @@ -0,0 +1,6 @@
>> +#!/bin/sh
>> +
>> +CONSOLE="$(sed -e 's/^.*console=\(.*\),[0-9][0-9]*.*$/\1/'
>> /proc/cmdline)"
>> +SPEED="$(sed -e 's/^.*console=.*,\([0-9][0-9]*\).*$/\2/' /proc/cmdline)"
>> +sed -i -e "s/::askconsole:\/bin\/ash
>> --login/${CONSOLE:-ttyS0}::respawn:\/sbin\/getty -L ${SPEED:-115200}
>> ${CONSOLE:-ttyS0}/" /etc/inittab
>> +
>> diff --git a/target/linux/brcm2708/base-files-console/etc/inittab
>> b/target/linux/brcm2708/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..4e62ec9
>> --- /dev/null
>> +++ b/target/linux/brcm2708/base-files-console/etc/inittab
>> @@ -0,0 +1,4 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
>> +tty1::respawn:/sbin/getty -L 115200 tty1
>> diff --git a/target/linux/ipq806x/base-files-console/etc/inittab
>> b/target/linux/ipq806x/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..3886602
>> --- /dev/null
>> +++ b/target/linux/ipq806x/base-files-console/etc/inittab
>> @@ -0,0 +1,4 @@
>> +# Copyright (c) 2013 The Linux Foundation. All rights reserved.
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyMSM0::respawn:/sbin/getty -L 115200 ttyMSM0
>> diff --git a/target/linux/lantiq/base-files-console/etc/inittab
>> b/target/linux/lantiq/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..5e9d0ca
>> --- /dev/null
>> +++ b/target/linux/lantiq/base-files-console/etc/inittab
>> @@ -0,0 +1,3 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K stop
>> +ttyLTQ0::respawn:/sbin/getty -L 11520 ttyLTQ0
>> diff --git a/target/linux/malta/base-files-console/etc/inittab
>> b/target/linux/malta/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..5fb3c2f
>> --- /dev/null
>> +++ b/target/linux/malta/base-files-console/etc/inittab
>> @@ -0,0 +1,7 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +tts/0::respawn:/sbin/getty -L 115200 tts/0
>> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
>> +ttyS1::respawn:/sbin/getty -L 115200 ttyS1
>> +ttyS2::respawn:/sbin/getty -L 115200 ttyS2
>> +tty1::respawn:/sbin/getty -L 115200 tty1
>> diff --git a/target/linux/mediatek/base-files-console/etc/inittab
>> b/target/linux/mediatek/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..2f00c85
>> --- /dev/null
>> +++ b/target/linux/mediatek/base-files-console/etc/inittab
>> @@ -0,0 +1,3 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
>> diff --git a/target/linux/mxs/base-files-console/etc/inittab
>> b/target/linux/mxs/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..f66e29c
>> --- /dev/null
>> +++ b/target/linux/mxs/base-files-console/etc/inittab
>> @@ -0,0 +1,3 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
>> diff --git a/target/linux/omap/base-files-console/etc/inittab
>> b/target/linux/omap/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..69a7f69
>> --- /dev/null
>> +++ b/target/linux/omap/base-files-console/etc/inittab
>> @@ -0,0 +1,5 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyO0::respawn:/sbin/getty -L 115200 ttyO0
>> +ttyO2::respawn:/sbin/getty -L 115200 ttyO2
>> +tty1::respawn:/sbin/getty -L 115200 tty1
>> diff --git a/target/linux/omap24xx/base-files-console/etc/inittab
>> b/target/linux/omap24xx/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..bf19849
>> --- /dev/null
>> +++ b/target/linux/omap24xx/base-files-console/etc/inittab
>> @@ -0,0 +1,5 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +tts/0::respawn:/sbin/getty -L 115200 tts/0
>> +ttyO2::respawn:/sbin/getty -L 115200 ttyO2
>> +tty1::respawn:/sbin/getty -L 115200 tty1
>> diff --git a/target/linux/ppc44x/base-files-console/etc/inittab
>> b/target/linux/ppc44x/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..23206fa
>> --- /dev/null
>> +++ b/target/linux/ppc44x/base-files-console/etc/inittab
>> @@ -0,0 +1,4 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
>> +ttyS1::respawn:/sbin/getty -L 115200 ttyS1
>> diff --git a/target/linux/realview/base-files-console/etc/inittab
>> b/target/linux/realview/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..a14f90f
>> --- /dev/null
>> +++ b/target/linux/realview/base-files-console/etc/inittab
>> @@ -0,0 +1,5 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +tts/0::respawn:/sbin/getty -L 115200 tts/0
>> +ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
>> +tty1::respawn:/sbin/getty -L 115200 tty1
>> diff --git a/target/linux/sunxi/base-files-console/etc/inittab
>> b/target/linux/sunxi/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..b4c80de
>> --- /dev/null
>> +++ b/target/linux/sunxi/base-files-console/etc/inittab
>> @@ -0,0 +1,5 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +tts/0::respawn:/sbin/getty -L 115200 tts/0
>> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
>> +tty1::respawn:/sbin/getty -L 115200 tty1
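Review bot: `tts/0` and `ttyS0` are the devfs-style and the conventional name for the same first serial port. If both nodes exist on sunxi, two getty instances are respawned on one line and compete for input; if only one exists, the other entry is dead. Keep only the name the target really provides.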
>> diff --git a/target/linux/x86/base-files-console/etc/inittab
>> b/target/linux/x86/base-files-console/etc/inittab
>> new file mode 100644
>> index 0000000..060cd53
>> --- /dev/null
>> +++ b/target/linux/x86/base-files-console/etc/inittab
>> @@ -0,0 +1,4 @@
>> +::sysinit:/etc/init.d/rcS S boot
>> +::shutdown:/etc/init.d/rcS K shutdown
>> +ttyS0::respawn:/sbin/getty -L 115200 ttyS0
>> +tty1::respawn:/sbin/getty -L 115200 tty1
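Review bot: the `::sysinit:` and `::shutdown:` lines are repeated verbatim in every per-target inittab this patch adds, so a later change to either has to be made in each copy. Consider keeping those two lines in one shared file and having each target contribute only its getty entries.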
>>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
Heinrich Schuchardt Dec. 23, 2015, 11:42 a.m. UTC | #3
On 12/23/2015 08:54 AM, Daniel Dickinson wrote:
> On 23/12/15 02:44 AM, Heinrich Schuchardt wrote:
>> Hello Daniel,
>>
>> my TP-LINK MR3020 (AR71XX, OpenWrt 15.05) uses /dev/ttyATH0 as serial
>> console.
>>
>> I could not find this device in the getty commands of the inittab that
>> you create in the patch below.
> 
> For that patch for ar71xx it is somewhat tricky because different boards
> have different serial devices so it is necessary to use an uci-default
> scriptlet that modifies inittab based on the actual console device
> (which on ar71xx is on kernel commandline).
> 
> However, I don't particularly like that solution and am investigating
> alternative measures that allow to embed a working inittab in the
> squashfs (basically I'm hoping I'm reading agetty docs right and I can
> 'cheat' and sidestep the question of the name of the console device; but
> will test; fortunately I have ar71xx since that's the hardest one,
> although ramips I couldn't find what the serial console was either, so
> it may actually need this even more).
> 
>>
>> I would feel more comfortable having a password verification on my
>> router. Shouldn't this be default on all targets?
> 
> Not my call.  If the core devs want to do that once I get this resolved
> that is up to them.

Dear core devs,

A case that has to be opened does not provide any real security at all.
A password for console access is a necessity.
Every non-free router has a console password, why not OpenWrt?

> 
> Besides having passwordless serial console on a typical router is not a
> significant issue because you have to hack the hardware to get a serial
> attached (at least opening the case being required is the norm).  The
> reason I created this patch was more for situations like running OpenWrt
> on generic PC's or Raspberry Pi/Pi2 where it's trivial to get hardware
> console access (even for someone with basically no skills or specialized
> equipment).

A Raspberry typically is also in a case which has to be opened to get
access to the serial port:
https://www.raspberrypi.org/blog/raspberry-pi-official-case/

Regards

Heinrich Schuchardt
Imre Kaloz Dec. 23, 2015, 12:05 p.m. UTC | #4
Hi Daniel,

On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson  
<openwrt@daniel.thecshore.com> wrote:

> I am reworking this (requiring console login) as a couple of packages for
> the packages feed, although it may require an image.mk or packages  
> Makefile hook in order to embed an appropriate inittab into the image  
> (since the inittab will need to be modified and we need to guarantee the  
> correct order of actions; and inittab comes from base-files which is  
> last thing done in the packages Makefile).

I hope the other devs will chime in, but FWIW I would make this enabled  
unconditionally across all targets. As we already have a way to do a  
"factory reset" using the reset button, IMHO failsafe should also enforce  
login passwords everywhere, including the serial console.


Imre
John Crispin Dec. 23, 2015, 12:24 p.m. UTC | #5
On 23/12/2015 13:05, Imre Kaloz wrote:
> Hi Daniel,
> 
> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
> <openwrt@daniel.thecshore.com> wrote:
> 
>> I am reworking this (requiring console login) as a couple of packages
>> for the packages feed, although it may require an image.mk or packages
>> Makefile hook in order to embed an appropriate inittab into the image
>> (since the inittab will need to be modified and we need to guarantee
>> the correct order of actions; and inittab comes from base-files which
>> is last thing done in the packages Makefile).
> 
> I hope the other devs will chime in, but FWIW I would make this enabled
> unconditionally across all targets. As we already have a way to do a
> "factory reset" using the reset button, IMHO failsafe should also
> enforce login passwords everywhere, including the serial console.
> 

default on, once root passwd is set sounds good. an optional opt-out
feature would be nice to avoid people having to add dirty hacks to get
rid of the login prompt on tty shells. this could be hidden inside a
wrapper script called by inittab.
Daniel Dickinson Dec. 23, 2015, 12:27 p.m. UTC | #6
Hi Imre,

Thanks for this!  This indeed would be my preference, I just thought 
there wouldn't be any appetite for it on the grounds I mentioned. Before 
I work up a version of the patch that isn't as desirable from a security 
perspective, I have another concept that ought to solve the ar71xx 
problem of unknown serial console for purposes of inittab in squashfs 
(leaving ramips as the one platform that I don't know if the serial 
console is known but just wasn't considered required for inittab, or 
if the reason it's not in inittab is that you can't predict the serial device).

Regards,

Daniel

On 23/12/15 07:05 AM, Imre Kaloz wrote:
> Hi Daniel,
>
> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
> <openwrt@daniel.thecshore.com> wrote:
>
>> I am reworking this (requiring console login) as a couple of packages
>> for the packages feed, although it may require an image.mk or packages
>> Makefile hook in order to embed an appropriate inittab into the image
>> (since the inittab will need to be modified and we need to guarantee
>> the correct order of actions; and inittab comes from base-files which
>> is last thing done in the packages Makefile).
>
> I hope the other devs will chime in, but FWIW I would make this enabled
> unconditionally across all targets. As we already have a way to do a
> "factory reset" using the reset button, IMHO failsafe should also
> enforce login passwords everywhere, including the serial console.
>
>
> Imre
Daniel Dickinson Dec. 23, 2015, 12:27 p.m. UTC | #7
Actually once root password is set is unnecessary.  Busybox login with no 
password set allows passwordless login, so there is no issue.

Regards,

Daniel

On 23/12/15 07:24 AM, John Crispin wrote:
>
>
> On 23/12/2015 13:05, Imre Kaloz wrote:
>> Hi Daniel,
>>
>> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
>> <openwrt@daniel.thecshore.com> wrote:
>>
>>> I am reworking this (requiring console login) as a couple of packages
>>> for the packages feed, although it may require an image.mk or packages
>>> Makefile hook in order to embed an appropriate inittab into the image
>>> (since the inittab will need to be modified and we need to guarantee
>>> the correct order of actions; and inittab comes from base-files which
>>> is last thing done in the packages Makefile).
>>
>> I hope the other devs will chime in, but FWIW I would make this enabled
>> unconditionally across all targets. As we already have a way to do a
>> "factory reset" using the reset button, IMHO failsafe should also
>> enforce login passwords everywhere, including the serial console.
>>
>
> default on, once root passwd is set sounds good. an optional opt-out
> feature would be nice to avoid people having to add dirty hacks to get
> rid of the login prompt on tty shells. this could be hidden inside a
> wrapper script called by inittab.
Daniel Dickinson Dec. 23, 2015, 12:32 p.m. UTC | #8
I'm inclined to make the opt-out an image generation time decision 
rather than configurable on the overlayfs for what I think are obvious 
reasons.

Regards,

Daniel

On 23/12/15 07:24 AM, John Crispin wrote:
>
>
> On 23/12/2015 13:05, Imre Kaloz wrote:
>> Hi Daniel,
>>
>> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
>> <openwrt@daniel.thecshore.com> wrote:
>>
>>> I am reworking this (requiring console login) as a couple of packages
>>> for the packages feed, although it may require an image.mk or packages
>>> Makefile hook in order to embed an appropriate inittab into the image
>>> (since the inittab will need to be modified and we need to guarantee
>>> the correct order of actions; and inittab comes from base-files which
>>> is last thing done in the packages Makefile).
>>
>> I hope the other devs will chime in, but FWIW I would make this enabled
>> unconditionally across all targets. As we already have a way to do a
>> "factory reset" using the reset button, IMHO failsafe should also
>> enforce login passwords everywhere, including the serial console.
>>
>
> default on, once root passwd is set sounds good. an optional opt-out
> feature would be nice to avoid people having to add dirty hacks to get
> rid of the login prompt on tty shells. this could be hidden inside a
> wrapper script called by inittab.
John Crispin Dec. 23, 2015, 12:35 p.m. UTC | #9
On 23/12/2015 13:32, Daniel Dickinson wrote:
> I'm inclined to make the opt-out an image generation time decision
> rather than configurable on the overlayfs for what I think are obvious
> reasons.

yep, that would be the best choice.


> 
> Regards,
> 
> Daniel
> 
> On 23/12/15 07:24 AM, John Crispin wrote:
>>
>>
>> On 23/12/2015 13:05, Imre Kaloz wrote:
>>> Hi Daniel,
>>>
>>> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
>>> <openwrt@daniel.thecshore.com> wrote:
>>>
>>>> I am reworking this (requiring console login) as a couple of packages
>>>> for the packages feed, although it may require an image.mk or packages
>>>> Makefile hook in order to embed an appropriate inittab into the image
>>>> (since the inittab will need to be modified and we need to guarantee
>>>> the correct order of actions; and inittab comes from base-files which
>>>> is last thing done in the packages Makefile).
>>>
>>> I hope the other devs will chime in, but FWIW I would make this enabled
>>> unconditionally across all targets. As we already have a way to do a
>>> "factory reset" using the reset button, IMHO failsafe should also
>>> enforce login passwords everywhere, including the serial console.
>>>
>>
>> default on, once root passwd is set sounds good. an optional opt-out
>> feature would be nice to avoid people having to add dirty hacks to get
>> rid of the login prompt on tty shells. this could be hidden inside a
>> wrapper script called by inittab.
Daniel Dickinson Dec. 23, 2015, 12:43 p.m. UTC | #10
Oh, and I think that initially this should be a default off configuration 
option that people who are able to flash firmware via bootloader in case 
of getting locked out are encouraged to test before pushing this as default.

I'd hate to have some corner case result in bricked routers for people 
who have no means of recovering from a bad flash.

Regards,

Daniel

On 23/12/15 07:35 AM, John Crispin wrote:
>
>
> On 23/12/2015 13:32, Daniel Dickinson wrote:
>> I'm inclined to make the opt-out an image generation time decision
>> rather than configurable on the overlayfs for what I think are obvious
>> reasons.
>
> yep, that would be the best choice.
>
>
>>
>> Regards,
>>
>> Daniel
>>
>> On 23/12/15 07:24 AM, John Crispin wrote:
>>>
>>>
>>> On 23/12/2015 13:05, Imre Kaloz wrote:
>>>> Hi Daniel,
>>>>
>>>> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
>>>> <openwrt@daniel.thecshore.com> wrote:
>>>>
>>>>> I am reworking this (requiring console login) as a couple of packages
>>>>> for the packages feed, although it may require an image.mk or packages
>>>>> Makefile hook in order to embed an appropriate inittab into the image
>>>>> (since the inittab will need to be modified and we need to guarantee
>>>>> the correct order of actions; and inittab comes from base-files which
>>>>> is last thing done in the packages Makefile).
>>>>
>>>> I hope the other devs will chime in, but FWIW I would make this enabled
>>>> unconditionally across all targets. As we already have a way to do a
>>>> "factory reset" using the reset button, IMHO failsafe should also
>>>> enforce login passwords everywhere, including the serial console.
>>>>
>>>
>>> default on, once root passwd is set sounds good. an optional opt-out
>>> feature would be nice to avoid people having to add dirty hacks to get
>>> rid of the login prompt on tty shells. this could be hidden inside a
>>> wrapper script called by inittab.
Imre Kaloz Dec. 23, 2015, 12:47 p.m. UTC | #11
On Wed, 23 Dec 2015 13:43:14 +0100, Daniel Dickinson  
<openwrt@daniel.thecshore.com> wrote:

> Oh, and I think that initially this should be a default off configuration
> option that people who are able to flash firmware via bootloader in case
> of getting locked out are encouraged to test before pushing this as default.
>
> I'd hate to have some corner case result in bricked routers for people  
> who have no means of recovering from a bad flash.

You can reflash from the bootloader all the time, we are talking about  
userland here. IMHO this should be just a normal change, like dropping  
telnet. Enforcing login should be on by default, specially since if one  
forgets the password they can just reset everything to defaults keeping  
the reset button pressed.


Imre
Bastian Bittorf Dec. 23, 2015, 3:27 p.m. UTC | #12
* Imre Kaloz <kaloz@openwrt.org> [23.12.2015 16:22]:
> >I'd hate to have some corner case result in bricked routers for
> >people who have no means of recovering from a bad flash.
> 
> You can reflash from the bootloader all the time, we are talking
> about userland here. IMHO this should be just a normal change, like
> dropping telnet. Enforcing login should be on by default, specially
> since if one forgets the password they can just reset everything to
> defaults keeping the reset button pressed.

I am against asking for a password in failsafe mode:
failsafe is failsafe is failsafe.

You have to run mount_root which does _things_ and can break.

bye, bastian
Felix Fietkau Dec. 23, 2015, 4:26 p.m. UTC | #13
On 2015-12-16 15:59, openwrt@daniel.thecshore.com wrote:
> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
> 
> Some devices like generic PC's and Raspberry Pi/Pi2 are much more trivial to
> get hardware console access than a typical router scenario and therefore really
> ought to require login even on hardware console rather than a hardware console
> granting passwordless root access.
> 
> Since we're at it, we also make requiring login on hardware console an
> easily configured build-time option.
> 
> Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

> diff --git a/target/linux/adm5120/base-files-console/etc/inittab b/target/linux/adm5120/base-files-console/etc/inittab
> new file mode 100644
> index 0000000..fb677d6
> --- /dev/null
> +++ b/target/linux/adm5120/base-files-console/etc/inittab
> @@ -0,0 +1,5 @@
> +::sysinit:/etc/init.d/rcS S boot
> +::shutdown:/etc/init.d/rcS K shutdown
> +tts/0::respawn:/sbin/getty -L 115200 tts/0
> +ttyAM0::respawn:/sbin/getty -L 115200 ttyAM0
> +tty1::respawn:/sbin/getty -L 115200 tty1
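Review bot: the tty1 entry copies the serial-line arguments `-L 115200` from the two entries above it, although tty1 is a virtual terminal with no carrier signal or line speed to configure. A comment, or a separate form for the virtual terminal, would keep the file from suggesting that tty1 is a serial port.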
NACK on this kind of inittab change. We intentionally made the code
auto-detect the console based on what the kernel provides.
Please find a way to use this autodetection for login, e.g. by making a
wrapper that either spawns a shell or runs getty.
This would even be a nice way to make this feature runtime-configurable.

- Felix
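
The wrapper approach proposed in this thread (one entry on the kernel-provided console that either spawns a shell or asks for a login, with the opt-out fixed at image build time rather than in the overlay), as an added sketch that is not part of the original messages and not OpenWrt code. The flag file `etc/console-nologin`, the `/rom` default and all function names are assumptions of this example; the sample shadow entries are constructed.

```shell
#!/bin/sh
# Added illustration (not OpenWrt code). The flag file name etc/console-nologin
# and the /rom default are assumptions of this sketch.

# console_mode ROM_DIR -> "shell" or "login"
# The opt-out is looked up only below ROM_DIR, the read-only image, so a flag
# written to the writable overlay at run time cannot turn the prompt off.
console_mode() {
	if [ -e "$1/etc/console-nologin" ]; then
		echo shell
	else
		echo login
	fi
}

# root_password_state SHADOW_FILE -> "empty", "locked", "set" or "missing"
root_password_state() {
	[ -r "$1" ] || { echo missing; return 0; }
	# "|| [ -n "$user" ]" also handles a last line without a trailing newline.
	while IFS=: read -r user hash _rest || [ -n "$user" ]; do
		[ "$user" = root ] || continue
		case "$hash" in
			'')        echo empty ;;   # login admits root without a password
			'!'*|'*'*) echo locked ;;  # no password can match this field
			*)         echo set ;;
		esac
		return 0
	done < "$1"
	echo missing
}

# console_report ROM_DIR SHADOW_FILE -> one token for the effective policy
console_report() {
	if [ "$(console_mode "$1")" = shell ]; then
		echo shell-open              # image opted out: root shell, no prompt
		return 0
	fi
	case "$(root_password_state "$2")" in
		empty) echo login-open ;;     # prompt shown, empty password accepted
		set)   echo login-enforced ;; # password required on the console
		*)     echo login-lockout ;;  # root cannot authenticate on the console
	esac
}

# console_wrapper [ROM_DIR]: what a single inittab entry on the auto-detected
# console would run. Not called here because exec replaces the process.
console_wrapper() {
	case "$(console_mode "${1:-/rom}")" in
		shell) exec /bin/ash --login ;;
		*)     exec /bin/login ;;
	esac
}

# Demo on constructed sample trees (not taken from a real device).
demo() {
	t=$(mktemp -d) || return 1
	mkdir -p "$t/rom/etc" "$t/rom-optout/etc"
	: > "$t/rom-optout/etc/console-nologin"
	printf '%s\n' 'root::0:0:99999:7:::' > "$t/shadow.fresh"
	printf '%s\n' 'root:$1$constructed$notarealhash:16000:0:99999:7:::' > "$t/shadow.set"
	printf '%s\n' 'root:!:0:0:99999:7:::' > "$t/shadow.locked"
	echo "fresh image, no password:  $(console_report "$t/rom" "$t/shadow.fresh")"
	echo "password configured:       $(console_report "$t/rom" "$t/shadow.set")"
	echo "root locked:               $(console_report "$t/rom" "$t/shadow.locked")"
	echo "image built with opt-out:  $(console_report "$t/rom-optout" "$t/shadow.set")"
	rm -rf "$t"
}
demo
```

The `login-lockout` case is the one to test before making login the default: an image whose root entry cannot authenticate leaves the console unusable.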
Felix Fietkau Dec. 23, 2015, 4:27 p.m. UTC | #14
On 2015-12-23 16:27, Bastian Bittorf wrote:
> * Imre Kaloz <kaloz@openwrt.org> [23.12.2015 16:22]:
>> >I'd hate to have some corner case result in bricked routers for
>> >people who have no means of recovering from a bad flash.
>> 
>> You can reflash from the bootloader all the time, we are talking
>> about userland here. IMHO this should be just a normal change, like
>> dropping telnet. Enforcing login should be on by default, specially
>> since if one forgets the password they can just reset everything to
>> defaults keeping the reset button pressed.
> 
> I am against asking for a password in failsafe mode:
> failsafe is failsafe is failsafe.
> 
> You have to run mount_root which does _things_ and can break.
I completely agree with this. Failsafe needs to be robust.

- Felix
Bastian Bittorf Dec. 23, 2015, 4:32 p.m. UTC | #15
* Daniel Curran-Dickinson <daniel@daniel.thecshore.com> [23.12.2015 17:27]:
> I'm implementing without mount_root - that means passwordless
> failsafe unless user has preconfigured passwords in their image.
> OTOH if they have configured passwords in their image then they will
> be required.

ok, this sounds good.

while we are at it: what about including default private keys for SSH
till the real keys are generated? it can last several minutes on some
routers and it feels like the box is broken. also: if really something
goes wrong during key generating we can at least login.

bye, bastian
Imre Kaloz Dec. 23, 2015, 11:38 p.m. UTC | #16
On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau <nbd@openwrt.org> wrote:

> On 2015-12-23 16:27, Bastian Bittorf wrote:
>> * Imre Kaloz <kaloz@openwrt.org> [23.12.2015 16:22]:
>>> >I'd hate to have some corner case result in bricked routers for
>>> >people who have no means of recovering from a bad flash.
>>>
>>> You can reflash from the bootloader all the time, we are talking
>>> about userland here. IMHO this should be just a normal change, like
>>> dropping telnet. Enforcing login should be on by default, specially
>>> since if one forgets the password they can just reset everything to
>>> defaults keeping the reset button pressed.
>>
>> I am against asking for a password in failsafe mode:
>> failsafe is failsafe is failsafe.
>>
>> You have to run mount_root which does _things_ and can break.
> I completely agree with this. Failsafe needs to be robust.

Failsafe can be triggered both locally and through the network and gives  
straight root access. This doesn't make it robust, it makes it insecure.


Imre
Imre Kaloz Dec. 23, 2015, 11:38 p.m. UTC | #17
On Wed, 23 Dec 2015 17:32:06 +0100, Bastian Bittorf  
<bittorf@bluebottle.com> wrote:

> * Daniel Curran-Dickinson <daniel@daniel.thecshore.com> [23.12.2015  
> 17:27]:
>> I'm implementing without mount_root - that means passwordless
>> failsafe unless user has preconfigured passwords in their image.
>> OTOH if they have configured passwords in their image then they will
>> be required.
>
> ok, this sounds good.
>
> while we are at it: what about including default private keys for SSH
> till the real keys are generated? it can last several minutes on some
> routers and it feels like the box is broken. also: if really something
> goes wrong during key generating we can at least login.

So make it double unsafe - great idea ;)


Imre
Felix Fietkau Dec. 23, 2015, 11:49 p.m. UTC | #18
On 2015-12-24 00:38, Imre Kaloz wrote:
> On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau <nbd@openwrt.org> wrote:
> 
>> On 2015-12-23 16:27, Bastian Bittorf wrote:
>>> * Imre Kaloz <kaloz@openwrt.org> [23.12.2015 16:22]:
>>>> >I'd hate to have some corner case result in bricked routers for
>>>> >people who have no means of recovering from a bad flash.
>>>>
>>>> You can reflash from the bootloader all the time, we are talking
>>>> about userland here. IMHO this should be just a normal change, like
>>>> dropping telnet. Enforcing login should be on by default, specially
>>>> since if one forgets the password they can just reset everything to
>>>> defaults keeping the reset button pressed.
>>>
>>> I am against asking for a password in failsafe mode:
>>> failsafe is failsafe is failsafe.
>>>
>>> You have to run mount_root which does _things_ and can break.
>> I completely agree with this. Failsafe needs to be robust.
> 
> Failsafe can be triggered both locally and through the network and gives  
> straight root access. This doesn't make it robust, it makes it insecure.
How can it be triggered through the network?

- Felix
Daniel Dickinson Dec. 24, 2015, 12:14 a.m. UTC | #19
On 23/12/15 06:49 PM, Felix Fietkau wrote:
> On 2015-12-24 00:38, Imre Kaloz wrote:
>> On Wed, 23 Dec 2015 17:27:37 +0100, Felix Fietkau <nbd@openwrt.org> wrote:
>>
>>> On 2015-12-23 16:27, Bastian Bittorf wrote:
>>>> * Imre Kaloz <kaloz@openwrt.org> [23.12.2015 16:22]:
>>>>>> I'd hate to have some corner case result in bricked routers for
>>>>>> people who have no means of recovering from a bad flash.
>>>>>
>>>>> You can reflash from the bootloader all the time, we are talking
>>>>> about userland here. IMHO this should be just a normal change, like
>>>>> dropping telnet. Enforcing login should be on by default, specially
>>>>> since if one forgets the password they can just reset everything to
>>>>> defaults keeping the reset button pressed.
>>>>
>>>> I am against asking for a password in failsafe mode:
>>>> failsafe is failsafe is failsafe.
>>>>
>>>> You have to run mount_root which does _things_ and can break.
>>> I completely agree with this. Failsafe needs to be robust.
>>
>> Failsafe can be triggered both locally and through the network and gives
>> straight root access. This doesn't make it robust, it makes it insecure.
> How can it be triggered through the network?

I'm thinking that's a case of mis-speaking (although Imre may correct 
me).  Based on what I remember doing for failsafe, and what looks 
to still be the case in /lib/preinit, failsafe is *triggered* by

a) reset button
b) OR serial console

at which point it may be accessed (previously without password) via:

a) serial console
b) previously telnet, recently dropbear (i.e. network).  The telnet 
version was passwordless, which is what I think Imre is referring to.

I think the dropbear version is only passwordless if the router has been 
factory reset because based on my testing of adding the login 
wrapper to failsafe instead of dropping straight to passwordless root 
shell, if a password has been configured on the router, it gets used, 
and I didn't do anything to make that happen, so either the procd work, 
or the dropbear work added mount_root to failsafe sometime ago.

Regards,

Daniel
John Crispin Dec. 24, 2015, 8:10 a.m. UTC | #20
On 23/12/2015 17:32, Bastian Bittorf wrote:
> * Daniel Curran-Dickinson <daniel@daniel.thecshore.com> [23.12.2015 17:27]:
>> I'm implementing without mount_root - that means passwordless
>> failsafe unless user has preconfigured passwords in their image.
>> OTOH if they have configured passwords in their image then they will
>> be required.
> 
> ok, this sounds good.
> 
> while we are at it: what about including default private keys for SSH
> till the real keys are generated? it can last several minutes on some
> routers and it feels like the box is broken. also: if really something
> goes wrong during key generating we can at least login.
> 


you have a very bizarre understanding of securing a device.

	John



> bye, bastian
Daniel Dickinson Dec. 24, 2015, 11 a.m. UTC | #21
Hi Imre,

On 23/12/15 07:05 AM, Imre Kaloz wrote:
> Hi Daniel,
>
> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
> <openwrt@daniel.thecshore.com> wrote:
>
>> I am reworking this (requiring console login) as a couple of packages
>> for the packages feed, although it may require an image.mk or packages
>> Makefile hook in order to embed an appropriate inittab into the image
>> (since the inittab will need to be modified and we need to guarantee
>> the correct order of actions; and inittab comes from base-files which
>> is last thing done in the packages Makefile).
>
> I hope the other devs will chime in, but FWIW I would make this enabled
> unconditionally across all targets. As we already have a way to do a
> "factory reset" using the reset button, IMHO failsafe should also
> enforce login passwords everywhere, including the serial console.
>

At the present time it is actually not possible to use /bin/login from 
within the preinit context and therefore making passwords required 
during failsafe is not currently possible.

There are two problems:

The first issue is that, as others have pointed out, using passwords not 
embedded in the squashfs would require using mount_root, but one of the 
objectives of failsafe is to provide a way to recover when mount_root 
produces bad behaviour or just doesn't work.

The second (well and third) is that /bin/login issues vhangup (to 
prevent password sniffing) but that means any surrounding shell loses 
the tty and exits.  The only way around that issue (in failsafe) is exec 
/bin/login BUT preinit is 'the' init which means login replaces init and 
it is impossible for commands like mount_root to execute because they 
depend on being able to talk to the actual init not something that has 
exec'd init and isn't listening for them.

Basically failsafe/preinit is operating single user mode and that really 
limits what you can do to work around the issue.  If you added getty 
into the mix it might be possible to make failsafe use login, but that's 
work for another day.

Regards,

Daniel
Bastian Bittorf Dec. 24, 2015, 8:20 p.m. UTC | #22
* Imre Kaloz <kaloz@openwrt.org> [24.12.2015 21:15]:
> >while we are at it: what about including default private keys for SSH
> >till the real keys are generated? it can last several minutes on some
> >routers and it feels like the box is broken. also: if really something
> >goes wrong during key generating we can at least login.
> 
> So make it double unsafe - great idea ;)

please say more about this. the initial keygenerating is only
active when the password is still unset. i don't see an unsecure
thing here, do you?

bye, bastian
Michael Richardson Dec. 24, 2015, 8:42 p.m. UTC | #23
Daniel Dickinson <openwrt@daniel.thecshore.com> wrote:
    > At the present time it is actually not possible to use /bin/login from
    > within the preinit context and therefore making passwords required during
    > failsafe is not currently possible.

It sounds like we really need /bin/singleuserlogin.

Could we use a password (or hash) stored in eeprom?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
Bastian Bittorf Dec. 24, 2015, 8:42 p.m. UTC | #24
* John Crispin <blogic@openwrt.org> [24.12.2015 21:15]:
> > while we are at it: what about including default private keys for SSH
> > till the real keys are generated? it can last several minutes on some
> > routers and it feels like the box is broken. also: if really something
> > goes wrong during key generating we can at least login.
> 
> you have a very bizarre understanding of securing a device.

in this stage the box is still without password.

the only issue i can think of is, that one can
read on the wire to which password somebody changes
with 'passwd' - but i'm pretty sure this is not
the case, because each session has its own privacy.

please say more about your doubts.

bye, bastian
Michael Richardson Dec. 24, 2015, 8:58 p.m. UTC | #25
Bastian Bittorf <bittorf@bluebottle.com> wrote:
    >> >while we are at it: what about including default private keys for SSH
    >> >till the real keys are generated? it can last several minutes on some
    >> >routers and it feels like the box is broken. also: if really something
    >> >goes wrong during key generating we can at least login.
    >>
    >> So make it double unsafe - great idea ;)

    > please say more about this. the initial keygenerating is only
    > active when the password is still unset. i don't see an unsecure
    > thing here, do you?

1) when the "default" key is being used, the box can be impersonated.

2) if the user is "used" to a key mismatch, and they type their password in,
   the password has just been compromised.

3) if the user accepts the default keys, when the correct ones are generated,
   the user then has a key mismatch, again opening the possibility of
   an impersonation.

A better approach is that the ssh daemon should start, open port 22, and then
do SSHv2 transport mode up to the key-exchange, and then just respond to
keep alives, ideally with a message to "Please stand by", if we can find
a way to do that in-protocol. (wow. it's been 18 years since I worked at ssh...)

Michael Richardson Dec. 24, 2015, 9:01 p.m. UTC | #26
Bastian Bittorf <bittorf@bluebottle.com> wrote:
    >> > while we are at it: what about including default private keys for SSH
    >> > till the real keys are generated? it can last several minutes on some
    >> > routers and it feels like the box is broken. also: if really something
    >> > goes wrong during key generating we can at least login.
    >>
    >> you have a very bizarre understanding of securing a device.

    > in this stage the box is still without password.

okay.  So the impersonator machine lets the user in without a password, and
the impersonator machine has ALREADY connected to the new machine with no
password, and trojan'ed some binaries.

    > the only issue i can think of is, that one can
    > read on the wire to which password somebody changes
    > with 'passwd' - but i'm pretty sure this is not
    > the case, because each session has its own privacy.

No, since the impersonator (MITM) has involved itself with the session.
Effectively, the MITM creates:

             ssh mitm 'tee /badguy | ssh target'

(but, bidirectionally, and inside the SSH transport layer)

A new ICMP port-unreachable code would be nice to have here.

Bastian Bittorf Dec. 24, 2015, 9:25 p.m. UTC | #27
* Michael Richardson <mcr@sandelman.ca> [24.12.2015 22:14]:
> 1) when the "default" key is being used, the box can be impersonated.

hmmm, it can - but you need another box on the same wire
with the same IP 192.168.1.1

> 2) if the user is "used" to a key mismatch, and they type their password in,
>    the password has just been compromised.

at the moment the user *is* used to a key mismatch, because
every box comes up with 192.168.1.1 and another key.

> 3) if the user accepts the default keys, when the correct ones are generated,
>    the user then has a key mismatch, again opening the possibility of
>    an impersonation.

no - usually you change the IP and then you have to accept the new key.

i'm still not convinced that the "pre-key" is a bad idea.

bye, bastian
Bastian Bittorf Dec. 24, 2015, 9:33 p.m. UTC | #28
* Michael Richardson <mcr@sandelman.ca> [24.12.2015 22:14]:
>     >> > till the real keys are generated? it can last several minutes on some
>     >> > routers and it feels like the box is broken. also: if really something
>     >> > goes wrong during key generating we can at least login.
>     >>
>     >> you have a very bizarre understanding of securing a device.
> 
>     > in this stage the box is still without password.
> 
> okay.  So the impersonator machine lets the user in without a password, and
> the impersonator machine has ALREADY connected to the new machine with no
> password, and trojan'ed some binaries.

yes, if somebody wants to upload some binaries it's possible.

>     > the only issue i can think of is, that one can
>     > read on the wire to which password somebody changes
>     > with 'passwd' - but i'm pretty sure this is not
>     > the case, because each session has its own privacy.
> 
> No, since the impersonator (MITM) has involved itself with the session.
> Effectively, the MITM creates:
> 
>              ssh mitm 'tee /badguy | ssh target'
> 
> (but, bidirectionally, and inside the SSH transport layer)
> 
> A new ICMP port-unreachable code would be nice to have here.

interesting idea, but this is also possible with the current
approach. the user has to accept a new unknown key and has no
idea from which box it comes from.

but really, this is really hypothetical - normally you have
1 box on your desk and you are connected via wire to it. what
is your usecase?

bye, bastian
Bastian Bittorf Dec. 24, 2015, 9:42 p.m. UTC | #29
* Michael Richardson <mcr@sandelman.ca> [24.12.2015 22:14]:
> 2) if the user is "used" to a key mismatch, and they type their password in,
>    the password has just been compromised.

this is indeed true for IPv6/linklocal

> A better approach is that the ssh daemon should start, open port 22, and then
> do SSHv2 transport mode up to the key-exchange, and then just respond to
> keep alives, ideally with a message to "Please stand by", if we can find
> a way to do that in-protocol. (wow. it's been 18 years since I worked at ssh...)

this is very interesting.
i'm not sure how big this impact is to the dropbear codebase, but i like it.

thanks for your feedback. bye, bastian
Sami Olmari Dec. 24, 2015, 9:51 p.m. UTC | #30
-1 to default key...

> at the moment the user *is* used to a key mismatch, because
> every box comes up with 192.168.1.1 and another key.

No need to generate another weak point just because there can be another
similar one...

More general, should a bad guy have physical access to a device, be it
embedded router or full server, the game is mostly lost at that point
already... He can always take out the hard disk and boot own linux and
read the contents etc...

I could see the point of serial connection asking password in normal boot,
but no point with that in failsafe... for same reasons than above... mr bad
guy can even flash own bootloader to do stuff should he need access to
embedded device contents...

So, to recap, bad guy + physical access = game over, no matter what you try
to do...

 mine .02, Sami Olmari

On Thu, Dec 24, 2015 at 11:33 PM, Bastian Bittorf <bittorf@bluebottle.com>
wrote:

> * Michael Richardson <mcr@sandelman.ca> [24.12.2015 22:14]:
> >     >> > till the real keys are generated? it can last several minutes
> on some
> >     >> > routers and it feels like the box is broken. also: if really
> something
> >     >> > goes wrong during key generating we can at least login.
> >     >>
> >     >> you have a very bizarre understanding of securing a device.
> >
> >     > in this stage the box is still without password.
> >
> > okay.  So the impersonator machine lets the user in without a password,
> and
> > the impersonator machine has ALREADY connected to the new machine with no
> > password, and trojan'ed some binaries.
>
> yes, if somebody wants to upload some binaries it's possible.
>
> >     > the only issue i can think of is, that one can
> >     > read on the wire to which password somebody changes
> >     > with 'passwd' - but i'm pretty sure this is not
> >     > the case, because each session has its own privacy.
> >
> > No, since the impersonator (MITM) has involved itself with the session.
> > Effectively, the MITM creates:
> >
> >              ssh mitm 'tee /badguy | ssh target'
> >
> > (but, bidirectionally, and inside the SSH transport layer)
> >
> > A new ICMP port-unreachable code would be nice to have here.
>
> interesting idea, but this is also possible with the current
> approach. the user has to accept a new unknown key and has no
> idea from which box it comes from.
>
> but really, this is really hypothetical - normally you have
> 1 box on your desk and you are connected via wire to it. what
> is your usecase?
>
> bye, bastian
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
Daniel Dickinson Dec. 24, 2015, 10:59 p.m. UTC | #31
Security is ultimately all about making it cost too much (of at least 
time, money, effort, requirements, social factors) to break in.  Even 
so-called 'real' security vs. security in depth and security by 
obscurity is really on the same spectrum.

That is why those who make bald statements about there being no point to 
security that isn't what they deem 'real' security, miss the reality 
that they're just talking about different points on the same spectrum.

Not that one should rely *solely* on security by obscurity, but the
reality is that even security by obscurity has its uses and can at least
reduce attack surface.

For that matter the much vaunted example of DVD encryption shows that as 
much as weak security can be broken, it can achieve the ultimate 
objective well enough for long enough.  (In this case the objective is 
big media profits; dvd encryption prevented ordinary people from 
circumventing for long enough for them to make profit, therefore it 
actually succeeded at what it was designed for).

People tend to assume the objective of security is always absolute 'keep 
everyone out, even extremely well-funded antagonists', but that is not 
always actually the case.

Most of the time, the objectives are much more modest, and expecting 
people to prevent physical access to their home router or other devices 
running openwrt is rather unrealistic, but that doesn't mean we should 
leave it as trivial for someone to walk up to the device and gain 
passwordless root access.

It's all about managing the real risk of real situation using means that 
are not too onerous for benefit gained.

Like much of life, security is not nearly as black and white as many 
like to paint it (same with 'green' energy vs. fossil fuels; there is 
truly 'green' energy except not using energy, there are only degrees, 
and one needs to assess the full set of impacts to really make a good
decision about what's the right course of action).

Regards,

Daniel

On 24/12/15 04:51 PM, Sami Olmari wrote:
> -1 to default key...
>
>  > at the moment the user *is* used to a key mismatch, because
>> every box comes up with 192.168.1.1 and another key.
>
> No need to generate another weak point just because there can be another
> similar one...
>
> More general, should a bad guy have physical access to a device, be it
> embedded router or full server, the game is mostly lost at that point
> already... He can always take out the hard disk and boot own linux and
> read the contents etc...
>
> I could see the point of serial connection asking password in normal
> boot, but no point with that in failsafe... for same reasons than
> above... mr bad guy can even flash own bootloader to do stuff should he
> need access to embedded device contents...
>
> So, to recap, bad guy + physical access = game over, no matter what you
> try to do...
>
>   mine .02, Sami Olmari
>
> On Thu, Dec 24, 2015 at 11:33 PM, Bastian Bittorf
> <bittorf@bluebottle.com <mailto:bittorf@bluebottle.com>> wrote:
>
>     * Michael Richardson <mcr@sandelman.ca <mailto:mcr@sandelman.ca>>
>     [24.12.2015 22:14]:
>     >     >> > till the real keys are generated? it can last several minutes on some
>     >     >> > routers and it feels like the box is broken. also: if really something
>     >     >> > goes wrong during key generating we can at least login.
>     >     >>
>     >     >> you have a very bizarre understanding of securing a device.
>     >
>     >     > in this stage the box is still without password.
>     >
>     > okay.  So the impersonator machine lets the user in without a password, and
>     > the impersonator machine has ALREADY connected to the new machine with no
>     > password, and trojan'ed some binaries.
>
>     yes, if somebody wants to upload some binaries it's possible.
>
>     >     > the only issue i can think of is, that one can
>     >     > read on the wire to which password somebody changes
>     >     > with 'passwd' - but i'm pretty sure this is not
>     >     > the case, because each session has its own privacy.
>     >
>     > No, since the impersonator (MITM) has involved itself with the session.
>     > Effectively, the MITM creates:
>     >
>     >              ssh mitm 'tee /badguy | ssh target'
>     >
>     > (but, bidirectionally, and inside the SSH transport layer)
>     >
>     > A new ICMP port-unreachable code would be nice to have here.
>
>     interesting idea, but this is also possible with the current
>     approach. the user has to accept a new unknown key and has no
>     idea from which box it comes from.
>
>     but really, this is really hypothetical - normally you have
>     1 box on your desk and you are connected via wire to it. what
>     is your usecase?
>
>     bye, bastian
Michael Richardson Dec. 26, 2015, 5 a.m. UTC | #32
Sami Olmari <sami@olmari.fi> wrote:
    >> at the moment the user *is* used to a key mismatch, because
    >> every box comes up with 192.168.1.1 and another key.

    > No need to generate another weak point just because there can be another
    > similar one...

And, there is work at the IETF and the IEEE that could make this much less of
a problem, and IPv6 link-local addresses are not all 192.168.1.1.

    > More general, should a bad guy have physical access to a device, be it
    > embedded router or full server, the game is mostly lost at that point
    > already... He can always take out the hard disk and boot own linux and read
    > the contents etc...

True, but given wifi, the attacker doesn't have to have physical access to
the device.  Given that people want to put devices in all sorts of places
where physical access may be easy...

    > So, to recap, bad guy + physical access = game over, no matter what you try
    > to do...

probably.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

Patch

diff --git a/config/Config-build.in b/config/Config-build.in
index 1a35c5d..f975d45 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -75,6 +75,23 @@  menu "Global build settings"
                   encrypted and unencrypted flavours, even when the encryption library
                   is a 'heavier' one such as OpenSSL.
 
+	config CONSOLE_LOGIN
+		bool
+		prompt "Require login even on hardware/serial console"
+		default y if (TARGET_x86_generic || TARGET_x86_64 || TARGET_brcm2708)
+		default n
+		help
+		  Enables Busybox applets getty and login and uses them instead of default
+		  respawn of ash on hardware/serial consoles.  This is made the default for
+		  targets which are fairly easy to gain hardware console access compared to
+		  a typical router (which generally require more electronics skill or at least
+                  equipment that than is common except with electronics enthusiasts and
+                  professionals).  This includes the Raspberry Pi/Pi2 (built in HDMI and USB
+		  support making adding a console trivial), and *generic* x86 32-bit and 
+		  64-bit systems (typically physical PCs for which it is also usually trivial
+                  to add a keyboard and monitor without even rebooting).
+
+
 	comment "Kernel build options"
 
 	source "config/Config-kernel.in"
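Review bot: the help text for CONSOLE_LOGIN needs a cleanup pass. "equipment that than is common" should read "equipment than is common", three of the help lines are indented with spaces where the rest use tabs, the line ending in "32-bit and " carries trailing whitespace, and the hunk adds two blank lines before the "Kernel build options" comment where one is enough. The trailing "default n" is also redundant for a bool. It would help to add a sentence saying what the login prompt does on an image where no root password has been set, since the help currently only describes which applets get enabled.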
diff --git a/package/base-files/Makefile b/package/base-files/Makefile
index 1367fa9..b4fe806 100644
--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
@@ -112,25 +112,46 @@  define Package/base-files/install
 	if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
 		$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
 	fi
+	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(GENERIC_PLATFORM_DIR)/base-files-console/. ]; then \
+		$(CP) $(GENERIC_PLATFORM_DIR)/base-files-console/* $(1)/; \
+	fi)
 	if [ -d $(PLATFORM_DIR)/base-files/. ]; then \
 		$(CP) $(PLATFORM_DIR)/base-files/* $(1)/; \
 	fi
+	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_DIR)/base-files-console/. ]; then \
+		$(CP) $(PLATFORM_DIR)/base-files-console/* $(1)/; \
+	fi)
 	if [ -d $(PLATFORM_DIR)/base-files-$(PROFILE)/. ]; then \
 		$(CP) $(PLATFORM_DIR)/base-files-$(PROFILE)/* $(1)/; \
 	fi
+	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_DIR)/base-files-console-$(PROFILE)/. ]; then \
+		$(CP) $(PLATFORM_DIR)/base-files-console-$(PROFILE)/* $(1)/; \
+	fi)
 	if [ -d $(PLATFORM_DIR)/$(PROFILE)/base-files/. ]; then \
 		$(CP) $(PLATFORM_DIR)/$(PROFILE)/base-files/* $(1)/; \
 	fi
+	$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_DIR)/$(PROFILE)/base-files-console/. ]; then \
+		$(CP) $(PLATFORM_DIR)/$(PROFILE)/base-files-console/* $(1)/; \
+	fi)
 	$(if $(filter-out $(PLATFORM_DIR),$(PLATFORM_SUBDIR)), \
 		if [ -d $(PLATFORM_SUBDIR)/base-files/. ]; then \
 			$(CP) $(PLATFORM_SUBDIR)/base-files/* $(1)/; \
 		fi; \
+		$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_SUBDIR)/base-files-console/. ]; then \
+			$(CP) $(PLATFORM_SUBDIR)/base-files-console/* $(1)/; \
+		fi;) \
 		if [ -d $(PLATFORM_SUBDIR)/base-files-$(PROFILE)/. ]; then \
 			$(CP) $(PLATFORM_SUBDIR)/base-files-$(PROFILE)/* $(1)/; \
 		fi; \
+		$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_SUBDIR)/base-files-$(PROFILE)-console/. ]; then \
+			$(CP) $(PLATFORM_SUBDIR)/base-files-console-$(PROFILE)/* $(1)/; \
+		fi;) \
 		if [ -d $(PLATFORM_SUBDIR)/$(PROFILE)/base-files/. ]; then \
 			$(CP) $(PLATFORM_SUBDIR)/$(PROFILE)/base-files/* $(1)/; \
-		fi \
+		fi; \
+		$(if $(CONFIG_CONSOLE_LOGIN),if [ -d $(PLATFORM_SUBDIR)/$(PROFILE)/base-files-console/. ]; then \
+			$(CP) $(PLATFORM_SUBDIR)/$(PROFILE)/base-files-console/* $(1)/; \
+		fi) \
 	)
 
 	$(VERSION_SED) \
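Review bot: in the PLATFORM_SUBDIR profile block the directory test and the copy disagree. The test checks $(PLATFORM_SUBDIR)/base-files-$(PROFILE)-console/. but the cp reads from $(PLATFORM_SUBDIR)/base-files-console-$(PROFILE)/*, while the PLATFORM_DIR equivalent above uses base-files-console-$(PROFILE) in both places. As written, an overlay named like the PLATFORM_DIR one is never copied, and one named to satisfy the test makes cp run against a path that was not checked. Please make the test match the copy. Separately, each console overlay is copied before the next, more specific base-files directory, so a profile or subtarget base-files that ships its own etc/inittab will overwrite the getty inittab and the build will silently fall back to a shell without login. Copying all console overlays after all regular base-files directories would avoid that.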
diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7a7b4a6..0986302 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -1210,12 +1210,15 @@  config BUSYBOX_DEFAULT_FEATURE_DEL_USER_FROM_GROUP
 	default n
 config BUSYBOX_DEFAULT_GETTY
 	bool
+	default y if CONSOLE_LOGIN
 	default n
 config BUSYBOX_DEFAULT_LOGIN
 	bool
+	default y if CONSOLE_LOGIN
 	default n
 config BUSYBOX_DEFAULT_LOGIN_SESSION_AS_CHILD
 	bool
+	default y if CONSOLE_LOGIN
 	default n
 config BUSYBOX_DEFAULT_LOGIN_SCRIPTS
 	bool
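Review bot: these three symbols only get a changed default, so nothing in this hunk guarantees that getty and login are actually built when CONSOLE_LOGIN is enabled. The inittab files added later in the patch respawn /sbin/getty unconditionally, so a build that has CONSOLE_LOGIN=y but a busybox configuration without getty would end up with no usable console at all. Consider expressing this as a dependency or select from CONSOLE_LOGIN rather than a default. The commit message also does not say why LOGIN_SESSION_AS_CHILD is switched on together with the other two; a line explaining that would help.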
diff --git a/target/linux/adm5120/base-files-console/etc/inittab b/target/linux/adm5120/base-files-console/etc/inittab
new file mode 100644
index 0000000..fb677d6
--- /dev/null
+++ b/target/linux/adm5120/base-files-console/etc/inittab
@@ -0,0 +1,5 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+tts/0::respawn:/sbin/getty -L 115200 tts/0
+ttyAM0::respawn:/sbin/getty -L 115200 ttyAM0
+tty1::respawn:/sbin/getty -L 115200 tty1
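Review bot: this file, like the other per-target inittab files in the patch, replaces the whole /etc/inittab and so carries its own copy of the sysinit and shutdown lines, whereas the ar71xx change rewrites only the console line with sed. Two mechanisms for the same setting will drift apart: any later change to the stock inittab has to be repeated in every base-files-console copy. Please pick one approach, preferably a single rewrite of the console line, and use it for all targets.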
diff --git a/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab b/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
new file mode 100644
index 0000000..97a31b1
--- /dev/null
+++ b/target/linux/ar71xx/base-files-console/etc/uci-defaults/inittab
@@ -0,0 +1,6 @@ 
+#!/bin/sh
+
+CONSOLE="$(sed -e 's/^.*console=\(.*\),[0-9][0-9]*.*$/\1/' /proc/cmdline)"
+SPEED="$(sed -e 's/^.*console=.*,\([0-9][0-9]*\).*$/\2/' /proc/cmdline)"
+sed -i -e "s/::askconsole:\/bin\/ash --login/${CONSOLE:-ttyS0}::respawn:\/sbin\/getty -L ${SPEED:-115200} ${CONSOLE:-ttyS0}/" /etc/inittab
+
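Review bot: the SPEED expression references \2 but its pattern has only one capture group, so sed rejects the command and SPEED is always empty; it should be \1. Both sed calls also print /proc/cmdline unchanged when the pattern does not match (no console= argument, or one without a ",speed" suffix), so CONSOLE then holds the whole command line, the ${CONSOLE:-ttyS0} fallback never applies, and any "/" in it breaks the final sed -i expression. Use sed -n with the p flag so a non-match yields an empty string, and replace the greedy \(.*\) after console= with something like \([^, ]*\) so the capture stops at the device name.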
diff --git a/target/linux/brcm2708/base-files-console/etc/inittab b/target/linux/brcm2708/base-files-console/etc/inittab
new file mode 100644
index 0000000..4e62ec9
--- /dev/null
+++ b/target/linux/brcm2708/base-files-console/etc/inittab
@@ -0,0 +1,4 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
+tty1::respawn:/sbin/getty -L 115200 tty1
diff --git a/target/linux/ipq806x/base-files-console/etc/inittab b/target/linux/ipq806x/base-files-console/etc/inittab
new file mode 100644
index 0000000..3886602
--- /dev/null
+++ b/target/linux/ipq806x/base-files-console/etc/inittab
@@ -0,0 +1,4 @@ 
+# Copyright (c) 2013 The Linux Foundation. All rights reserved.
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyMSM0::respawn:/sbin/getty -L 115200 ttyMSM0
diff --git a/target/linux/lantiq/base-files-console/etc/inittab b/target/linux/lantiq/base-files-console/etc/inittab
new file mode 100644
index 0000000..5e9d0ca
--- /dev/null
+++ b/target/linux/lantiq/base-files-console/etc/inittab
@@ -0,0 +1,3 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K stop
+ttyLTQ0::respawn:/sbin/getty -L 11520 ttyLTQ0
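Review bot: the getty line passes -L 11520, which looks like a typo for 115200; every other inittab in this patch uses 115200, and with the wrong rate getty would configure the line at a speed the console is not using. The shutdown line also uses "rcS K stop" where the other files in the patch use "rcS K shutdown"; please confirm that is intended for lantiq and not a copy error.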
diff --git a/target/linux/malta/base-files-console/etc/inittab b/target/linux/malta/base-files-console/etc/inittab
new file mode 100644
index 0000000..5fb3c2f
--- /dev/null
+++ b/target/linux/malta/base-files-console/etc/inittab
@@ -0,0 +1,7 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+tts/0::respawn:/sbin/getty -L 115200 tts/0
+ttyS0::respawn:/sbin/getty -L 115200 ttyS0
+ttyS1::respawn:/sbin/getty -L 115200 ttyS1
+ttyS2::respawn:/sbin/getty -L 115200 ttyS2
+tty1::respawn:/sbin/getty -L 115200 tty1
diff --git a/target/linux/mediatek/base-files-console/etc/inittab b/target/linux/mediatek/base-files-console/etc/inittab
new file mode 100644
index 0000000..2f00c85
--- /dev/null
+++ b/target/linux/mediatek/base-files-console/etc/inittab
@@ -0,0 +1,3 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyS0::respawn:/sbin/getty -L 115200 ttyS0
diff --git a/target/linux/mxs/base-files-console/etc/inittab b/target/linux/mxs/base-files-console/etc/inittab
new file mode 100644
index 0000000..f66e29c
--- /dev/null
+++ b/target/linux/mxs/base-files-console/etc/inittab
@@ -0,0 +1,3 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
diff --git a/target/linux/omap/base-files-console/etc/inittab b/target/linux/omap/base-files-console/etc/inittab
new file mode 100644
index 0000000..69a7f69
--- /dev/null
+++ b/target/linux/omap/base-files-console/etc/inittab
@@ -0,0 +1,5 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyO0::respawn:/sbin/getty -L 115200 ttyO0
+ttyO2::respawn:/sbin/getty -L 115200 ttyO2
+tty1::respawn:/sbin/getty -L 115200 tty1
diff --git a/target/linux/omap24xx/base-files-console/etc/inittab b/target/linux/omap24xx/base-files-console/etc/inittab
new file mode 100644
index 0000000..bf19849
--- /dev/null
+++ b/target/linux/omap24xx/base-files-console/etc/inittab
@@ -0,0 +1,5 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+tts/0::respawn:/sbin/getty -L 115200 tts/0
+ttyO2::respawn:/sbin/getty -L 115200 ttyO2
+tty1::respawn:/sbin/getty -L 115200 tty1
diff --git a/target/linux/ppc44x/base-files-console/etc/inittab b/target/linux/ppc44x/base-files-console/etc/inittab
new file mode 100644
index 0000000..23206fa
--- /dev/null
+++ b/target/linux/ppc44x/base-files-console/etc/inittab
@@ -0,0 +1,4 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyS0::respawn:/sbin/getty -L 115200 ttyS0
+ttyS1::respawn:/sbin/getty -L 115200 ttyS1
diff --git a/target/linux/realview/base-files-console/etc/inittab b/target/linux/realview/base-files-console/etc/inittab
new file mode 100644
index 0000000..a14f90f
--- /dev/null
+++ b/target/linux/realview/base-files-console/etc/inittab
@@ -0,0 +1,5 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+tts/0::respawn:/sbin/getty -L 115200 tts/0
+ttyAMA0::respawn:/sbin/getty -L 115200 ttyAMA0
+tty1::respawn:/sbin/getty -L 115200 tty1
diff --git a/target/linux/sunxi/base-files-console/etc/inittab b/target/linux/sunxi/base-files-console/etc/inittab
new file mode 100644
index 0000000..b4c80de
--- /dev/null
+++ b/target/linux/sunxi/base-files-console/etc/inittab
@@ -0,0 +1,5 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+tts/0::respawn:/sbin/getty -L 115200 tts/0
+ttyS0::respawn:/sbin/getty -L 115200 ttyS0
+tty1::respawn:/sbin/getty -L 115200 tty1
diff --git a/target/linux/x86/base-files-console/etc/inittab b/target/linux/x86/base-files-console/etc/inittab
new file mode 100644
index 0000000..060cd53
--- /dev/null
+++ b/target/linux/x86/base-files-console/etc/inittab
@@ -0,0 +1,4 @@ 
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyS0::respawn:/sbin/getty -L 115200 ttyS0
+tty1::respawn:/sbin/getty -L 115200 tty1