* [PATCH 0/1] Enable the ability to force a password change on boot
@ 2021-03-08 18:08 Mark Hatle
  2021-03-08 18:08 ` [PATCH 1/1] extrausers: Add ability to force password change on first login Mark Hatle
  0 siblings, 1 reply; 9+ messages in thread
From: Mark Hatle @ 2021-03-08 18:08 UTC (permalink / raw)
  To: openembedded-core

As noted in the commit message, shadow(5) indicates that the third
parameter of the /etc/shadow file, when set to 0, can be used to force
a password change on login.  Note, a login program that supports this
behavior is required.

It was added to extrausers.bbclass as it has the same dependencies as
the other components of extrausers and should often be used with
adding/creating new accounts.

This was verified by adding the following to the conf/local.conf:

INHERIT += "extrausers"

EXTRA_FORCE_PASSWORD_CHANGE_append = " root"

$ bitbake core-image-minimal
$ runqemu

Login as root, and it should prompt for a password change.

This was further verified by setting a default root password, as well
as adding a new user to the system.  In both cases it worked as expected.

Finally, adding an invalid user to the list generates an appropriate
error.


Mark Hatle (1):
  extrausers: Add ability to force password change on first login

 meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
 meta/conf/documentation.conf    |  1 +
 2 files changed, 28 insertions(+), 2 deletions(-)

-- 
2.17.1



* [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-08 18:08 [PATCH 0/1] Enable the ability to force a password change on boot Mark Hatle
@ 2021-03-08 18:08 ` Mark Hatle
  2021-03-08 18:50   ` [OE-core] " Khem Raj
                     ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Mark Hatle @ 2021-03-08 18:08 UTC (permalink / raw)
  To: openembedded-core

From: Mark Hatle <mark.hatle@xilinx.com>

As documented in shadow(5), the third parameter is the last login time.  A
special value of '0' is defined which causes the password system to force
a password change on next login.

Adding the variable "EXTRA_FORCE_PASSWORD_CHANGE", a space separated list of
user names, we can use this to adjust the shadow file's third value for the
listed users.

Note: This does have the same dependencies as other usages of extrausers,
specifically base-passwd and shadow.

Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
---
 meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
 meta/conf/documentation.conf    |  1 +
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass
index 90811bfe2a..e9d9358bef 100644
--- a/meta/classes/extrausers.bbclass
+++ b/meta/classes/extrausers.bbclass
@@ -14,10 +14,10 @@
 
 inherit useradd_base
 
-PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
+PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS')) or bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
 
 # Image level user / group settings
-ROOTFS_POSTPROCESS_COMMAND_append = " set_user_group;"
+ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' set_user_group;'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
 
 # Image level user / group settings
 set_user_group () {
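Review bot: the `ROOTFS_POSTPROCESS_COMMAND_append` change in this hunk alters when `set_user_group` is scheduled: it used to be appended unconditionally and is now only added when `EXTRA_USERS_PARAMS` is set, which the commit message does not mention; either call it out there or split it into its own commit. The `['', 'x'][bool(...)]` list-indexing idiom is also hard to read for what is a plain conditional; `${@' set_user_group;' if d.getVar('EXTRA_USERS_PARAMS') else ''}` states the same thing directly, and the same rewrite would suit the `PACKAGE_INSTALL_append` line, where the `or` of two `bool()` calls is now indexed into a list.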
@@ -66,6 +66,31 @@ set_user_group () {
 	done
 }
 
+# Image level force a specific user/users to reset their password on first login
+# Note: this requires shadow passwords and login programs that respect the shadow
+# expiration field.
+ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' force_password_change;'][bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
+
+# Works by setting 'date of last password change' to 0, which has a special
+# meaning of 'user should change her password the next time she will log in the
+# system' See: shadow (5)
+force_password_change () {
+	if [ ! -e ${IMAGE_ROOTFS}/etc/shadow ]; then
+		bberror "/etc/shadow does not exist in the image, unable to set password change on login."
+		return
+	fi
+	passwd_change_users="${EXTRA_FORCE_PASSWORD_CHANGE}"
+	export PSEUDO="${FAKEROOTENV} ${STAGING_DIR_NATIVE}${bindir}/pseudo"
+	for name in $passwd_change_users; do
+		if ! grep -q '^'$name':' ${IMAGE_ROOTFS}/etc/shadow ; then
+			bberror "Unable to find user $name in /etc/shadow, unable to set password change on login."
+		fi
+		bbnote "Set user $name to need a password change on first login."
+		cmd="sed -i ${IMAGE_ROOTFS}/etc/shadow -e 's,^'$name':\\([^:]*\\):[^:]*:,'$name':\\1:0:,'"
+		eval flock -x ${IMAGE_ROOTFS}${sysconfdir} -c \"$PSEUDO $cmd\" || true
+	done
+}
+
 USERADDEXTENSION ?= ""
 
 inherit ${USERADDEXTENSION}
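Review bot: in `force_password_change`, the `if ! grep -q '^'$name':' ... ; then bberror ...; fi` branch has no `continue`, so a user that is not in /etc/shadow still reaches `bbnote "Set user $name to need a password change on first login."` and the `sed` call; add `continue` after the `bberror` (or use `bbfatal` if a misspelled name should fail the build, as the cover letter's "appropriate error" suggests). Two smaller points: `$name` is spliced unquoted into both the `grep` pattern and the `sed` expression, so a name containing `,` or regex metacharacters would change the expression rather than fail cleanly, and the trailing `|| true` hides any `flock`/`sed` failure, so a user can be logged as set when the file was not changed. Finally, the terminology is inconsistent: the hunk comment says "shadow expiration field", the function comment says "date of last password change", and the commit message says "last login time"; shadow(5), as the function comment itself cites, describes the third field as the date of the last password change, so the function comment is the accurate one and the other two should be aligned with it.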
diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
index c5a38b0764..d1c5b8b1a3 100644
--- a/meta/conf/documentation.conf
+++ b/meta/conf/documentation.conf
@@ -169,6 +169,7 @@ EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable spec
 EXTRA_QMAKEVARS_POST[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be after the .pro file list on the command line."
 EXTRA_QMAKEVARS_PRE[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be before the .pro file list on the command line."
 EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
+EXTRA_FORCE_PASSWORD_CHANGE[doc] = "When a recipe inherits the extrausers class, this variable causes the specified users to require a password change on first login."
 
 #F
 
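Review bot: the surrounding `EXTRA_*[doc]` entries in documentation.conf are kept in alphabetical order (EXTRA_OESCONS, EXTRA_QMAKEVARS_POST, EXTRA_QMAKEVARS_PRE, EXTRA_USERS_PARAMS), so `EXTRA_FORCE_PASSWORD_CHANGE[doc]` belongs before `EXTRA_OESCONS[doc]` rather than after `EXTRA_USERS_PARAMS[doc]`. The text could also say that the value is a space-separated list of user names, as the commit message does, and that it only takes effect with login programs that honour the shadow field, matching the note in the class.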
-- 
2.17.1


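The mechanism in the patch above (rewrite the third /etc/shadow field to 0 so that a shadow-aware login program demands a new password) can be exercised outside a BitBake rootfs. The block below is an added example, not code from the patch or from extrausers.bbclass: it applies the same third-field rewrite to a constructed shadow file with placeholder hashes, reports and skips user names that are not present instead of falling through to the rewrite, matches the user name as a whole awk field rather than splicing it into a sed expression, writes the result back in place so the file's mode and ownership survive, and adds a small audit helper that classifies each account as locked, must-change, active or missing, which is the check an image reviewer would run before shipping. The function names (make_sample_shadow, force_password_change_in, shadow_account_state) and the sample accounts are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the patch or of extrausers.bbclass.

# Constructed sample shadow file; the hashes are placeholders, not real.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18800:0:99999:7:::
svc:*:18800:0:99999:7:::
alice:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18800:0:99999:7:::
bob:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18800:0:99999:7:::
EOF
}

# Set "date of last password change" (field 3) to 0 for every listed user,
# which shadow(5) defines as "must change password at next login".
# Returns 1 if any listed name was invalid or absent; valid users are still
# updated, so the caller can decide whether a bad name is fatal.
force_password_change_in() {
    shadow="$1"; shift
    rc=0
    for name in "$@"; do
        # Reject anything that cannot be an account name before it reaches awk,
        # so a stray ',' or regex character never alters the rewrite.
        case "$name" in
            *[!A-Za-z0-9._-]*|"")
                echo "invalid user name: '$name'" >&2; rc=1; continue ;;
        esac
        # Whole-field comparison: "root" must not match "rootkit".
        if ! awk -F: -v u="$name" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$shadow"; then
            echo "user $name not found in $shadow" >&2
            rc=1
            continue
        fi
        # Rebuild only the matching record; OFS keeps the colon layout and the
        # trailing empty fields intact.
        awk -F: -v OFS=: -v u="$name" '$1 == u { $3 = "0" } { print }' "$shadow" > "$shadow.tmp" \
            && cat "$shadow.tmp" > "$shadow" \
            && rm -f "$shadow.tmp"
    done
    return $rc
}

# Audit helper: print "locked", "must-change", "active" or "missing" for a user.
# A hash beginning with '!' or '*' is a locked account in shadow(5) terms.
shadow_account_state() {
    awk -F: -v u="$1" '
        $1 == u {
            if ($2 ~ /^[!*]/)    print "locked";
            else if ($3 == "0")  print "must-change";
            else                 print "active";
            found = 1; exit
        }
        END { if (!found) print "missing" }' "$2"
}
```

On a real image the file would be ${IMAGE_ROOTFS}/etc/shadow and the rewrite would run under pseudo with the flock the class already takes; writing through `cat > "$shadow"` rather than moving a temporary file over it is deliberate, because /etc/shadow's restrictive mode and group ownership must not be replaced by the temporary file's defaults.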

* Re: [OE-core] [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-08 18:08 ` [PATCH 1/1] extrausers: Add ability to force password change on first login Mark Hatle
@ 2021-03-08 18:50   ` Khem Raj
  2021-03-08 19:11     ` Mark Hatle
  2021-03-09  2:02   ` Chen Qi
  2021-03-09  9:15   ` [OE-core] " Quentin Schulz
  2 siblings, 1 reply; 9+ messages in thread
From: Khem Raj @ 2021-03-08 18:50 UTC (permalink / raw)
  To: Mark Hatle, openembedded-core



On 3/8/21 10:08 AM, Mark Hatle wrote:
> From: Mark Hatle <mark.hatle@xilinx.com>
> 
> As documented in shadow(5), the third parameter is the last login time.  A
> special value of '0' is defined which causes the password system to force
> a password change on next login.
> 
> Adding the variable "EXTRA_FORCE_PASSWORD_CHANGE", a space separated list of
> user names, we can use this to adjust the shadow file's third value for the
> listed users.
> 
> Note: This does have the same dependencies as other usages of extrausers,
> specifically base-passwd and shadow.
> 

I think it should check for r/w rootfs feature perhaps. Unrelated to 
this change, but it seems it adds a dep on shadow disregarding DISTRO 
policies where user might have chosen a different login manager; it 
should perhaps warn about it.

> Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
> ---
>   meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
>   meta/conf/documentation.conf    |  1 +
>   2 files changed, 28 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass
> index 90811bfe2a..e9d9358bef 100644
> --- a/meta/classes/extrausers.bbclass
> +++ b/meta/classes/extrausers.bbclass
> @@ -14,10 +14,10 @@
>   
>   inherit useradd_base
>   
> -PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
> +PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS')) or bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>   
>   # Image level user / group settings
> -ROOTFS_POSTPROCESS_COMMAND_append = " set_user_group;"
> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' set_user_group;'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>   
>   # Image level user / group settings
>   set_user_group () {
> @@ -66,6 +66,31 @@ set_user_group () {
>   	done
>   }
>   
> +# Image level force a specific user/users to reset their password on first login
> +# Note: this requires shadow passwords and login programs that respect the shadow
> +# expiration field.
> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' force_password_change;'][bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
> +
> +# Works by setting 'date of last password change' to 0, which has a special
> +# meaning of 'user should change her password the next time she will log in the
> +# system' See: shadow (5)
> +force_password_change () {
> +	if [ ! -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> +		bberror "/etc/shadow does not exist in the image, unable to set password change on login."
> +		return
> +	fi
> +	passwd_change_users="${EXTRA_FORCE_PASSWORD_CHANGE}"
> +	export PSEUDO="${FAKEROOTENV} ${STAGING_DIR_NATIVE}${bindir}/pseudo"
> +	for name in $passwd_change_users; do
> +		if ! grep -q '^'$name':' ${IMAGE_ROOTFS}/etc/shadow ; then
> +			bberror "Unable to find user $name in /etc/shadow, unable to set password change on login."
> +		fi
> +		bbnote "Set user $name to need a password change on first login."
> +		cmd="sed -i ${IMAGE_ROOTFS}/etc/shadow -e 's,^'$name':\\([^:]*\\):[^:]*:,'$name':\\1:0:,'"
> +		eval flock -x ${IMAGE_ROOTFS}${sysconfdir} -c \"$PSEUDO $cmd\" || true
> +	done
> +}
> +
>   USERADDEXTENSION ?= ""
>   
>   inherit ${USERADDEXTENSION}
> diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
> index c5a38b0764..d1c5b8b1a3 100644
> --- a/meta/conf/documentation.conf
> +++ b/meta/conf/documentation.conf
> @@ -169,6 +169,7 @@ EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable spec
>   EXTRA_QMAKEVARS_POST[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be after the .pro file list on the command line."
>   EXTRA_QMAKEVARS_PRE[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be before the .pro file list on the command line."
>   EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
> +EXTRA_FORCE_PASSWORD_CHANGE[doc] = "When a recipe inherits the extrausers class, this variable causes the specified users to require a password change on first login."
>   
>   #F
>   


* Re: [OE-core] [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-08 18:50   ` [OE-core] " Khem Raj
@ 2021-03-08 19:11     ` Mark Hatle
  0 siblings, 0 replies; 9+ messages in thread
From: Mark Hatle @ 2021-03-08 19:11 UTC (permalink / raw)
  To: Khem Raj, openembedded-core



On 3/8/21 12:50 PM, Khem Raj wrote:
> 
> 
> On 3/8/21 10:08 AM, Mark Hatle wrote:
>> From: Mark Hatle <mark.hatle@xilinx.com>
>>
>> As documented in shadow(5), the third parameter is the last login time.  A
>> special value of '0' is defined which causes the password system to force
>> a password change on next login.
>>
>> Adding the variable "EXTRA_FORCE_PASSWORD_CHANGE", a space separated list of
>> user names, we can use this to adjust the shadow file's third value for the
>> listed users.
>>
>> Note: This does have the same dependencies as other usages of extrausers,
>> specifically base-passwd and shadow.
>>
> 
> I think it should check for r/w rootfs feature perhaps. unrelated to 

Is there a standard way to check for a r/w rootfs?  If there is, it's easy to add.

> this change but it seems it adds a dep on shadow disregarding DISTRO 
> policies where user might have chosen a different login managager, it 
> should perhaps warn about it.

The dep on shadow is the same as any extrauser call.  The dependency sets the
minimum login manager, but any login manager that supports proper shadow
password handling will work.  If it doesn't support shadow password handling
then nothing breaks -- it just won't do anything.  (Really nothing here that can
be enforced in this code block.)

util-linux login + pam for instance used to work.  (I've not tested it though in
a few years.)

--Mark

>> Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
>> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
>> ---
>>   meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
>>   meta/conf/documentation.conf    |  1 +
>>   2 files changed, 28 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass
>> index 90811bfe2a..e9d9358bef 100644
>> --- a/meta/classes/extrausers.bbclass
>> +++ b/meta/classes/extrausers.bbclass
>> @@ -14,10 +14,10 @@
>>   
>>   inherit useradd_base
>>   
>> -PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>> +PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS')) or bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>>   
>>   # Image level user / group settings
>> -ROOTFS_POSTPROCESS_COMMAND_append = " set_user_group;"
>> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' set_user_group;'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>>   
>>   # Image level user / group settings
>>   set_user_group () {
>> @@ -66,6 +66,31 @@ set_user_group () {
>>   	done
>>   }
>>   
>> +# Image level force a specific user/users to reset their password on first login
>> +# Note: this requires shadow passwords and login programs that respect the shadow
>> +# expiration field.
>> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' force_password_change;'][bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>> +
>> +# Works by setting 'date of last password change' to 0, which has a special
>> +# meaning of 'user should change her password the next time she will log in the
>> +# system' See: shadow (5)
>> +force_password_change () {
>> +	if [ ! -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>> +		bberror "/etc/shadow does not exist in the image, unable to set password change on login."
>> +		return
>> +	fi
>> +	passwd_change_users="${EXTRA_FORCE_PASSWORD_CHANGE}"
>> +	export PSEUDO="${FAKEROOTENV} ${STAGING_DIR_NATIVE}${bindir}/pseudo"
>> +	for name in $passwd_change_users; do
>> +		if ! grep -q '^'$name':' ${IMAGE_ROOTFS}/etc/shadow ; then
>> +			bberror "Unable to find user $name in /etc/shadow, unable to set password change on login."
>> +		fi
>> +		bbnote "Set user $name to need a password change on first login."
>> +		cmd="sed -i ${IMAGE_ROOTFS}/etc/shadow -e 's,^'$name':\\([^:]*\\):[^:]*:,'$name':\\1:0:,'"
>> +		eval flock -x ${IMAGE_ROOTFS}${sysconfdir} -c \"$PSEUDO $cmd\" || true
>> +	done
>> +}
>> +
>>   USERADDEXTENSION ?= ""
>>   
>>   inherit ${USERADDEXTENSION}
>> diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
>> index c5a38b0764..d1c5b8b1a3 100644
>> --- a/meta/conf/documentation.conf
>> +++ b/meta/conf/documentation.conf
>> @@ -169,6 +169,7 @@ EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable spec
>>   EXTRA_QMAKEVARS_POST[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be after the .pro file list on the command line."
>>   EXTRA_QMAKEVARS_PRE[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be before the .pro file list on the command line."
>>   EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
>> +EXTRA_FORCE_PASSWORD_CHANGE[doc] = "When a recipe inherits the extrausers class, this variable causes the specified users to require a password change on first login."
>>   
>>   #F
>>   


* Re: [OE-core] [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-08 18:08 ` [PATCH 1/1] extrausers: Add ability to force password change on first login Mark Hatle
  2021-03-08 18:50   ` [OE-core] " Khem Raj
@ 2021-03-09  2:02   ` Chen Qi
  2021-03-09 18:46     ` Mark Hatle
  2021-03-09  9:15   ` [OE-core] " Quentin Schulz
  2 siblings, 1 reply; 9+ messages in thread
From: Chen Qi @ 2021-03-09  2:02 UTC (permalink / raw)
  To: Mark Hatle, openembedded-core


Hi Mark,

Is it something similar to 'passwd-expire' in this extrausers.bbclass?

Best Regards,
Chen Qi

On 03/09/2021 02:08 AM, Mark Hatle wrote:
> As documented in shadow(5), the third parameter is the last login time.  A
> special value of '0' is defined which causes the password system to force
> a password change on next login.
>
> Adding the variable "EXTRA_FORCE_PASSWORD_CHANGE", a space separated list of
> user names, we can use this to adjust the shadow file's third value for the
> listed users.
>
> Note: This does have the same dependencies as other usages of extrausers,
> specifically base-passwd and shadow.
>
> Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
> ---
>   meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
>   meta/conf/documentation.conf    |  1 +
>   2 files changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass
> index 90811bfe2a..e9d9358bef 100644
> --- a/meta/classes/extrausers.bbclass
> +++ b/meta/classes/extrausers.bbclass
> @@ -14,10 +14,10 @@
>   
>   inherit useradd_base
>   
> -PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
> +PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS')) or bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>   
>   # Image level user / group settings
> -ROOTFS_POSTPROCESS_COMMAND_append = " set_user_group;"
> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' set_user_group;'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>   
>   # Image level user / group settings
>   set_user_group () {
> @@ -66,6 +66,31 @@ set_user_group () {
>   	done
>   }
>   
> +# Image level force a specific user/users to reset their password on first login
> +# Note: this requires shadow passwords and login programs that respect the shadow
> +# expiration field.
> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' force_password_change;'][bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
> +
> +# Works by setting 'date of last password change' to 0, which has a special
> +# meaning of 'user should change her password the next time she will log in the
> +# system' See: shadow (5)
> +force_password_change () {
> +	if [ ! -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> +		bberror "/etc/shadow does not exist in the image, unable to set password change on login."
> +		return
> +	fi
> +	passwd_change_users="${EXTRA_FORCE_PASSWORD_CHANGE}"
> +	export PSEUDO="${FAKEROOTENV} ${STAGING_DIR_NATIVE}${bindir}/pseudo"
> +	for name in $passwd_change_users; do
> +		if ! grep -q '^'$name':' ${IMAGE_ROOTFS}/etc/shadow ; then
> +			bberror "Unable to find user $name in /etc/shadow, unable to set password change on login."
> +		fi
> +		bbnote "Set user $name to need a password change on first login."
> +		cmd="sed -i ${IMAGE_ROOTFS}/etc/shadow -e 's,^'$name':\\([^:]*\\):[^:]*:,'$name':\\1:0:,'"
> +		eval flock -x ${IMAGE_ROOTFS}${sysconfdir} -c \"$PSEUDO $cmd\" || true
> +	done
> +}
> +
>   USERADDEXTENSION ?= ""
>   
>   inherit ${USERADDEXTENSION}
> diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
> index c5a38b0764..d1c5b8b1a3 100644
> --- a/meta/conf/documentation.conf
> +++ b/meta/conf/documentation.conf
> @@ -169,6 +169,7 @@ EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable spec
>   EXTRA_QMAKEVARS_POST[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be after the .pro file list on the command line."
>   EXTRA_QMAKEVARS_PRE[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be before the .pro file list on the command line."
>   EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
> +EXTRA_FORCE_PASSWORD_CHANGE[doc] = "When a recipe inherits the extrausers class, this variable causes the specified users to require a password change on first login."
>   
>   #F
>   




* Re: [OE-core] [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-08 18:08 ` [PATCH 1/1] extrausers: Add ability to force password change on first login Mark Hatle
  2021-03-08 18:50   ` [OE-core] " Khem Raj
  2021-03-09  2:02   ` Chen Qi
@ 2021-03-09  9:15   ` Quentin Schulz
  2 siblings, 0 replies; 9+ messages in thread
From: Quentin Schulz @ 2021-03-09  9:15 UTC (permalink / raw)
  To: Mark Hatle; +Cc: openembedded-core

Hi Mark,

On Mon, Mar 08, 2021 at 12:08:36PM -0600, Mark Hatle wrote:
> From: Mark Hatle <mark.hatle@xilinx.com>
> 
> As documented in shadow(5), the third parameter is the last login time.  A
> special value of '0' is defined which causes the password system to force
> a password change on next login.
> 
> Adding the variable "EXTRA_FORCE_PASSWORD_CHANGE", a space separated list of
> user names, we can use this to adjust the shadow file's third value for the
> listed users.
> 
> Note: This does have the same dependencies as other usages of extrausers,
> specifically base-passwd and shadow.
> 
> Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
> ---
>  meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
>  meta/conf/documentation.conf    |  1 +
>  2 files changed, 28 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass
> index 90811bfe2a..e9d9358bef 100644
> --- a/meta/classes/extrausers.bbclass
> +++ b/meta/classes/extrausers.bbclass
> @@ -14,10 +14,10 @@
>  
>  inherit useradd_base
>  
> -PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
> +PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS')) or bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>  
>  # Image level user / group settings
> -ROOTFS_POSTPROCESS_COMMAND_append = " set_user_group;"
> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' set_user_group;'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>  

Am I the only one having a hard time reading this for what seems to be a
simple if condition?

Would the following work/make more sense?

${@'set_user_group;' if d.getVar('EXTRA_USERS_PARAMS') else ''}?

Not saying there is a need to change, since I can see you merely
modified the original implementation, just wondering about the story
behind this choice.

[...]

> diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
> index c5a38b0764..d1c5b8b1a3 100644
> --- a/meta/conf/documentation.conf
> +++ b/meta/conf/documentation.conf
> @@ -169,6 +169,7 @@ EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable spec
>  EXTRA_QMAKEVARS_POST[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be after the .pro file list on the command line."
>  EXTRA_QMAKEVARS_PRE[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be before the .pro file list on the command line."
>  EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
> +EXTRA_FORCE_PASSWORD_CHANGE[doc] = "When a recipe inherits the extrausers class, this variable causes the specified users to require a password change on first login."
>  

The actual reason for this mail below :)

Could you send a patch to yocto-docs to add this new variable to
ref-manual/variables and ref-classes/extrausers when this gets merged
please?

Thanks!
Quentin


* Re: [OE-core] [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-09  2:02   ` Chen Qi
@ 2021-03-09 18:46     ` Mark Hatle
  2022-05-24 20:37       ` Livius
  0 siblings, 1 reply; 9+ messages in thread
From: Mark Hatle @ 2021-03-09 18:46 UTC (permalink / raw)
  To: Chen Qi, openembedded-core; +Cc: Quentin Schulz

On 3/8/21 8:02 PM, Chen Qi wrote:
> Hi Mark,
> 
> Is it something similar to 'passwd-expire' in this extrausers.bbclass?

I wasn't aware of that even existing.  Yes it looks like it does the same thing.

I can withdraw my change then, but we may want to consider adding something
to the documentation about security practices.  For accounts that are created by
the build system, it's best practice to either not make them able to be logged
in with (login locked out '-P *' on the adduser) or force the password to be
reset on next login (using passwd-expire).

--Mark

> Best Regards,
> Chen Qi
> 
> On 03/09/2021 02:08 AM, Mark Hatle wrote:
>> As documented in shadow(5), the third parameter is the last login time.  A
>> special value of '0' is defined which causes the password system to force
>> a password change on next login.
>>
>> Adding the variable "EXTRA_FORCE_PASSWORD_CHANGE", a space separated list of
>> user names, we can use this to adjust the shadow file's third value for the
>> listed users.
>>
>> Note: This does have the same dependencies as other usages of extrausers,
>> specifically base-passwd and shadow.
>>
>> Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
>> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
>> ---
>>  meta/classes/extrausers.bbclass | 29 +++++++++++++++++++++++++++--
>>  meta/conf/documentation.conf    |  1 +
>>  2 files changed, 28 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass
>> index 90811bfe2a..e9d9358bef 100644
>> --- a/meta/classes/extrausers.bbclass
>> +++ b/meta/classes/extrausers.bbclass
>> @@ -14,10 +14,10 @@
>>  
>>  inherit useradd_base
>>  
>> -PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>> +PACKAGE_INSTALL_append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS')) or bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>>  
>>  # Image level user / group settings
>> -ROOTFS_POSTPROCESS_COMMAND_append = " set_user_group;"
>> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', ' set_user_group;'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}"
>>  
>>  # Image level user / group settings
>>  set_user_group () {
>> @@ -66,6 +66,31 @@ set_user_group () {
>>  	done
>>  }
>>  
>> +# Image level force a specific user/users to reset their password on first login
>> +# Note: this requires shadow passwords and login programs that respect the shadow
>> +# expiration field.
>> +ROOTFS_POSTPROCESS_COMMAND_append = "${@['', '
>> force_password_change;'][bool(d.getVar('EXTRA_FORCE_PASSWORD_CHANGE'))]}"
>> +
>> +# Works by setting 'date of last password change' to 0, which has a special
>> +# meaning of 'user should change her password the next time she will log in the
>> +# system' See: shadow (5)
>> +force_password_change () {
>> +	if [ ! -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>> +		bberror "/etc/shadow does not exist in the image, unable to set password change on login."
>> +		return
>> +	fi
>> +	passwd_change_users="${EXTRA_FORCE_PASSWORD_CHANGE}"
>> +	export PSEUDO="${FAKEROOTENV} ${STAGING_DIR_NATIVE}${bindir}/pseudo"
>> +	for name in $passwd_change_users; do
>> +		if ! grep -q '^'$name':' ${IMAGE_ROOTFS}/etc/shadow ; then
>> +			bberror "Unable to find user $name in /etc/shadow, unable to set password change on login."
>> +		fi
>> +		bbnote "Set user $name to need a password change on first login."
>> +		cmd="sed -i ${IMAGE_ROOTFS}/etc/shadow -e 's,^'$name':\\([^:]*\\):[^:]*:,'$name':\\1:0:,'"
>> +		eval flock -x ${IMAGE_ROOTFS}${sysconfdir} -c \"$PSEUDO $cmd\" || true
>> +	done
>> +}
>> +
>>  USERADDEXTENSION ?= ""
>>  
>>  inherit ${USERADDEXTENSION}
>> diff --git a/meta/conf/documentation.conf b/meta/conf/documentation.conf
>> index c5a38b0764..d1c5b8b1a3 100644
>> --- a/meta/conf/documentation.conf
>> +++ b/meta/conf/documentation.conf
>> @@ -169,6 +169,7 @@ EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable spec
>>  EXTRA_QMAKEVARS_POST[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be after the .pro file list on the command line."
>>  EXTRA_QMAKEVARS_PRE[doc] = "Configuration variables or options you want to pass to qmake when the arguments need to be before the .pro file list on the command line."
>>  EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
>> +EXTRA_FORCE_PASSWORD_CHANGE[doc] = "When a recipe inherits the extrausers class, this variable causes the specified users to require a password change on first login."
>>  
>>  #F
>>  


* Re: [PATCH 1/1] extrausers: Add ability to force password change on first login
  2021-03-09 18:46     ` Mark Hatle
@ 2022-05-24 20:37       ` Livius
  2022-06-03 21:42         ` Livius
  0 siblings, 1 reply; 9+ messages in thread
From: Livius @ 2022-05-24 20:37 UTC (permalink / raw)
  To: openembedded-core


Hi!

I am using the honister release in Xilinx Yocto (meta-petalinux); my experience is that my root user's password is expired by default and I need to change it on first login. My final root password is pre-configured by usermod -p <hash_pass> and I am not using the new passwd-expire command.

Can I disable somehow that default "force password change on first login"? I would like to use my final settings from my EXTRA_USERS_PARAMS.



* Re: [PATCH 1/1] extrausers: Add ability to force password change on first login
  2022-05-24 20:37       ` Livius
@ 2022-06-03 21:42         ` Livius
  0 siblings, 0 replies; 9+ messages in thread
From: Livius @ 2022-06-03 21:42 UTC (permalink / raw)
  To: openembedded-core


Finally, I found the problem and I could solve it. SHA-256 is too weak to make a password hash; this is why on first login we always need to change the password.

Please fix it in the Yocto manual ( https://docs.yoctoproject.org/singleindex.html#term-EXTRA_USERS_PARAMS ). When I set it to generate a sha512crypt hash it works fine; there is no change request on first login.


