* [meta-arago][master/kirkstone][PATCH 1/2] initscript-telnetd: Remove this package
@ 2023-10-16 21:18 Andrew Davis
  2023-10-16 21:18 ` [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet Andrew Davis
  2023-10-24 20:03 ` [meta-arago][master/kirkstone][PATCH 1/2] initscript-telnetd: Remove this package Ryan Eatmon
  0 siblings, 2 replies; 6+ messages in thread
From: Andrew Davis @ 2023-10-16 21:18 UTC (permalink / raw)
  To: Denys Dmytriyenko, Ryan Eatmon, meta-arago; +Cc: Andrew Davis

Signed-off-by: Andrew Davis <afd@ti.com>
---
 .../initscript-telnetd/initscript-telnetd.bb  | 18 ---------
 .../initscript-telnetd/telnetd                | 40 -------------------
 .../packagegroups/packagegroup-arago-base.bb  |  1 -
 3 files changed, 59 deletions(-)
 delete mode 100644 meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb
 delete mode 100644 meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd

diff --git a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb b/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb
deleted file mode 100644
index e492119b..00000000
--- a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-DESCRIPTION = "Initscripts for telnetd"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://telnetd;beginline=2;endline=18;md5=d134d0d385c53f9201a270fef8448f29"
-PR ="r1"
-
-SRC_URI = "file://telnetd"
-
-S = "${WORKDIR}"
-
-INITSCRIPT_NAME = "telnetd"
-INITSCRIPT_PARAMS = "defaults 10"
-
-inherit update-rc.d
-
-do_install () {
-	install -d ${D}${sysconfdir}/init.d/
-	install -c -m 755 ${S}/telnetd ${D}${sysconfdir}/init.d/telnetd
-}
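Review bot: the commit message is empty apart from the Signed-off-by, so nothing records why this recipe goes away or what is expected to start telnetd afterwards. The recipe is the piece that registers the script with sysvinit (`inherit update-rc.d`, `INITSCRIPT_PARAMS = "defaults 10"`); please state in the message whether telnet is being dropped entirely or only its sysvinit start-up, so the effect on sysvinit images is written down rather than discovered later.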
diff --git a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd b/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd
deleted file mode 100644
index a99f23ef..00000000
--- a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /bin/sh
-#Permission is hereby granted, free of charge, to any person obtaining a copy
-#of this software and associated documentation files (the "Software"), to deal
-#in the Software without restriction, including without limitation the rights
-#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-#copies of the Software, and to permit persons to whom the Software is
-#furnished to do so, subject to the following conditions:
-#
-#The above copyright notice and this permission notice shall be included in
-#all copies or substantial portions of the Software.
-#
-#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-#THE SOFTWARE.
-
-telnetd=/usr/sbin/telnetd
-
-test -x "$telnetd" || exit 0
-
-case "$1" in
-  start)
-    echo -n "Starting telnet daemon"
-    start-stop-daemon --start --quiet --exec $telnetd
-    echo "."
-    ;;
-  stop)
-    echo -n "Stopping telnet daemon"
-    start-stop-daemon --stop --quiet --exec $telnetd
-    echo "."
-    ;;
-  *)
-    echo "Usage: /etc/init.d/telnetd {start|stop}"
-    exit 1
-esac
-
-exit 0
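Review bot: deleting this script does not remove the daemon itself. The script only wraps a binary that something else installs (`telnetd=/usr/sbin/telnetd`, guarded by `test -x "$telnetd" || exit 0`), and that provider is not touched anywhere in this patch. If the goal is to take telnet out of the image, the package that ships /usr/sbin/telnetd needs the same treatment; otherwise the binary stays on the target and can still be started by hand or by another service manager.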
diff --git a/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb b/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb
index 1f63a7d0..5e528846 100644
--- a/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb
+++ b/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb
@@ -16,7 +16,6 @@ ARAGO_BASE = "\
     mtd-utils \
     mtd-utils-ubifs \
     curl \
-    initscript-telnetd \
     ethtool \
     thermal-init \
     bash \
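Review bot: this is the only reference to `initscript-telnetd` that the patch removes, and the diffstat lists no other file. Because the recipe is deleted in the same commit, any other packagegroup, image recipe or RDEPENDS that still names it will fail to resolve; a grep across the layer, and a line in the commit message saying none remain, would settle that before merging.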
-- 
2.39.2



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet
  2023-10-16 21:18 [meta-arago][master/kirkstone][PATCH 1/2] initscript-telnetd: Remove this package Andrew Davis
@ 2023-10-16 21:18 ` Andrew Davis
  2023-10-17  9:22   ` [EXTERNAL] " Chirag Shilwant
  2023-10-24 20:03 ` [meta-arago][master/kirkstone][PATCH 1/2] initscript-telnetd: Remove this package Ryan Eatmon
  1 sibling, 1 reply; 6+ messages in thread
From: Andrew Davis @ 2023-10-16 21:18 UTC (permalink / raw)
  To: Denys Dmytriyenko, Ryan Eatmon, meta-arago; +Cc: Andrew Davis

I'm sure I don't have to explain why this was a bad idea..

Signed-off-by: Andrew Davis <afd@ti.com>
---
 .../shadow/shadow-securetty_%.bbappend            | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend

diff --git a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend b/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
deleted file mode 100644
index 62999d2a..00000000
--- a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
+++ /dev/null
@@ -1,15 +0,0 @@
-PR:append = ".arago0"
-
-do_install:append () {
-    # Allow telnet sessions to login as root
-    securetty_file=${D}${sysconfdir}/securetty
-
-    echo '' >> $securetty_file
-    echo '# Allow 5 telnet login' >> $securetty_file
-    echo 'pts/0' >> $securetty_file
-    echo 'pts/1' >> $securetty_file
-    echo 'pts/2' >> $securetty_file
-    echo 'pts/3' >> $securetty_file
-    echo 'pts/4' >> $securetty_file
-
-}
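Review bot: the commit message should state the reason instead of leaving it implied, because the comment in the hunk understates what the lines do. `pts/0` through `pts/4` in /etc/securetty permit root on the first five pseudo-terminals for any login path that consults securetty, not only for telnet as `# Allow 5 telnet login` suggests. Deleting the bbappend also drops `PR:append = ".arago0"`, so the package revision of shadow-securetty changes; please confirm that targets upgrading from a package feed still pick up the new securetty file.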
-- 
2.39.2



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [EXTERNAL] [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet
  2023-10-16 21:18 ` [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet Andrew Davis
@ 2023-10-17  9:22   ` Chirag Shilwant
  2023-10-17 17:28     ` Denys Dmytriyenko
  0 siblings, 1 reply; 6+ messages in thread
From: Chirag Shilwant @ 2023-10-17  9:22 UTC (permalink / raw)
  To: meta-arago
  Cc: Denys Dmytriyenko, Ryan Eatmon, Andrew Davis, Gyan Gupta, Khasim


On 17/10/23 02:48, Andrew Davis via lists.yoctoproject.org wrote:
> I'm sure I don't have to explain why this was a bad idea..

Still, it will be good to have a commit message explaining it :)

>
> Signed-off-by: Andrew Davis <afd@ti.com>
> ---
>   .../shadow/shadow-securetty_%.bbappend            | 15 ---------------
>   1 file changed, 15 deletions(-)
>   delete mode 100644 meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
>
> diff --git a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend b/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
> deleted file mode 100644
> index 62999d2a..00000000
> --- a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
> +++ /dev/null
> @@ -1,15 +0,0 @@
> -PR:append = ".arago0"
> -
> -do_install:append () {
> -    # Allow telnet sessions to login as root
> -    securetty_file=${D}${sysconfdir}/securetty
> -
> -    echo '' >> $securetty_file
> -    echo '# Allow 5 telnet login' >> $securetty_file
> -    echo 'pts/0' >> $securetty_file
> -    echo 'pts/1' >> $securetty_file
> -    echo 'pts/2' >> $securetty_file
> -    echo 'pts/3' >> $securetty_file
> -    echo 'pts/4' >> $securetty_file
> -
> -}


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [EXTERNAL] [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet
  2023-10-17  9:22   ` [EXTERNAL] " Chirag Shilwant
@ 2023-10-17 17:28     ` Denys Dmytriyenko
  2023-10-19 22:02       ` Ryan Eatmon
  0 siblings, 1 reply; 6+ messages in thread
From: Denys Dmytriyenko @ 2023-10-17 17:28 UTC (permalink / raw)
  To: Chirag Shilwant; +Cc: meta-arago, Ryan Eatmon, Andrew Davis, Gyan Gupta, Khasim

On Tue, Oct 17, 2023 at 02:52:43PM +0530, Chirag Shilwant wrote:
> 
> On 17/10/23 02:48, Andrew Davis via lists.yoctoproject.org wrote:
> >I'm sure I don't have to explain why this was a bad idea..
> 
> Still, it will be good to have a commit message explaining it :)

It is a very obvious major security weakness and is definitely a very bad 
idea for an end product!

But, there was never a clear definition of what meta-arago is - is it an 
end product distribution or simply a test environment for the BSP/SDK.

This was added over 10 years ago as part of AM-SDK for ease of testing. 
Even though the commit does not explain it [1], we had a discussion and 
the security implications of sending telnet passwords in clear text were 
questioned.

The counter-argument here is that we build "debug" images w/o root password 
anyway by default, so allowing password-less root logins over telnet is 
rather a moot point, as we already allow the same for ssh.

Maybe instead of completely removing this, it should be conditional and
only enabled when "debug-tweaks" is enabled in EXTRA_IMAGE_FEATURES, 
similar to allowing ssh root logins w/o a password.

[1] https://git.yoctoproject.org/meta-arago/commit/?id=98b6209a3010e32da963a0f6f53fceebbc37f8f9


> >Signed-off-by: Andrew Davis <afd@ti.com>
> >---
> >  .../shadow/shadow-securetty_%.bbappend            | 15 ---------------
> >  1 file changed, 15 deletions(-)
> >  delete mode 100644 meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
> >
> >diff --git a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend b/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
> >deleted file mode 100644
> >index 62999d2a..00000000
> >--- a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
> >+++ /dev/null
> >@@ -1,15 +0,0 @@
> >-PR:append = ".arago0"
> >-
> >-do_install:append () {
> >-    # Allow telnet sessions to login as root
> >-    securetty_file=${D}${sysconfdir}/securetty
> >-
> >-    echo '' >> $securetty_file
> >-    echo '# Allow 5 telnet login' >> $securetty_file
> >-    echo 'pts/0' >> $securetty_file
> >-    echo 'pts/1' >> $securetty_file
> >-    echo 'pts/2' >> $securetty_file
> >-    echo 'pts/3' >> $securetty_file
> >-    echo 'pts/4' >> $securetty_file
> >-
> >-}


^ permalink raw reply	[flat|nested] 6+ messages in thread
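
A check an image build could run over an unpacked root filesystem to flag the conditions this thread is arguing about. This is an added example, not part of any message in the thread; the paths are the ones in the two patches, while the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths come from the two patches;
# function names and the sample tree are constructed for illustration.

# audit_telnet_root ROOTFS: print one finding per line, return 1 if any.
audit_telnet_root() {
    rootfs=$1
    found=0

    # pts/N in securetty permits root login on that pseudo-terminal,
    # which is the kind of terminal a telnet session is given.
    if [ -f "$rootfs/etc/securetty" ]; then
        pts=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$rootfs/etc/securetty" |
              grep -E '^pts/[0-9]+$' | tr '\n' ' ')
        if [ -n "$pts" ]; then
            echo "securetty: root allowed on ${pts% }"
            found=1
        fi
    fi

    # The daemon binary that the removed init script guarded with `test -x`.
    if [ -x "$rootfs/usr/sbin/telnetd" ]; then
        echo "binary: usr/sbin/telnetd is installed"
        found=1
    fi

    # sysvinit start script and the S* links update-rc.d creates for it.
    if [ -x "$rootfs/etc/init.d/telnetd" ]; then
        echo "sysvinit: etc/init.d/telnetd is installed"
        found=1
    fi
    for link in "$rootfs"/etc/rc?.d/S??telnetd; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "sysvinit: start link ${link#"$rootfs"/}"
        found=1
    done

    return "$found"
}

# Constructed sample: a rootfs as the pre-patch layer would produce it.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/init.d" "$dir/etc/rc5.d" "$dir/usr/sbin"
    printf 'console\ntty1\n\n# Allow 5 telnet login\npts/0\npts/1\npts/2\npts/3\npts/4\n' \
        > "$dir/etc/securetty"
    printf '#!/bin/sh\nexit 0\n' > "$dir/usr/sbin/telnetd"
    printf '#!/bin/sh\nexit 0\n' > "$dir/etc/init.d/telnetd"
    chmod 755 "$dir/usr/sbin/telnetd" "$dir/etc/init.d/telnetd"
    ln -s ../init.d/telnetd "$dir/etc/rc5.d/S10telnetd"
    echo "$dir"
}

sample=$(make_sample_rootfs)
audit_telnet_root "$sample" || echo "=> image exposes telnet root login"
rm -rf "$sample"
```

Run against the rootfs of each image variant; a non-zero return with the securetty finding is the combination the second patch is meant to remove.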

* Re: [EXTERNAL] [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet
  2023-10-17 17:28     ` Denys Dmytriyenko
@ 2023-10-19 22:02       ` Ryan Eatmon
  0 siblings, 0 replies; 6+ messages in thread
From: Ryan Eatmon @ 2023-10-19 22:02 UTC (permalink / raw)
  To: Denys Dmytriyenko, Chirag Shilwant
  Cc: meta-arago, Andrew Davis, Gyan Gupta, Khasim



On 10/17/2023 12:28 PM, Denys Dmytriyenko wrote:
> On Tue, Oct 17, 2023 at 02:52:43PM +0530, Chirag Shilwant wrote:
>>
>> On 17/10/23 02:48, Andrew Davis via lists.yoctoproject.org wrote:
>>> I'm sure I don't have to explain why this was a bad idea..
>>
>> Still, it will be good to have a commit message explaining it :)
> 
> It is a very obvious major security weakness and is definitely a very bad
> idea for an end product!
> 
> But, there was never a clear definition of what meta-arago is - is it an
> end product distribution or simply a test environment for the BSP/SDK.
> 
> This was added over 10 years ago as part of AM-SDK for ease of testing.
> Even though the commit does not explain it [1], we had a discussion and
> the security implications of sending telnet passwords in clear text were
> questioned.
> 
> The counter-argument here is that we build "debug" images w/o root password
> anyway by default, so allowing password-less root logins over telnet is
> rather a moot point, as we already allow the same for ssh.
> 
> Maybe instead of completely removing this, it should be conditional and
> only enabled when "debug-tweaks" is enabled in EXTRA_IMAGE_FEATURES,
> similar to allowing ssh root logins w/o a password.
> 
> [1] https://git.yoctoproject.org/meta-arago/commit/?id=98b6209a3010e32da963a0f6f53fceebbc37f8f9
> 

Well, we have to keep this for now.  We will work to disable the telnet 
requirement in our testing flow and move to ssh.  At that point we can 
revisit this patch.


>>> Signed-off-by: Andrew Davis <afd@ti.com>
>>> ---
>>>   .../shadow/shadow-securetty_%.bbappend            | 15 ---------------
>>>   1 file changed, 15 deletions(-)
>>>   delete mode 100644 meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
>>>
>>> diff --git a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend b/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
>>> deleted file mode 100644
>>> index 62999d2a..00000000
>>> --- a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
>>> +++ /dev/null
>>> @@ -1,15 +0,0 @@
>>> -PR:append = ".arago0"
>>> -
>>> -do_install:append () {
>>> -    # Allow telnet sessions to login as root
>>> -    securetty_file=${D}${sysconfdir}/securetty
>>> -
>>> -    echo '' >> $securetty_file
>>> -    echo '# Allow 5 telnet login' >> $securetty_file
>>> -    echo 'pts/0' >> $securetty_file
>>> -    echo 'pts/1' >> $securetty_file
>>> -    echo 'pts/2' >> $securetty_file
>>> -    echo 'pts/3' >> $securetty_file
>>> -    echo 'pts/4' >> $securetty_file
>>> -
>>> -}

-- 
Ryan Eatmon                reatmon@ti.com
-----------------------------------------
Texas Instruments, Inc.  -  LCPD  -  MGTS


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [meta-arago][master/kirkstone][PATCH 1/2] initscript-telnetd: Remove this package
  2023-10-16 21:18 [meta-arago][master/kirkstone][PATCH 1/2] initscript-telnetd: Remove this package Andrew Davis
  2023-10-16 21:18 ` [meta-arago][master/kirkstone][PATCH 2/2] shadow-securetty: Do not allow root login over telnet Andrew Davis
@ 2023-10-24 20:03 ` Ryan Eatmon
  1 sibling, 0 replies; 6+ messages in thread
From: Ryan Eatmon @ 2023-10-24 20:03 UTC (permalink / raw)
  To: Andrew Davis, Denys Dmytriyenko, meta-arago


Someone brought up a good point on another patch.  Even though we
configure Arago to be systemd BY DEFAULT, the user can always choose
to switch over to sysvinit.  So we should probably leave this in until we
decide to not support telnet anymore.


On 10/16/2023 4:18 PM, Andrew Davis wrote:
> Signed-off-by: Andrew Davis <afd@ti.com>
> ---
>   .../initscript-telnetd/initscript-telnetd.bb  | 18 ---------
>   .../initscript-telnetd/telnetd                | 40 -------------------
>   .../packagegroups/packagegroup-arago-base.bb  |  1 -
>   3 files changed, 59 deletions(-)
>   delete mode 100644 meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb
>   delete mode 100644 meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd
> 
> diff --git a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb b/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb
> deleted file mode 100644
> index e492119b..00000000
> --- a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd.bb
> +++ /dev/null
> @@ -1,18 +0,0 @@
> -DESCRIPTION = "Initscripts for telnetd"
> -LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://telnetd;beginline=2;endline=18;md5=d134d0d385c53f9201a270fef8448f29"
> -PR ="r1"
> -
> -SRC_URI = "file://telnetd"
> -
> -S = "${WORKDIR}"
> -
> -INITSCRIPT_NAME = "telnetd"
> -INITSCRIPT_PARAMS = "defaults 10"
> -
> -inherit update-rc.d
> -
> -do_install () {
> -	install -d ${D}${sysconfdir}/init.d/
> -	install -c -m 755 ${S}/telnetd ${D}${sysconfdir}/init.d/telnetd
> -}
> diff --git a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd b/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd
> deleted file mode 100644
> index a99f23ef..00000000
> --- a/meta-arago-distro/recipes-connectivity/initscript-telnetd/initscript-telnetd/telnetd
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -#! /bin/sh
> -#Permission is hereby granted, free of charge, to any person obtaining a copy
> -#of this software and associated documentation files (the "Software"), to deal
> -#in the Software without restriction, including without limitation the rights
> -#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> -#copies of the Software, and to permit persons to whom the Software is
> -#furnished to do so, subject to the following conditions:
> -#
> -#The above copyright notice and this permission notice shall be included in
> -#all copies or substantial portions of the Software.
> -#
> -#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> -#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> -#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> -#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> -#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> -#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> -#THE SOFTWARE.
> -
> -telnetd=/usr/sbin/telnetd
> -
> -test -x "$telnetd" || exit 0
> -
> -case "$1" in
> -  start)
> -    echo -n "Starting telnet daemon"
> -    start-stop-daemon --start --quiet --exec $telnetd
> -    echo "."
> -    ;;
> -  stop)
> -    echo -n "Stopping telnet daemon"
> -    start-stop-daemon --stop --quiet --exec $telnetd
> -    echo "."
> -    ;;
> -  *)
> -    echo "Usage: /etc/init.d/telnetd {start|stop}"
> -    exit 1
> -esac
> -
> -exit 0
> diff --git a/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb b/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb
> index 1f63a7d0..5e528846 100644
> --- a/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb
> +++ b/meta-arago-distro/recipes-core/packagegroups/packagegroup-arago-base.bb
> @@ -16,7 +16,6 @@ ARAGO_BASE = "\
>       mtd-utils \
>       mtd-utils-ubifs \
>       curl \
> -    initscript-telnetd \
>       ethtool \
>       thermal-init \
>       bash \

-- 
Ryan Eatmon                reatmon@ti.com
-----------------------------------------
Texas Instruments, Inc.  -  LCPD  -  MGTS


^ permalink raw reply	[flat|nested] 6+ messages in thread
