Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled

From: "Robert Yang" <liezhi.yang@windriver.com>
To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
Date: Tue, 9 Mar 2021 16:32:00 +0800	[thread overview]
Message-ID: <975479fc-e8f4-dccd-56c9-3d830cc5dc54@windriver.com> (raw)
In-Reply-To: <f23d196c13f24731a5a7e00ff139aa42@XBOX03.axis.com>

Hi Peter,

On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Robert Yang
>> Sent: den 5 mars 2021 09:49
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
>>
>> Fixed:
>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
>> $ bitbake core-image-minimal
>>
>> Then we can't login to the system with root without any messages. Add a warning
>> makes it easy to debug.
>>
>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>> ---
>>   meta/classes/rootfs-postcommands.bbclass | 6 +++++-
>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
>> index 1f27a3d07a..e4fe416ac9 100644
>> --- a/meta/classes/rootfs-postcommands.bbclass
>> +++ b/meta/classes/rootfs-postcommands.bbclass
>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
>>   zap_empty_root_password () {
>>   	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>>   		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
>> -        fi
>> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> 
> That will match any /etc/shadow file with "root:" in it. Change it to:
> 
> 		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow

Thanks, I will update it.

> 
> And make this optional. We intentionally do not have a root password set in our

I don't quite understand about "optional", when the command is:

grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow

Then empty root password in shadow is:
root::

so empty root password won't be matched?

// Robert

> products when they are delivered due to the state law (SB-327) that went into
> effect on January 1, 2020 in California, which prohibits default passwords to
> be used in IoT products.
> 
>> +		if [ $? -eq 0 ]; then
>> +			bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
>> +		fi
>> +	fi
>>   	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
>>   		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
>>   	fi
>> --
>> 2.17.1
> 
> //Peter
> 