* [PATCH 0/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
@ 2021-03-05 8:49 Robert Yang
2021-03-05 8:49 ` [PATCH 1/1] " Robert Yang
0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-05 8:49 UTC (permalink / raw)
To: openembedded-core
The following changes since commit 6db24928d62aeb093a0e6da6619713eaca57a96f:
recipes-support: Add missing HOMEPAGE and DESCRIPTION for recipes (2021-03-02 20:35:08 +0000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib rbt/root
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=rbt/root
Robert Yang (1):
rootfs-postcommands.bbclass: Print a warning when login with root is
disabled
meta/classes/rootfs-postcommands.bbclass | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--
2.17.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
2021-03-05 8:49 [PATCH 0/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled Robert Yang
@ 2021-03-05 8:49 ` Robert Yang
2021-03-05 10:18 ` [OE-core] " Peter Kjellerstedt
0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-05 8:49 UTC (permalink / raw)
To: openembedded-core
Fixed:
EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
$ bitbake core-image-minimal
Then we can't login to the system with root without any messages. Add a warning
makes it easy to debug.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
meta/classes/rootfs-postcommands.bbclass | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index 1f27a3d07a..e4fe416ac9 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -147,7 +147,11 @@ read_only_rootfs_hook () {
zap_empty_root_password () {
if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
- fi
+ grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
+ if [ $? -eq 0 ]; then
+ bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
+ fi
+ fi
if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
fi
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
2021-03-05 8:49 ` [PATCH 1/1] " Robert Yang
@ 2021-03-05 10:18 ` Peter Kjellerstedt
2021-03-09 8:32 ` Robert Yang
0 siblings, 1 reply; 7+ messages in thread
From: Peter Kjellerstedt @ 2021-03-05 10:18 UTC (permalink / raw)
To: Robert Yang, openembedded-core
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Robert Yang
> Sent: den 5 mars 2021 09:49
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
>
> Fixed:
> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> $ bitbake core-image-minimal
>
> Then we can't login to the system with root without any messages. Add a warning
> makes it easy to debug.
>
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
> meta/classes/rootfs-postcommands.bbclass | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
> index 1f27a3d07a..e4fe416ac9 100644
> --- a/meta/classes/rootfs-postcommands.bbclass
> +++ b/meta/classes/rootfs-postcommands.bbclass
> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
> zap_empty_root_password () {
> if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
> - fi
> + grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
That will match any /etc/shadow file with "root:" in it. Change it to:
grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
And make this optional. We intentionally do not have a root password set in our
products when they are delivered due to the state law (SB-327) that went into
effect on January 1, 2020 in California, which prohibits default passwords to
be used in IoT products.
> + if [ $? -eq 0 ]; then
> + bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
> + fi
> + fi
> if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
> sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
> fi
> --
> 2.17.1
//Peter
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
2021-03-05 10:18 ` [OE-core] " Peter Kjellerstedt
@ 2021-03-09 8:32 ` Robert Yang
2021-03-12 14:13 ` Peter Kjellerstedt
0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-09 8:32 UTC (permalink / raw)
To: Peter Kjellerstedt, openembedded-core
Hi Peter,
On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Robert Yang
>> Sent: den 5 mars 2021 09:49
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
>>
>> Fixed:
>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
>> $ bitbake core-image-minimal
>>
>> Then we can't login to the system with root without any messages. Add a warning
>> makes it easy to debug.
>>
>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>> ---
>> meta/classes/rootfs-postcommands.bbclass | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
>> index 1f27a3d07a..e4fe416ac9 100644
>> --- a/meta/classes/rootfs-postcommands.bbclass
>> +++ b/meta/classes/rootfs-postcommands.bbclass
>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
>> zap_empty_root_password () {
>> if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>> sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
>> - fi
>> + grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
>
> That will match any /etc/shadow file with "root:" in it. Change it to:
>
> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
Thanks, I will update it.
>
> And make this optional. We intentionally do not have a root password set in our
I don't quite understand about "optional", when the command is:
grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
Then empty root password in shadow is:
root::
so empty root password won't be matched?
// Robert
> products when they are delivered due to the state law (SB-327) that went into
> effect on January 1, 2020 in California, which prohibits default passwords to
> be used in IoT products.
>
>> + if [ $? -eq 0 ]; then
>> + bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
>> + fi
>> + fi
>> if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
>> sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
>> fi
>> --
>> 2.17.1
>
> //Peter
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
2021-03-09 8:32 ` Robert Yang
@ 2021-03-12 14:13 ` Peter Kjellerstedt
2021-03-15 2:31 ` Robert Yang
0 siblings, 1 reply; 7+ messages in thread
From: Peter Kjellerstedt @ 2021-03-12 14:13 UTC (permalink / raw)
To: Robert Yang, openembedded-core
> -----Original Message-----
> From: Robert Yang <liezhi.yang@windriver.com>
> Sent: den 9 mars 2021 09:32
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
> core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> warning when login with root is disabled
>
> Hi Peter,
>
> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
> >> -----Original Message-----
> >> From: openembedded-core@lists.openembedded.org <openembedded-
> >> core@lists.openembedded.org> On Behalf Of Robert Yang
> >> Sent: den 5 mars 2021 09:49
> >> To: openembedded-core@lists.openembedded.org
> >> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> warning when login with root is disabled
> >>
> >> Fixed:
> >> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> >> $ bitbake core-image-minimal
> >>
> >> Then we can't login to the system with root without any messages. Add a
> warning
> >> makes it easy to debug.
> >>
> >> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> >> ---
> >> meta/classes/rootfs-postcommands.bbclass | 6 +++++-
> >> 1 file changed, 5 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/meta/classes/rootfs-postcommands.bbclass
> b/meta/classes/rootfs-postcommands.bbclass
> >> index 1f27a3d07a..e4fe416ac9 100644
> >> --- a/meta/classes/rootfs-postcommands.bbclass
> >> +++ b/meta/classes/rootfs-postcommands.bbclass
> >> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
> >> zap_empty_root_password () {
> >> if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> >> sed -i 's%^root::%root:*:%'
> ${IMAGE_ROOTFS}/etc/shadow
> >> - fi
> >> + grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> >
> > That will match any /etc/shadow file with "root:" in it. Change it to:
> >
> > grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
>
> Thanks, I will update it.
>
> >
> > And make this optional. We intentionally do not have a root password set
> in our
>
> I don't quite understand about "optional", when the command is:
>
> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
>
> Then empty root password in shadow is:
> root::
>
> so empty root password won't be matched?
Sorry, I was unclear. We do not have an empty password, we have
"root:*:..." in /etc/shadow, and we obviously do not want this warning.
> // Robert
//Peter
> > products when they are delivered due to the state law (SB-327) that went
> into
> > effect on January 1, 2020 in California, which prohibits default
> passwords to
> > be used in IoT products.
> >
> >> + if [ $? -eq 0 ]; then
> >> + bbwarn "Login with root user is disabled
> since zap_empty_root_password is enabled"
> >> + fi
> >> + fi
> >> if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
> >> sed -i 's%^root::%root:*:%'
> ${IMAGE_ROOTFS}/etc/passwd
> >> fi
> >> --
> >> 2.17.1
> >
> > //Peter
> >
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
2021-03-12 14:13 ` Peter Kjellerstedt
@ 2021-03-15 2:31 ` Robert Yang
2021-03-15 11:14 ` Peter Kjellerstedt
0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-15 2:31 UTC (permalink / raw)
To: Peter Kjellerstedt, openembedded-core
On 3/12/21 10:13 PM, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: Robert Yang <liezhi.yang@windriver.com>
>> Sent: den 9 mars 2021 09:32
>> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
>> core@lists.openembedded.org
>> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
>> warning when login with root is disabled
>>
>> Hi Peter,
>>
>> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
>>>> -----Original Message-----
>>>> From: openembedded-core@lists.openembedded.org <openembedded-
>>>> core@lists.openembedded.org> On Behalf Of Robert Yang
>>>> Sent: den 5 mars 2021 09:49
>>>> To: openembedded-core@lists.openembedded.org
>>>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
>> warning when login with root is disabled
>>>>
>>>> Fixed:
>>>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
>>>> $ bitbake core-image-minimal
>>>>
>>>> Then we can't login to the system with root without any messages. Add a
>> warning
>>>> makes it easy to debug.
>>>>
>>>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>>>> ---
>>>> meta/classes/rootfs-postcommands.bbclass | 6 +++++-
>>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/meta/classes/rootfs-postcommands.bbclass
>> b/meta/classes/rootfs-postcommands.bbclass
>>>> index 1f27a3d07a..e4fe416ac9 100644
>>>> --- a/meta/classes/rootfs-postcommands.bbclass
>>>> +++ b/meta/classes/rootfs-postcommands.bbclass
>>>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
>>>> zap_empty_root_password () {
>>>> if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>>>> sed -i 's%^root::%root:*:%'
>> ${IMAGE_ROOTFS}/etc/shadow
>>>> - fi
>>>> + grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
>>>
>>> That will match any /etc/shadow file with "root:" in it. Change it to:
>>>
>>> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
>>
>> Thanks, I will update it.
>>
>>>
>>> And make this optional. We intentionally do not have a root password set
>> in our
>>
>> I don't quite understand about "optional", when the command is:
>>
>> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
>>
>> Then empty root password in shadow is:
>> root::
>>
>> so empty root password won't be matched?
>
> Sorry, I was unclear. We do not have an empty password, we have
> "root:*:..." in /etc/shadow, and we obviously do not want this warning.
Thanks, makes sense, then let's drop this patch, this patch is for debugging
only, it doesn't matter to drop it.
I wonder how to login when the line is "root:*:..." in /etc/shadow?
// Robert
>
>> // Robert
>
> //Peter
>
>>> products when they are delivered due to the state law (SB-327) that went
>> into
>>> effect on January 1, 2020 in California, which prohibits default
>> passwords to
>>> be used in IoT products.
>>>
>>>> + if [ $? -eq 0 ]; then
>>>> + bbwarn "Login with root user is disabled
>> since zap_empty_root_password is enabled"
>>>> + fi
>>>> + fi
>>>> if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
>>>> sed -i 's%^root::%root:*:%'
>> ${IMAGE_ROOTFS}/etc/passwd
>>>> fi
>>>> --
>>>> 2.17.1
>>>
>>> //Peter
>>>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
2021-03-15 2:31 ` Robert Yang
@ 2021-03-15 11:14 ` Peter Kjellerstedt
0 siblings, 0 replies; 7+ messages in thread
From: Peter Kjellerstedt @ 2021-03-15 11:14 UTC (permalink / raw)
To: Robert Yang, openembedded-core
> -----Original Message-----
> From: Robert Yang <liezhi.yang@windriver.com>
> Sent: den 15 mars 2021 03:32
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
> core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> warning when login with root is disabled
>
> On 3/12/21 10:13 PM, Peter Kjellerstedt wrote:
> >> -----Original Message-----
> >> From: Robert Yang <liezhi.yang@windriver.com>
> >> Sent: den 9 mars 2021 09:32
> >> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
> >> core@lists.openembedded.org
> >> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> >> warning when login with root is disabled
> >>
> >> Hi Peter,
> >>
> >> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
> >>>> -----Original Message-----
> >>>> From: openembedded-core@lists.openembedded.org <openembedded-
> >>>> core@lists.openembedded.org> On Behalf Of Robert Yang
> >>>> Sent: den 5 mars 2021 09:49
> >>>> To: openembedded-core@lists.openembedded.org
> >>>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> >> warning when login with root is disabled
> >>>>
> >>>> Fixed:
> >>>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> >>>> $ bitbake core-image-minimal
> >>>>
> >>>> Then we can't login to the system with root without any messages. Add
> >>>> a warning makes it easy to debug.
> >>>>
> >>>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> >>>> ---
> >>>> meta/classes/rootfs-postcommands.bbclass | 6 +++++-
> >>>> 1 file changed, 5 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/meta/classes/rootfs-postcommands.bbclass
> >> b/meta/classes/rootfs-postcommands.bbclass
> >>>> index 1f27a3d07a..e4fe416ac9 100644
> >>>> --- a/meta/classes/rootfs-postcommands.bbclass
> >>>> +++ b/meta/classes/rootfs-postcommands.bbclass
> >>>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
> >>>> zap_empty_root_password () {
> >>>> if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> >>>> sed -i 's%^root::%root:*:%' >> ${IMAGE_ROOTFS}/etc/shadow
> >>>> - fi
> >>>> + grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> >>>
> >>> That will match any /etc/shadow file with "root:" in it. Change it to:
> >>>
> >>> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> >>
> >> Thanks, I will update it.
> >>
> >>>
> >>> And make this optional. We intentionally do not have a root password
> >>> set in our
> >>
> >> I don't quite understand about "optional", when the command is:
> >>
> >> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> >>
> >> Then empty root password in shadow is:
> >> root::
> >>
> >> so empty root password won't be matched?
> >
> > Sorry, I was unclear. We do not have an empty password, we have
> > "root:*:..." in /etc/shadow, and we obviously do not want this warning.
>
> Thanks, makes sense, then let's drop this patch, this patch is for
> debugging only, it doesn't matter to drop it.
>
> I wonder how to login when the line is "root:*:..." in /etc/shadow?
In our case, you have to set a password the first time you access the product's
web page.
> // Robert
>
> >
> >> // Robert
> >
> > //Peter
> >
> >>> products when they are delivered due to the state law (SB-327) that
> >>> went into effect on January 1, 2020 in California, which prohibits
> >>> default passwords to be used in IoT products.
> >>>
> >>>> + if [ $? -eq 0 ]; then
> >>>> + bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
> >>>> + fi
> >>>> + fi
> >>>> if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
> >>>> sed -i 's%^root::%root:*:%' >> ${IMAGE_ROOTFS}/etc/passwd
> >>>> fi
> >>>> --
> >>>> 2.17.1
> >>>
> >>> //Peter
//Peter
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-03-15 11:14 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-05 8:49 [PATCH 0/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled Robert Yang
2021-03-05 8:49 ` [PATCH 1/1] " Robert Yang
2021-03-05 10:18 ` [OE-core] " Peter Kjellerstedt
2021-03-09 8:32 ` Robert Yang
2021-03-12 14:13 ` Peter Kjellerstedt
2021-03-15 2:31 ` Robert Yang
2021-03-15 11:14 ` Peter Kjellerstedt
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.