* [PATCH 0/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
@ 2021-03-05  8:49 Robert Yang
  2021-03-05  8:49 ` [PATCH 1/1] " Robert Yang
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-05  8:49 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit 6db24928d62aeb093a0e6da6619713eaca57a96f:

  recipes-support: Add missing HOMEPAGE and DESCRIPTION for recipes (2021-03-02 20:35:08 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib rbt/root
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=rbt/root

Robert Yang (1):
  rootfs-postcommands.bbclass: Print a warning when login with root is
    disabled

 meta/classes/rootfs-postcommands.bbclass | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

-- 
2.17.1



* [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
  2021-03-05  8:49 [PATCH 0/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled Robert Yang
@ 2021-03-05  8:49 ` Robert Yang
  2021-03-05 10:18   ` [OE-core] " Peter Kjellerstedt
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-05  8:49 UTC (permalink / raw)
  To: openembedded-core

Fixed:
EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
$ bitbake core-image-minimal

Then we can't log in to the system as root, and there are no messages. Adding a
warning makes it easy to debug.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 meta/classes/rootfs-postcommands.bbclass | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index 1f27a3d07a..e4fe416ac9 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -147,7 +147,11 @@ read_only_rootfs_hook () {
 zap_empty_root_password () {
 	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
 		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
-        fi
+		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
+		if [ $? -eq 0 ]; then
+			bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
+		fi
+	fi
 	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
 		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
 	fi
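Review bot: in the added `grep -q '^root:*:'` line the asterisk is unescaped, so `:*` is read as "zero or more colons" and the pattern matches every shadow line that begins with `root:`, including one that carries a password hash. The warning would then be printed for images where root login still works. Escape it as `grep -q '^root:\*:'` so that only a literal `*` in the password field matches. The `grep` followed by `if [ $? -eq 0 ]` can also be folded into a single `if grep -q ...; then`.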
-- 
2.17.1



* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
  2021-03-05  8:49 ` [PATCH 1/1] " Robert Yang
@ 2021-03-05 10:18   ` Peter Kjellerstedt
  2021-03-09  8:32     ` Robert Yang
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Kjellerstedt @ 2021-03-05 10:18 UTC (permalink / raw)
  To: Robert Yang, openembedded-core

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Robert Yang
> Sent: den 5 mars 2021 09:49
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
> 
> Fixed:
> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> $ bitbake core-image-minimal
> 
> Then we can't login to the system with root without any messages. Add a warning
> makes it easy to debug.
> 
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
>  meta/classes/rootfs-postcommands.bbclass | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
> index 1f27a3d07a..e4fe416ac9 100644
> --- a/meta/classes/rootfs-postcommands.bbclass
> +++ b/meta/classes/rootfs-postcommands.bbclass
> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
>  zap_empty_root_password () {
>  	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>  		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
> -        fi
> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow

That will match any /etc/shadow file with "root:" in it. Change it to:

		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow

And make this optional. We intentionally do not have a root password set in our 
products when they are delivered due to the state law (SB-327) that went into 
effect on January 1, 2020 in California, which prohibits default passwords to 
be used in IoT products.

> +		if [ $? -eq 0 ]; then
> +			bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
> +		fi
> +	fi
>  	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
>  		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
>  	fi
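Review bot: the `if [ $? -eq 0 ]` test around `bbwarn` inspects the file after the `sed` has already run, so it cannot tell an entry this function just rewrote from `root::` apart from one that was already `root:*:` in the image. Both produce the warning, whose text attributes the disabled login to zap_empty_root_password. Test for `^root::` before the `sed` and warn only when that matched. The /etc/passwd branch below applies the same substitution with no corresponding check.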
> --
> 2.17.1

//Peter
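
The two patterns compared in the review above, run against constructed shadow files, as an added example that is not part of the thread or of OpenEmbedded's code. The helper names (`make_samples`, `root_pw_state`, `matches_unescaped`, `matches_escaped`, `zap_reports_change`) and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample shadow files (not taken from any real system).
make_samples() {
    dir=$1
    printf 'root::18690:0:99999:7:::\ndaemon:*:18690:0:99999:7:::\n' > "$dir/empty"
    printf 'root:*:18690:0:99999:7:::\ndaemon:*:18690:0:99999:7:::\n' > "$dir/locked"
    printf 'root:$6$salt$constructedhash:18690:0:99999:7:::\n' > "$dir/hashed"
}

# Classify root's password field: empty, locked, set, or missing.
# A field of "*" or one starting with "!" can never match a typed password.
root_pw_state() {
    awk -F: '$1 == "root" { found = 1
                 if ($2 == "") print "empty"
                 else if ($2 == "*" || $2 ~ /^!/) print "locked"
                 else print "set"
                 exit }
             END { if (!found) print "missing" }' "$1"
}

# Pattern from the patch as posted: ":*" means "zero or more colons".
matches_unescaped() { grep -q '^root:*:' "$1"; }

# Pattern suggested in the review: a literal "*" in the password field.
matches_escaped() { grep -q '^root:\*:' "$1"; }

# Apply the same substitution as zap_empty_root_password, but report whether
# this step changed anything: returns 0 if root:: was rewritten, 1 otherwise.
# A caller could warn only on 0 and stay silent for images that already
# ship root:*: on purpose.
zap_reports_change() {
    if grep -q '^root::' "$1"; then
        sed 's%^root::%root:*:%' "$1" > "$1.new" && mv "$1.new" "$1"
        return 0
    fi
    return 1
}

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in empty locked hashed; do
        u=no; e=no
        matches_unescaped "$d/$f" && u=yes
        matches_escaped "$d/$f" && e=yes
        echo "$f: state=$(root_pw_state "$d/$f") unescaped=$u escaped=$e"
    done
    rm -rf "$d"
}
demo
```

The unescaped pattern reports a match for all three files, while the escaped one matches only the file whose root entry is already `root:*:`.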



* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
  2021-03-05 10:18   ` [OE-core] " Peter Kjellerstedt
@ 2021-03-09  8:32     ` Robert Yang
  2021-03-12 14:13       ` Peter Kjellerstedt
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-09  8:32 UTC (permalink / raw)
  To: Peter Kjellerstedt, openembedded-core

Hi Peter,

On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Robert Yang
>> Sent: den 5 mars 2021 09:49
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
>>
>> Fixed:
>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
>> $ bitbake core-image-minimal
>>
>> Then we can't login to the system with root without any messages. Add a warning
>> makes it easy to debug.
>>
>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>> ---
>>   meta/classes/rootfs-postcommands.bbclass | 6 +++++-
>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
>> index 1f27a3d07a..e4fe416ac9 100644
>> --- a/meta/classes/rootfs-postcommands.bbclass
>> +++ b/meta/classes/rootfs-postcommands.bbclass
>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
>>   zap_empty_root_password () {
>>   	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>>   		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
>> -        fi
>> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> 
> That will match any /etc/shadow file with "root:" in it. Change it to:
> 
> 		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow

Thanks, I will update it.

> 
> And make this optional. We intentionally do not have a root password set in our

I don't quite understand about "optional", when the command is:

grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow

Then empty root password in shadow is:
root::

so empty root password won't be matched?

// Robert

> products when they are delivered due to the state law (SB-327) that went into
> effect on January 1, 2020 in California, which prohibits default passwords to
> be used in IoT products.
> 
>> +		if [ $? -eq 0 ]; then
>> +			bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
>> +		fi
>> +	fi
>>   	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
>>   		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
>>   	fi
>> --
>> 2.17.1
> 
> //Peter
> 


* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
  2021-03-09  8:32     ` Robert Yang
@ 2021-03-12 14:13       ` Peter Kjellerstedt
  2021-03-15  2:31         ` Robert Yang
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Kjellerstedt @ 2021-03-12 14:13 UTC (permalink / raw)
  To: Robert Yang, openembedded-core

> -----Original Message-----
> From: Robert Yang <liezhi.yang@windriver.com>
> Sent: den 9 mars 2021 09:32
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
> core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> warning when login with root is disabled
> 
> Hi Peter,
> 
> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
> >> -----Original Message-----
> >> From: openembedded-core@lists.openembedded.org <openembedded-
> >> core@lists.openembedded.org> On Behalf Of Robert Yang
> >> Sent: den 5 mars 2021 09:49
> >> To: openembedded-core@lists.openembedded.org
> >> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> warning when login with root is disabled
> >>
> >> Fixed:
> >> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> >> $ bitbake core-image-minimal
> >>
> >> Then we can't login to the system with root without any messages. Add a
> warning
> >> makes it easy to debug.
> >>
> >> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> >> ---
> >>   meta/classes/rootfs-postcommands.bbclass | 6 +++++-
> >>   1 file changed, 5 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/meta/classes/rootfs-postcommands.bbclass
> b/meta/classes/rootfs-postcommands.bbclass
> >> index 1f27a3d07a..e4fe416ac9 100644
> >> --- a/meta/classes/rootfs-postcommands.bbclass
> >> +++ b/meta/classes/rootfs-postcommands.bbclass
> >> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
> >>   zap_empty_root_password () {
> >>   	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> >>   		sed -i 's%^root::%root:*:%'
> ${IMAGE_ROOTFS}/etc/shadow
> >> -        fi
> >> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> >
> > That will match any /etc/shadow file with "root:" in it. Change it to:
> >
> > 		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> 
> Thanks, I will update it.
> 
> >
> > And make this optional. We intentionally do not have a root password set
> in our
> 
> I don't quite understand about "optional", when the command is:
> 
> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> 
> Then empty root password in shadow is:
> root::
> 
> so empty root password won't be matched?

Sorry, I was unclear. We do not have an empty password, we have 
"root:*:..." in /etc/shadow, and we obviously do not want this warning.

> // Robert

//Peter

> > products when they are delivered due to the state law (SB-327) that went
> into
> > effect on January 1, 2020 in California, which prohibits default
> passwords to
> > be used in IoT products.
> >
> >> +		if [ $? -eq 0 ]; then
> >> +			bbwarn "Login with root user is disabled
> since zap_empty_root_password is enabled"
> >> +		fi
> >> +	fi
> >>   	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
> >>   		sed -i 's%^root::%root:*:%'
> ${IMAGE_ROOTFS}/etc/passwd
> >>   	fi
> >> --
> >> 2.17.1
> >
> > //Peter
> >


* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
  2021-03-12 14:13       ` Peter Kjellerstedt
@ 2021-03-15  2:31         ` Robert Yang
  2021-03-15 11:14           ` Peter Kjellerstedt
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Yang @ 2021-03-15  2:31 UTC (permalink / raw)
  To: Peter Kjellerstedt, openembedded-core



On 3/12/21 10:13 PM, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: Robert Yang <liezhi.yang@windriver.com>
>> Sent: den 9 mars 2021 09:32
>> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
>> core@lists.openembedded.org
>> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
>> warning when login with root is disabled
>>
>> Hi Peter,
>>
>> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
>>>> -----Original Message-----
>>>> From: openembedded-core@lists.openembedded.org <openembedded-
>>>> core@lists.openembedded.org> On Behalf Of Robert Yang
>>>> Sent: den 5 mars 2021 09:49
>>>> To: openembedded-core@lists.openembedded.org
>>>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
>> warning when login with root is disabled
>>>>
>>>> Fixed:
>>>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
>>>> $ bitbake core-image-minimal
>>>>
>>>> Then we can't login to the system with root without any messages. Add a
>> warning
>>>> makes it easy to debug.
>>>>
>>>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>>>> ---
>>>>    meta/classes/rootfs-postcommands.bbclass | 6 +++++-
>>>>    1 file changed, 5 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/meta/classes/rootfs-postcommands.bbclass
>> b/meta/classes/rootfs-postcommands.bbclass
>>>> index 1f27a3d07a..e4fe416ac9 100644
>>>> --- a/meta/classes/rootfs-postcommands.bbclass
>>>> +++ b/meta/classes/rootfs-postcommands.bbclass
>>>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
>>>>    zap_empty_root_password () {
>>>>    	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
>>>>    		sed -i 's%^root::%root:*:%'
>> ${IMAGE_ROOTFS}/etc/shadow
>>>> -        fi
>>>> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
>>>
>>> That will match any /etc/shadow file with "root:" in it. Change it to:
>>>
>>> 		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
>>
>> Thanks, I will update it.
>>
>>>
>>> And make this optional. We intentionally do not have a root password set
>> in our
>>
>> I don't quite understand about "optional", when the command is:
>>
>> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
>>
>> Then empty root password in shadow is:
>> root::
>>
>> so empty root password won't be matched?
> 
> Sorry, I was unclear. We do not have an empty password, we have
> "root:*:..." in /etc/shadow, and we obviously do not want this warning.

Thanks, makes sense, then let's drop this patch, this patch is for debugging 
only, it doesn't matter to drop it.

I wonder how to login when the line is "root:*:..." in /etc/shadow?

// Robert

> 
>> // Robert
> 
> //Peter
> 
>>> products when they are delivered due to the state law (SB-327) that went
>> into
>>> effect on January 1, 2020 in California, which prohibits default
>> passwords to
>>> be used in IoT products.
>>>
>>>> +		if [ $? -eq 0 ]; then
>>>> +			bbwarn "Login with root user is disabled
>> since zap_empty_root_password is enabled"
>>>> +		fi
>>>> +	fi
>>>>    	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
>>>>    		sed -i 's%^root::%root:*:%'
>> ${IMAGE_ROOTFS}/etc/passwd
>>>>    	fi
>>>> --
>>>> 2.17.1
>>>
>>> //Peter
>>>


* Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
  2021-03-15  2:31         ` Robert Yang
@ 2021-03-15 11:14           ` Peter Kjellerstedt
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Kjellerstedt @ 2021-03-15 11:14 UTC (permalink / raw)
  To: Robert Yang, openembedded-core

> -----Original Message-----
> From: Robert Yang <liezhi.yang@windriver.com>
> Sent: den 15 mars 2021 03:32
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
> core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> warning when login with root is disabled
> 
> On 3/12/21 10:13 PM, Peter Kjellerstedt wrote:
> >> -----Original Message-----
> >> From: Robert Yang <liezhi.yang@windriver.com>
> >> Sent: den 9 mars 2021 09:32
> >> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-
> >> core@lists.openembedded.org
> >> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> >> warning when login with root is disabled
> >>
> >> Hi Peter,
> >>
> >> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
> >>>> -----Original Message-----
> >>>> From: openembedded-core@lists.openembedded.org <openembedded-
> >>>> core@lists.openembedded.org> On Behalf Of Robert Yang
> >>>> Sent: den 5 mars 2021 09:49
> >>>> To: openembedded-core@lists.openembedded.org
> >>>> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a
> >> warning when login with root is disabled
> >>>>
> >>>> Fixed:
> >>>> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> >>>> $ bitbake core-image-minimal
> >>>>
> >>>> Then we can't login to the system with root without any messages. Add
> >>>> a warning makes it easy to debug.
> >>>>
> >>>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> >>>> ---
> >>>>    meta/classes/rootfs-postcommands.bbclass | 6 +++++-
> >>>>    1 file changed, 5 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/meta/classes/rootfs-postcommands.bbclass
> >> b/meta/classes/rootfs-postcommands.bbclass
> >>>> index 1f27a3d07a..e4fe416ac9 100644
> >>>> --- a/meta/classes/rootfs-postcommands.bbclass
> >>>> +++ b/meta/classes/rootfs-postcommands.bbclass
> >>>> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
> >>>>    zap_empty_root_password () {
> >>>>    	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> >>>>    		sed -i 's%^root::%root:*:%' >> ${IMAGE_ROOTFS}/etc/shadow
> >>>> -        fi
> >>>> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> >>>
> >>> That will match any /etc/shadow file with "root:" in it. Change it to:
> >>>
> >>> 		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> >>
> >> Thanks, I will update it.
> >>
> >>>
> >>> And make this optional. We intentionally do not have a root password
> >>> set in our
> >>
> >> I don't quite understand about "optional", when the command is:
> >>
> >> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> >>
> >> Then empty root password in shadow is:
> >> root::
> >>
> >> so empty root password won't be matched?
> >
> > Sorry, I was unclear. We do not have an empty password, we have
> > "root:*:..." in /etc/shadow, and we obviously do not want this warning.
> 
> Thanks, makes sense, then let's drop this patch, this patch is for
> debugging only, it doesn't matter to drop it.
> 
> I wonder how to login when the line is "root:*:..." in /etc/shadow?

In our case, you have to set a password the first time you access the product's 
web page.

> // Robert
> 
> >
> >> // Robert
> >
> > //Peter
> >
> >>> products when they are delivered due to the state law (SB-327) that
> >>> went into effect on January 1, 2020 in California, which prohibits 
> >>> default passwords to be used in IoT products.
> >>>
> >>>> +		if [ $? -eq 0 ]; then
> >>>> +			bbwarn "Login with root user is disabled since zap_empty_root_password is enabled"
> >>>> +		fi
> >>>> +	fi
> >>>>    	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
> >>>>    		sed -i 's%^root::%root:*:%' >> ${IMAGE_ROOTFS}/etc/passwd
> >>>>    	fi
> >>>> --
> >>>> 2.17.1
> >>>
> >>> //Peter

//Peter
