Thanks, I think this is fine.

Alex

On Mon, 1 Dec 2025 at 06:25, Chen Qi via lists.openembedded.org <[email protected]> wrote:
>
> From: Chen Qi <[email protected]>
>
> It's possible that users use EXTRA_USERS_PARAMS to set password
> for root or explicitly expire root password. So we need to check
> these two cases to ensure the 'no password' banner is not misleading.
>
> As an example, below are configurations to make an image requiring
> setting a root password on first boot, but without having to first enter
> a static initial password:
>
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Checking and adding such a banner is ensured to run as last steps of
> ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particular,
> we want to ensure that the function runs after set_user_group function
> from extrausers.bbclass. So unlike other commands in this bbclass using
> the '+=', this function uses ':append'.
>
> Signed-off-by: Chen Qi <[email protected]>
> --- > meta/classes-recipe/rootfs-postcommands.bbclass | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass > b/meta/classes-recipe/rootfs-postcommands.bbclass > index f4fbc4c57e..f57782b87b 100644 > --- a/meta/classes-recipe/rootfs-postcommands.bbclass > +++ b/meta/classes-recipe/rootfs-postcommands.bbclass 
> @@ -5,7 +5,7 @@ > # > > # Zap the root password if empty-root-password feature is not enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "empty-root-password", "add_empty_root_password_note", > "zap_empty_root_password ",d)}' > +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "empty-root-password", "", "zap_empty_root_password ",d)}' > > # Allow dropbear/openssh to accept logins from accounts with an empty > password string if allow-empty-password is enabled > ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "allow-empty-password", "ssh_allow_empty_password ", "",d)}' > @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += > '${SORT_PASSWD_POSTPROCESS_COMMAND}' > # > ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' > > +# Check and add 'no root password' banner. > +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using > :append. > +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note" > + > # Resolve the ID as described in the sysusers.d(5) manual: ID can be a > numeric > # uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it > # automatic or it can be a path. In the latter, the uid/gid matches the 
> @@ -259,8 +263,12 @@ zap_empty_root_password () { > # This function adds a note to the login banner that the system is > configured for root logins without password > # > add_empty_root_password_note () { > - echo "Type 'root' to login with superuser privileges (no password > will be asked)." >> ${IMAGE_ROOTFS}/etc/issue > - echo "" >> ${IMAGE_ROOTFS}/etc/issue > + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" > + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut > -d: -f3`" > + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then > + echo "Type 'root' to login with superuser privileges (no > password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue > + echo "" >> ${IMAGE_ROOTFS}/etc/issue > + fi > } > > # > -- > 2.43.0 > > > >
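
Review bot: in the hunk at @@ -64,6 +64,10, the added comment has a typo ("This needs to done" should be "This needs to be done") and does not say what the function must run after. The commit message names set_user_group from extrausers.bbclass as the ordering constraint; that belongs in the comment itself, because ':append' only places this entry after the '+=' entries and after appends that were parsed earlier. Any class or bbappend that also appends to ROOTFS_POSTPROCESS_COMMAND later will still run after add_empty_root_password_note, so "at the end" is not guaranteed in general.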
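
Review bot: in add_empty_root_password_note (hunk at @@ -259,8 +263,12) there is no check that ${IMAGE_ROOTFS}/etc/shadow exists before it is read. If the file is absent, both greps return nothing, rootpw and rootpw_lastchanged are both empty, and the test [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ] evaluates true, so the "no password will be asked" banner is written to /etc/issue without the root password state having been determined. Since this function now runs for every image regardless of IMAGE_FEATURES, suggest guarding with a test for the file first (and deciding explicitly what to do when only /etc/passwd carries the password field). Smaller points on the same lines: the '-a' operator inside '[' is marked obsolescent in POSIX, so two tests joined with '&&' are preferable; the two grep/cut pipelines use different quoting ('^root:' and "^root:") for the same pattern; and ${IMAGE_ROOTFS} is unquoted in the new grep calls.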
