From: Chen Qi <[email protected]>

It's possible that users use EXTRA_USERS_PARAMS to set password
for root or explicitly expire root password. So we need to check
these two cases to ensure the 'no password' banner is not misleading.

As an example, below are configurations to make an image requiring
setting a root password on first boot, but without having to first enter
a static initial password:

  In conf/toolcfg.cfg:
  OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password"
  In local.conf:
  INHERIT += "extrausers"
  EXTRA_USERS_PARAMS += " passwd-expire root;"

Checking and adding such a banner is ensured to run as last steps of
ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particular,
we want to ensure that the function runs after set_user_group function
from extrausers.bbclass. So unlike other commands in this bbclass using
the '+=', this function uses ':append'.

Besides, adding such banner is only meaningful when base-passwd and
base-files are installed. In case of container image, they might not
be installed (e.g., container-test-image). So add extra checking for it.
With the above logic, we avoid breaking the following oe-selftest test case:
containerimage.ContainerImageTests.test_expected_files

Signed-off-by: Chen Qi <[email protected]>
---
 meta/classes-recipe/rootfs-postcommands.bbclass | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass 
b/meta/classes-recipe/rootfs-postcommands.bbclass
index f4fbc4c57e..8d7e5e7652 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -5,7 +5,7 @@
 #
 
 # Zap the root password if empty-root-password feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", 
"empty-root-password", "add_empty_root_password_note", "zap_empty_root_password 
",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", 
"empty-root-password", "", "zap_empty_root_password ",d)}'
 
 # Allow dropbear/openssh to accept logins from accounts with an empty password 
string if allow-empty-password is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", 
"allow-empty-password", "ssh_allow_empty_password ", "",d)}'
@@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += 
'${SORT_PASSWD_POSTPROCESS_COMMAND}'
 #
 ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible'
 
+# Check and add 'no root password' banner.
+# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using 
:append.
+ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note"
+
 # Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric
 # uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it
 # automatic or it can be a path. In the latter, the uid/gid matches the
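Review bot: the new comment above the :append line says the function must run "at the end", but :append only guarantees ordering after the '+=' entries; if another class also adds to ROOTFS_POSTPROCESS_COMMAND with :append, the relative order depends on parse order. The comment should name the real dependency (it must run after set_user_group from extrausers.bbclass, as the commit message explains) so a later reader knows what to verify. There is also a typo: "This needs to done" should read "This needs to be done".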
@@ -259,8 +263,14 @@ zap_empty_root_password () {
 # This function adds a note to the login banner that the system is configured 
for root logins without password
 #
 add_empty_root_password_note () {
-       echo "Type 'root' to login with superuser privileges (no password will 
be asked)." >> ${IMAGE_ROOTFS}/etc/issue
-       echo "" >> ${IMAGE_ROOTFS}/etc/issue
+       if [ -e ${IMAGE_ROOTFS}/etc/shadow -a -e ${IMAGE_ROOTFS}/etc/issue ]; 
then
+               rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' 
-f2`"
+               rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | 
cut -d: -f3`"
+               if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then
+                       echo "Type 'root' to login with superuser privileges 
(no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue
+                       echo "" >> ${IMAGE_ROOTFS}/etc/issue
+               fi
+       fi
 }
 
 #
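Review bot: in add_empty_root_password_note, an /etc/shadow that has no 'root:' line leaves both rootpw and rootpw_lastchanged empty, so the test `[ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]` passes and the "no password will be asked" banner is still written. Suggest confirming that `grep '^root:'` matched before testing the fields, and reading the line once instead of running grep twice with two different quoting styles. Smaller points: `-a` inside `[ ]` is marked obsolescent in POSIX and is clearer as `[ ... ] && [ ... ]`, and ${IMAGE_ROOTFS} is unquoted in the -e tests. Note also that an image that keeps the root password in /etc/passwd and has no /etc/shadow now gets no banner at all; if that is intended it deserves a line in the function's comment.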
-- 
2.43.0
