Setting root password

Setting root password

[Jack Mitchell]

What is the best way to set the root password for an image during build
time?

I have come across this snippet:

ROOTFS_POSTPROCESS_COMMAND += " \
        sed 's%^root:[^:]*:%root:${PASSWD}:%' \
        < ${IMAGE_ROOTFS}/etc/shadow \
        > ${IMAGE_ROOTFS}/etc/shadow.new;\
        mv ${IMAGE_ROOTFS}/etc/shadow.new ${IMAGE_ROOTFS}/etc/shadow ;"

but it feels a bit hacky... is there no defined way to do this cleanly?

Cheers,
Jack.

Re: Setting root password

[Koen Kooi]

Op 11 okt. 2013, om 16:35 heeft Jack Mitchell <ml@communistcode.co.uk> het volgende geschreven:

> What is the best way to set the root password for an image during build
> time?
> 
> I have come across this snippet:
> 
> ROOTFS_POSTPROCESS_COMMAND += " \
>        sed 's%^root:[^:]*:%root:${PASSWD}:%' \
>        < ${IMAGE_ROOTFS}/etc/shadow \
>> ${IMAGE_ROOTFS}/etc/shadow.new;\
>        mv ${IMAGE_ROOTFS}/etc/shadow.new ${IMAGE_ROOTFS}/etc/shadow ;"
> 
> but it feels a bit hacky...

indeed, gnu sed has had a -i option for some years now, no needs to that intermediate file.

Re: Setting root password

[ChenQi]

On 10/11/2013 10:35 PM, Jack Mitchell wrote:
> What is the best way to set the root password for an image during build
> time?
>
> I have come across this snippet:
>
> ROOTFS_POSTPROCESS_COMMAND += " \
>          sed 's%^root:[^:]*:%root:${PASSWD}:%' \
>          < ${IMAGE_ROOTFS}/etc/shadow \
>          > ${IMAGE_ROOTFS}/etc/shadow.new;\
>          mv ${IMAGE_ROOTFS}/etc/shadow.new ${IMAGE_ROOTFS}/etc/shadow ;"
>
> but it feels a bit hacky... is there no defined way to do this cleanly?
>
> Cheers,
> Jack.
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
What about using EXTRA_USERS_PARAMS?

E.g.
1. Get the encrypted password.
(One way to get the encrypted password is using openssl, of course you 
can use other methods.)
openssl passwd -1 root
$1$QauDU/Ig$KEeg.OaCLFkNwSXW4xYRu1


2. Add to local.conf the following lines. Note the '$' sign should be 
escaped.

INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -p '\$1\$QauDU/Ig\$KEeg.OaCLFkNwSXW4xYRu1' root;"


Best Regards,
Chen Qi

Setting root password

[Andy Pont]

Hello,

Looking around the web and reading the assorted documents it seems to be
that the defined way to set the root password is to remove "debug-tweaks"
from EXTRA_IMAGE_FEATURES and to add the following lines to local.conf:

require conf/distro/include/security_flags.inc
INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -P <encrypted_password> root;"

When I try to build core-image-minimal then the build fails with the
following:

| DEBUG: Executing shell function set_user_group
| NOTE: Performing usermod with [-R
XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/
1.0-r0/rootfs -P Hkw6rBJlcfhvM root] and 1 times of retry
| Server refused shutdown.  Remaining client fds: 2
| Client pids: 3878 16245
| Server will shut down after all clients exit.
| WARNING: usermod command did not succeed. Retrying...
| ERROR: Tried running usermod command 1 times without success, giving up
| WARNING:
XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/
1.0-r0/temp/run.set_user_group.3878:1 exit 1 from
|   exit 1
| DEBUG: Python function do_rootfs finished
| ERROR: Function failed: set_user_group (log file is located at
XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/
1.0-r0/temp/log.do_rootfs.3878)

Any ideas on how to make this work?

Thanks,

Andy.

Re: Setting root password

[Daniel.]

[-- Attachment #1: Type: text/plain, Size: 2565 bytes --]

Hey Andy,

I didn't know about this EXTRA_USERS_PARAMS. What I do is adding this
function to
my image.

# This function sets the password for root based on ROOT_PASSWD variable
set_root_password () {
        local p=$(openssl passwd -1 -salt "My salt" "${ROOT_PASSWD}")
        sed -e "s/root:[^:]*:/root:${p}:/" -i ${IMAGE_ROOTFS}/etc/shadow
}

And append it to ROOTFS_POSTPROCESS_COMMAND:
ROOTFS_POSTPROCESS_COMMAND += "set_root_password; "

I did all this in a class file which I import on all my images, but since
you point me EXTRA_USERS_PARAMS I think I'll do that in your (the right)
way. About your problem, can you get the "usermod" error from log.do_rootfs
in your image WORKDIR/temp folder?

Cheers
- dhs

PS: Not all shells recognize the "local" keyword. Remove it if you have
problems.

2015-09-24 10:24 GMT-03:00 Andy Pont <andy.pont@sdcsystems.com>:

> Hello,
>
> Looking around the web and reading the assorted documents it seems to be
> that the defined way to set the root password is to remove "debug-tweaks"
> from EXTRA_IMAGE_FEATURES and to add the following lines to local.conf:
>
> require conf/distro/include/security_flags.inc
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS = "usermod -P <encrypted_password> root;"
>
> When I try to build core-image-minimal then the build fails with the
> following:
>
> | DEBUG: Executing shell function set_user_group
> | NOTE: Performing usermod with [-R
>
> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/
> 1.0-r0/rootfs -P Hkw6rBJlcfhvM root] and 1 times of retry
> | Server refused shutdown.  Remaining client fds: 2
> | Client pids: 3878 16245
> | Server will shut down after all clients exit.
> | WARNING: usermod command did not succeed. Retrying...
> | ERROR: Tried running usermod command 1 times without success, giving up
> | WARNING:
>
> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/
> 1.0-r0/temp/run.set_user_group.3878:1 exit 1 from
> |   exit 1
> | DEBUG: Python function do_rootfs finished
> | ERROR: Function failed: set_user_group (log file is located at
>
> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/
> 1.0-r0/temp/log.do_rootfs.3878)
>
> Any ideas on how to make this work?
>
> Thanks,
>
> Andy.
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
*"Do or do not. There is no try"*
  *Yoda Master*

[-- Attachment #2: Type: text/html, Size: 3542 bytes --]

Re: Setting root password

[Andy Pont]

Hi Daniel,

> I didn't know about this EXTRA_USERS_PARAMS. What I do is adding this function to
> my image. 
> # This function sets the password for root based on ROOT_PASSWD variable
> set_root_password () {
>         local p=$(openssl passwd -1 -salt "My salt" "${ROOT_PASSWD}")
>        sed -e "s/root:[^:]*:/root:${p}:/" -i ${IMAGE_ROOTFS}/etc/shadow
> }
> And append it to ROOTFS_POSTPROCESS_COMMAND:
> ROOTFS_POSTPROCESS_COMMAND += "set_root_password; "
> I did all this in a class file which I import on all my images, 

As your method works and the EXTRA_USERS_PARAMS appears not to be doing could you send me your class file to save me having to reinvent the wheel?

> About your problem, can you get the "usermod" error from log.do_rootfs 

The end of the log.do_roots file just contains the following:

NOTE: Executing set_user_group ...
DEBUG: Executing shell function set_user_group
NOTE: Performing usermod with [-R XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/1.0-r0/rootfs -P Hkw6rBJlcfhvM root] and 1 times of retry
Server refused shutdown.  Remaining client fds: 2
Client pids: 3878 16245
Server will shut down after all clients exit.
WARNING: usermod command did not succeed. Retrying...
ERROR: Tried running usermod command 1 times without success, giving up
WARNING: XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/1.0-r0/temp/run.set_user_group.3878:1 exit 1 from
  exit 1
DEBUG: Python function do_rootfs finished

Thanks,

Andy.

Re: Setting root password

[Daniel.]

[-- Attachment #1: Type: text/plain, Size: 2294 bytes --]

My image .class file has includes a lot of recipes that I wrote for
specific reasons so it will not work as it is for you without that recipes,
instead here is the minimal you may need to get this working. I use a class
file because I have lot of images differing in little things, like which
kernel modules are auto loaded. So for your case I think this simple recipe
would suffice. If you want you can save this as .class file and import from
other images as I do.

http://pastebin.com/raw.php?i=1qds5hKF

Regards,
- dhs

2015-09-24 10:59 GMT-03:00 Andy Pont <andy.pont@sdcsystems.com>:

> Hi Daniel,
>
> > I didn't know about this EXTRA_USERS_PARAMS. What I do is adding this
> function to
> > my image.
> > # This function sets the password for root based on ROOT_PASSWD variable
> > set_root_password () {
> >         local p=$(openssl passwd -1 -salt "My salt" "${ROOT_PASSWD}")
> >        sed -e "s/root:[^:]*:/root:${p}:/" -i ${IMAGE_ROOTFS}/etc/shadow
> > }
> > And append it to ROOTFS_POSTPROCESS_COMMAND:
> > ROOTFS_POSTPROCESS_COMMAND += "set_root_password; "
> > I did all this in a class file which I import on all my images,
>
> As your method works and the EXTRA_USERS_PARAMS appears not to be doing
> could you send me your class file to save me having to reinvent the wheel?
>
> > About your problem, can you get the "usermod" error from log.do_rootfs
>
> The end of the log.do_roots file just contains the following:
>
> NOTE: Executing set_user_group ...
> DEBUG: Executing shell function set_user_group
> NOTE: Performing usermod with [-R
> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/1.0-r0/rootfs
> -P Hkw6rBJlcfhvM root] and 1 times of retry
> Server refused shutdown.  Remaining client fds: 2
> Client pids: 3878 16245
> Server will shut down after all clients exit.
> WARNING: usermod command did not succeed. Retrying...
> ERROR: Tried running usermod command 1 times without success, giving up
> WARNING:
> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/1.0-r0/temp/run.set_user_group.3878:1
> exit 1 from
>   exit 1
> DEBUG: Python function do_rootfs finished
>
> Thanks,
>
> Andy.
>
>


-- 
*"Do or do not. There is no try"*
  *Yoda Master*

[-- Attachment #2: Type: text/html, Size: 3078 bytes --]

Re: Setting root password

[Daniel.]

[-- Attachment #1: Type: text/plain, Size: 2652 bytes --]

Still, I think is a good ideia to understand what is going wrong with
EXTRA_USERS_PARAMS, other users may having the same problem.

Regards,
- dhs

2015-09-24 11:16 GMT-03:00 Daniel. <danielhilst@gmail.com>:

> My image .class file has includes a lot of recipes that I wrote for
> specific reasons so it will not work as it is for you without that recipes,
> instead here is the minimal you may need to get this working. I use a class
> file because I have lot of images differing in little things, like which
> kernel modules are auto loaded. So for your case I think this simple recipe
> would suffice. If you want you can save this as .class file and import from
> other images as I do.
>
> http://pastebin.com/raw.php?i=1qds5hKF
>
> Regards,
> - dhs
>
> 2015-09-24 10:59 GMT-03:00 Andy Pont <andy.pont@sdcsystems.com>:
>
>> Hi Daniel,
>>
>> > I didn't know about this EXTRA_USERS_PARAMS. What I do is adding this
>> function to
>> > my image.
>> > # This function sets the password for root based on ROOT_PASSWD variable
>> > set_root_password () {
>> >         local p=$(openssl passwd -1 -salt "My salt" "${ROOT_PASSWD}")
>> >        sed -e "s/root:[^:]*:/root:${p}:/" -i ${IMAGE_ROOTFS}/etc/shadow
>> > }
>> > And append it to ROOTFS_POSTPROCESS_COMMAND:
>> > ROOTFS_POSTPROCESS_COMMAND += "set_root_password; "
>> > I did all this in a class file which I import on all my images,
>>
>> As your method works and the EXTRA_USERS_PARAMS appears not to be doing
>> could you send me your class file to save me having to reinvent the wheel?
>>
>> > About your problem, can you get the "usermod" error from log.do_rootfs
>>
>> The end of the log.do_roots file just contains the following:
>>
>> NOTE: Executing set_user_group ...
>> DEBUG: Executing shell function set_user_group
>> NOTE: Performing usermod with [-R
>> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/1.0-r0/rootfs
>> -P Hkw6rBJlcfhvM root] and 1 times of retry
>> Server refused shutdown.  Remaining client fds: 2
>> Client pids: 3878 16245
>> Server will shut down after all clients exit.
>> WARNING: usermod command did not succeed. Retrying...
>> ERROR: Tried running usermod command 1 times without success, giving up
>> WARNING:
>> XXXXX/build/tmp/work/intel_core2_32-poky-linux/core-image-minimal-initramfs/1.0-r0/temp/run.set_user_group.3878:1
>> exit 1 from
>>   exit 1
>> DEBUG: Python function do_rootfs finished
>>
>> Thanks,
>>
>> Andy.
>>
>>
>
>
> --
> *"Do or do not. There is no try"*
>   *Yoda Master*
>



-- 
*"Do or do not. There is no try"*
  *Yoda Master*

[-- Attachment #2: Type: text/html, Size: 3811 bytes --]

Re: Setting root password

[Rudolf J Streif]

[-- Attachment #1: Type: text/plain, Size: 728 bytes --]

Hi Andy, Daniel

On Thursday, September 24, 2015 11:20:37 AM Daniel. wrote:


> Still, I think is a good ideia to understand what is going wrong with
> EXTRA_USERS_PARAMS, other users may having the same problem.


EXTRA_USERS_PARAMS works for me all the time. The stanza is what I am using in 
my image recipes:

EXTRA_USERS_PARAMS = "\groupadd developers; \useradd -p `openssl passwd 
${DEV_PASSWORD}` developer; \useradd -g developers developer; \
usermod -p `openssl passwd ${ROOT_PASSWORD}` root; \
"

If this is an accurate copy of what you are using\0 (from you first email)

> EXTRA_USERS_PARAMS = "usermod -P <encrypted_password> root;"

then the issue probably is the capital -P. It should be lowercase.

Cheers,
Rudi


[-- Attachment #2: Type: text/html, Size: 4220 bytes --]

Re: Setting root password

[Andy Pont]

Rudi wrote…

> > Still, I think is a good ideia to understand what is going wrong with
> > EXTRA_USERS_PARAMS, other users may having the same problem.
>
> EXTRA_USERS_PARAMS works for me all the time. The stanza is what I am
using 
> in my image recipes:
> 
> EXTRA_USERS_PARAMS = "\
> groupadd developers; \
> useradd -p `openssl passwd ${DEV_PASSWORD}` developer; \
> useradd -g developers developer; \
> usermod -p `openssl passwd ${ROOT_PASSWORD}` root; \
>"
>
> If this is an accurate copy of what you are using
>
> EXTRA_USERS_PARAMS = "usermod -P <encrypted_password> root;"
>
> then the issue probably is the capital -P. It should be lowercase.

Good spot.  I copied and pasted it from an article I found on the web!
Having changed it to lower case it now works as expected!

Thanks,

Andy.

Re: Setting root password

[Paul Eggleton]

On Thursday 24 September 2015 08:17:02 Rudolf J Streif wrote:
> On Thursday, September 24, 2015 11:20:37 AM Daniel. wrote:
> > Still, I think is a good ideia to understand what is going wrong with
> > EXTRA_USERS_PARAMS, other users may having the same problem.
> 
> EXTRA_USERS_PARAMS works for me all the time. The stanza is what I am using
> in my image recipes:
> 
> EXTRA_USERS_PARAMS = "\groupadd developers; \useradd -p `openssl passwd
> ${DEV_PASSWORD}` developer; \useradd -g developers developer; \
> usermod -p `openssl passwd ${ROOT_PASSWORD}` root; \
> "
> 
> If this is an accurate copy of what you are using\0 (from you first email)
> 
> > EXTRA_USERS_PARAMS = "usermod -P <encrypted_password> root;"
> 
> then the issue probably is the capital -P. It should be lowercase.

FYI the -P option is a custom option that we have patched into the native 
versions of the useradd/usermod commands that we build. It's the only way you 
can set a password in plain text rather than having to encrypt it first.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre