* [Buildroot] [PATCH v2] Allow setting the password for user default
@ 2014-06-03 9:29 Stephan Hoffmann
2014-06-04 6:16 ` Arnout Vandecappelle
2014-06-04 10:47 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Stephan Hoffmann @ 2014-06-03 9:29 UTC
To: buildroot
Signed-off-by: Stephan Hoffmann <sho@relinux.de>
---
Since we can set the password for root while configuring the system
it seems logical to have the same possibility for user "default".
Changes v1 -> v2
- remove rewording in help text for BR2_TARGET_GENERIC_ROOT_PASSWD
---
system/Config.in | 23 ++++++++++++++++++++++-
system/system.mk | 11 ++++++++++-
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/system/Config.in b/system/Config.in
index 53bca53..d5408e1 100644
--- a/system/Config.in
+++ b/system/Config.in
@@ -211,6 +211,27 @@ config BR2_TARGET_GENERIC_ROOT_PASSWD
in the build log! Avoid using a valuable password if either the
.config file or the build log may be distributed!
+config BR2_TARGET_GENERIC_DEFAULT_PASSWD
+ string "Password for user default"
+ default ""
+ help
+ Set the initial password for user default (in clear). It will be encrypted.
+
+ If set to empty (the default), then no password will be set,
+ and default will need no password to log in.
+
+ WARNING! WARNING!
+ Although pretty strong, MD5 is now an old hash function, and
+ suffers from some weaknesses, which makes it susceptible to attacks.
+ It is showing its age, so this root password should not be trusted
+ to properly secure any product that can be shipped to the wide,
+ hostile world.
+
+ WARNING! WARNING!
+ The password appears in clear in the .config file, and may appear
+ in the build log! Avoid using a valuable password if either the
+ .config file or the build log may be distributed!
+
config BR2_TARGET_GENERIC_GETTY
bool "Run a getty (login prompt) after boot"
default y
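Review bot: The first WARNING paragraph of the new help text was copied from the root option and no longer fits. It says "this root password" although the option is for user default, and it names MD5 although the recipe in system/system.mk passes a configurable method to mkpasswd through TARGET_GENERIC_PASSWD_METHOD. Reword it to refer to the default user and the selected hash method, or drop it. Separately, the empty default means the image ships an account that logs in without a password unless the user acts; the help text says so, but locking the account when the string is empty would be the safer behaviour.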
diff --git a/system/system.mk b/system/system.mk
index 01a6c3a..367a8c4 100644
--- a/system/system.mk
+++ b/system/system.mk
@@ -1,6 +1,7 @@
TARGET_GENERIC_HOSTNAME = $(call qstrip,$(BR2_TARGET_GENERIC_HOSTNAME))
TARGET_GENERIC_ISSUE = $(call qstrip,$(BR2_TARGET_GENERIC_ISSUE))
TARGET_GENERIC_ROOT_PASSWD = $(call qstrip,$(BR2_TARGET_GENERIC_ROOT_PASSWD))
+TARGET_GENERIC_DEFAULT_PASSWD:=$(call qstrip,$(BR2_TARGET_GENERIC_DEFAULT_PASSWD))
TARGET_GENERIC_PASSWD_METHOD = $(call qstrip,$(BR2_TARGET_GENERIC_PASSWD_METHOD))
TARGET_GENERIC_GETTY_PORT = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT))
TARGET_GENERIC_GETTY_BAUDRATE = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
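Review bot: The added TARGET_GENERIC_DEFAULT_PASSWD line uses := with no surrounding spaces, while every neighbouring assignment in this block uses " = ". Unless immediate expansion is needed here, write it as TARGET_GENERIC_DEFAULT_PASSWD = $(call qstrip,$(BR2_TARGET_GENERIC_DEFAULT_PASSWD)) to match the rest of the file.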
@@ -29,6 +30,14 @@ target-root-passwd:
TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \
$(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow
+ifneq ($(TARGET_GENERIC_DEFAULT_PASSWD),)
+target-default-passwd: host-mkpasswd
+endif
+target-default-passwd:
+ [ -n "$(TARGET_GENERIC_DEFAULT_PASSWD)" ] && \
+ TARGET_GENERIC_DEFAULT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_DEFAULT_PASSWD)"); \
+ $(SED) "s,^default:[^:]*:,default:$$TARGET_GENERIC_DEFAULT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow
+
target-generic-getty-busybox:
$(SED) '/# GENERIC_SERIAL$$/s~^.*#~$(TARGET_GENERIC_GETTY_PORT)::respawn:/sbin/getty -L $(TARGET_GENERIC_GETTY_OPTIONS) $(TARGET_GENERIC_GETTY_PORT) $(TARGET_GENERIC_GETTY_BAUDRATE) $(TARGET_GENERIC_GETTY_TERM) #~' \
$(TARGET_DIR)/etc/inittab
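Review bot: In the target-default-passwd recipe the ";" after the $$( ... ) assignment discards the exit status of mkpasswd, so the sed runs even when hashing fails (for example with an unsupported method). TARGET_GENERIC_DEFAULT_PASSWD_HASH is then empty, sed writes default:: into etc/shadow, and the build succeeds with a password-less account. The empty-password case reaches the same sed through the failed [ -n ... ] test, which would be clearer as an explicit branch. Use an if/else that stops the build on a mkpasswd error and handles the empty string on purpose. Also, the clear-text password is substituted into a double-quoted shell word, so a double quote or backquote in the password is interpreted by the shell; quote it safely or document the restriction in the help text.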
@@ -60,7 +69,7 @@ TARGETS += target-generic-issue
endif
ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)
-TARGETS += target-root-passwd
+TARGETS += target-root-passwd target-default-passwd
ifeq ($(BR2_TARGET_GENERIC_GETTY),y)
TARGETS += target-generic-getty-$(if $(BR2_PACKAGE_SYSVINIT),sysvinit,busybox)
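Review bot: target-default-passwd is only added to TARGETS inside the BR2_ROOTFS_SKELETON_DEFAULT conditional, while the BR2_TARGET_GENERIC_DEFAULT_PASSWD entry added in system/Config.in shows no "depends on" of its own. If that entry is not already enclosed by a matching condition in Config.in, a user with a custom skeleton can set a password that is silently never applied. Add the dependency to the option or state the restriction in its help text.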
--
2.0.0.rc2
* [Buildroot] [PATCH v2] Allow setting the password for user default
From: Arnout Vandecappelle @ 2014-06-04 6:16 UTC
To: buildroot
On 06/03/14 11:29, Stephan Hoffmann wrote:
> Signed-off-by: Stephan Hoffmann <sho@relinux.de>
> ---
> Since we can set the password for root while configuring the system
> it seems logical to have the same possibility for user "default".
>
> Changes v1 -> v2
> - remove rewording in help text for BR2_TARGET_GENERIC_ROOT_PASSWD
> ---
> system/Config.in | 23 ++++++++++++++++++++++-
> system/system.mk | 11 ++++++++++-
> 2 files changed, 32 insertions(+), 2 deletions(-)
>
> diff --git a/system/Config.in b/system/Config.in
> index 53bca53..d5408e1 100644
> --- a/system/Config.in
> +++ b/system/Config.in
> @@ -211,6 +211,27 @@ config BR2_TARGET_GENERIC_ROOT_PASSWD
> in the build log! Avoid using a valuable password if either the
> .config file or the build log may be distributed!
>
> +config BR2_TARGET_GENERIC_DEFAULT_PASSWD
> + string "Password for user default"
> + default ""
> + help
> + Set the initial password for user default (in clear). It will be encrypted.
> +
> + If set to empty (the default), then no password will be set,
> + and default will need no password to log in.
> +
> + WARNING! WARNING!
> + Although pretty strong, MD5 is now an old hash function, and
> + suffers from some weaknesses, which makes it susceptible to attacks.
> + It is showing its age, so this root password should not be trusted
> + to properly secure any product that can be shipped to the wide,
> + hostile world.
Since we can now select the hash, this warning has no merit anymore.
With that fixed:
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
> +
> + WARNING! WARNING!
> + The password appears in clear in the .config file, and may appear
> + in the build log! Avoid using a valuable password if either the
> + .config file or the build log may be distributed!
> +
> config BR2_TARGET_GENERIC_GETTY
> bool "Run a getty (login prompt) after boot"
> default y
> diff --git a/system/system.mk b/system/system.mk
> index 01a6c3a..367a8c4 100644
> --- a/system/system.mk
> +++ b/system/system.mk
> @@ -1,6 +1,7 @@
> TARGET_GENERIC_HOSTNAME = $(call qstrip,$(BR2_TARGET_GENERIC_HOSTNAME))
> TARGET_GENERIC_ISSUE = $(call qstrip,$(BR2_TARGET_GENERIC_ISSUE))
> TARGET_GENERIC_ROOT_PASSWD = $(call qstrip,$(BR2_TARGET_GENERIC_ROOT_PASSWD))
> +TARGET_GENERIC_DEFAULT_PASSWD:=$(call qstrip,$(BR2_TARGET_GENERIC_DEFAULT_PASSWD))
> TARGET_GENERIC_PASSWD_METHOD = $(call qstrip,$(BR2_TARGET_GENERIC_PASSWD_METHOD))
> TARGET_GENERIC_GETTY_PORT = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT))
> TARGET_GENERIC_GETTY_BAUDRATE = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
> @@ -29,6 +30,14 @@ target-root-passwd:
> TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \
> $(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow
>
> +ifneq ($(TARGET_GENERIC_DEFAULT_PASSWD),)
> +target-default-passwd: host-mkpasswd
> +endif
> +target-default-passwd:
> + [ -n "$(TARGET_GENERIC_DEFAULT_PASSWD)" ] && \
> + TARGET_GENERIC_DEFAULT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_DEFAULT_PASSWD)"); \
> + $(SED) "s,^default:[^:]*:,default:$$TARGET_GENERIC_DEFAULT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow
It would have been nice to factor this with the root password generation, but
that can be done in a follow-up patch if needed.
Regards,
Arnout
> +
> target-generic-getty-busybox:
> $(SED) '/# GENERIC_SERIAL$$/s~^.*#~$(TARGET_GENERIC_GETTY_PORT)::respawn:/sbin/getty -L $(TARGET_GENERIC_GETTY_OPTIONS) $(TARGET_GENERIC_GETTY_PORT) $(TARGET_GENERIC_GETTY_BAUDRATE) $(TARGET_GENERIC_GETTY_TERM) #~' \
> $(TARGET_DIR)/etc/inittab
> @@ -60,7 +69,7 @@ TARGETS += target-generic-issue
> endif
>
> ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)
> -TARGETS += target-root-passwd
> +TARGETS += target-root-passwd target-default-passwd
>
> ifeq ($(BR2_TARGET_GENERIC_GETTY),y)
> TARGETS += target-generic-getty-$(if $(BR2_PACKAGE_SYSVINIT),sysvinit,busybox)
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F
* [Buildroot] [PATCH v2] Allow setting the password for user default
From: Peter Korsgaard @ 2014-06-04 10:47 UTC
To: buildroot
>>>>> "Stephan" == Stephan Hoffmann <sho@relinux.de> writes:
> Signed-off-by: Stephan Hoffmann <sho@relinux.de>
> ---
> Since we can set the password for root while configuring the system
> it seems logical to have the same possibility for user "default".
> Changes v1 -> v2
> - remove rewording in help text for BR2_TARGET_GENERIC_ROOT_PASSWD
> ---
> system/Config.in | 23 ++++++++++++++++++++++-
> system/system.mk | 11 ++++++++++-
> 2 files changed, 32 insertions(+), 2 deletions(-)
> diff --git a/system/Config.in b/system/Config.in
> index 53bca53..d5408e1 100644
> --- a/system/Config.in
> +++ b/system/Config.in
> @@ -211,6 +211,27 @@ config BR2_TARGET_GENERIC_ROOT_PASSWD
> in the build log! Avoid using a valuable password if either the
> .config file or the build log may be distributed!
> +config BR2_TARGET_GENERIC_DEFAULT_PASSWD
> + string "Password for user default"
> + default ""
> + help
> + Set the initial password for user default (in clear). It will be encrypted.
> +
> + If set to empty (the default), then no password will be set,
> + and default will need no password to log in.
I would actually rather get rid of the 'default' user, now that we have
support for BR2_ROOTFS_USERS_TABLES. The 'default' user is not needed
for anything in Buildroot itself, and I'm pretty sure some people might
not know / remember that we always have this password-less user and
remember to remove it in a post build - I know I haven't.
Do you have any use case for keeping it instead of just using
BR2_ROOTFS_USERS_TABLES?
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH v2] Allow setting the password for user default
From: Stephan Hoffmann @ 2014-06-04 11:46 UTC
To: buildroot
On 04.06.2014 12:47, Peter Korsgaard wrote:
>>>>>> "Stephan" == Stephan Hoffmann <sho@relinux.de> writes:
> > Signed-off-by: Stephan Hoffmann <sho@relinux.de>
> > ---
> > Since we can set the password for root while configuring the system
> > it seems logical to have the same possibility for user "default".
>
> > Changes v1 -> v2
> > - remove rewording in help text for BR2_TARGET_GENERIC_ROOT_PASSWD
> > ---
> > system/Config.in | 23 ++++++++++++++++++++++-
> > system/system.mk | 11 ++++++++++-
> > 2 files changed, 32 insertions(+), 2 deletions(-)
>
> > diff --git a/system/Config.in b/system/Config.in
> > index 53bca53..d5408e1 100644
> > --- a/system/Config.in
> > +++ b/system/Config.in
> > @@ -211,6 +211,27 @@ config BR2_TARGET_GENERIC_ROOT_PASSWD
> > in the build log! Avoid using a valuable password if either the
> > .config file or the build log may be distributed!
>
> > +config BR2_TARGET_GENERIC_DEFAULT_PASSWD
> > + string "Password for user default"
> > + default ""
> > + help
> > + Set the initial password for user default (in clear). It will be encrypted.
> > +
> > + If set to empty (the default), then no password will be set,
> > + and default will need no password to log in.
>
> I would actually rather get rid of the 'default' user, now that we have
> support for BR2_ROOTFS_USERS_TABLES. The 'default' user is not needed
> for anything in Buildroot itself, and I'm pretty sure some people might
> not know / remember that we always have this password-less user and
> remember to remove it in a post build - I know I haven't.
Good point, Peter!
This patch was sitting around here for a while and I obviously missed
the invention of BR2_ROOTFS_USERS_TABLES.
> Do you have any use case for keeping it instead of just using
> BR2_ROOTFS_USERS_TABLES?
No, so we shall drop this patch. I can also cook a patch that removes
the old default user, because I definitively do not want to have it
without the possibility to give it a password easily.
Kind regards
Stephan
>
--
reLinux - Stephan Hoffmann
Am Schmidtgrund 124 50765 Köln
Tel. +49.221.95595-19 Fax: -64
www.reLinux.de Stephan at reLinux.de
* [Buildroot] [PATCH v2] Allow setting the password for user default
From: Peter Korsgaard @ 2014-06-04 12:00 UTC
To: buildroot
>>>>> "Stephan" == Stephan Hoffmann <sho@relinux.de> writes:
Hi,
>> Do you have any use case for keeping it instead of just using
>> BR2_ROOTFS_USERS_TABLES?
> No, so we shall drop this patch. I can also cook a patch that removes
> the old default user, because I definitively do not want to have it
> without the possibility to give it a password easily.
Yes, please do - Thanks!
--
Bye, Peter Korsgaard
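
The concern raised earlier in the thread is that a password-less 'default' account ships unnoticed unless someone remembers to remove it in a post-build step. The check below is an added example, not part of the thread or of Buildroot: the function names and the sample shadow lines are constructed, and it assumes the script is registered as a post-build script, which receives the target directory as its first argument.

```shell
#!/bin/sh
# Added example (not Buildroot code): fail the build when the target's
# /etc/shadow still holds an account that can log in without a password.

# Reads shadow(5) lines on stdin and prints one finding per line.
# Exit status is 1 if any account has an empty password field, else 0.
# Locked entries ("*", "!") and non-MD5 hashes produce no output.
audit_shadow() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                            # comments, blank lines
        NF < 2        { print "MALFORMED line " NR; bad = 1; next }
        $2 == ""      { print "EMPTY " $1; bad = 1; next } # no password needed
        $2 ~ /^\$1\$/ { print "MD5 " $1 }                  # weak hash, reported only
        END           { exit bad + 0 }
    '
}

# Constructed sample input: the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
default::10933:0:99999:7:::
legacy:$1$constructed$constructedhash:10933:0:99999:7:::
EOF
}

# When run as a post-build script, the target directory arrives as $1.
if [ -n "${1:-}" ]; then
    audit_shadow < "$1/etc/shadow" || {
        echo "error: password-less account in $1/etc/shadow" >&2
        exit 1
    }
fi
```

Running `sample_shadow | audit_shadow` by hand shows the findings for the constructed file without needing a built target tree.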