[Buildroot] [PATCH] system: only set the root password if it's not empty

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Wade Berrier]

No need to replace the password in etc/shadow with a blank password.

This also helps alleviate the situation when etc/shadow contains a password
which isn't meant to be blown away with a blank root password because mkpasswd
is non-functioning (rhel6).

This is somewhat of a workaround for distros (rhel6, and maybe fedora?) that
don't have a compatible mkpasswd.  They have grub-crypt, but it doesn't appear
to be as script friendly.

Signed-off-by: Wade Berrier <wberrier@gmail.com>
---
 system/system.mk |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/system/system.mk b/system/system.mk
index 50c86ad..fa98532 100644
--- a/system/system.mk
+++ b/system/system.mk
@@ -57,7 +57,9 @@ TARGETS += target-generic-issue
 endif
 
 ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)
+ifneq ($(TARGET_GENERIC_ROOT_PASSWD),)
 TARGETS += target-root-passwd
+endif
 
 ifneq ($(TARGET_GENERIC_GETTY),)
 TARGETS += target-generic-getty-$(if $(BR2_PACKAGE_SYSVINIT),sysvinit,busybox)
-- 
1.7.9.5

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Yann E. MORIN]

Wade, All,

On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
> No need to replace the password in etc/shadow with a blank password.

How do you differentiate between those two cases:
  - use an empty password,
  - do not change the existing password?

My opinion is that we do want to be able to set an empty pasword,
especially in the case of a custom skeleton. This makes it systematic,
so the user knows what to expect.

If you want to not use the config option to handle the root password,
then you can use either:
  - a post-build script, or
  - a skeleton overlay.

(If I read the Makefiles correctly, skeleton overlays are handled during
target-finalize, which is called after target-root-passwd, so the
overlay should take precedence over the root password option. To be
confirmed...)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Wade Berrier]

Hello,

On Jul 02 19:31, Yann E. MORIN wrote:
> Wade, All,
> 
> On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
> > No need to replace the password in etc/shadow with a blank password.
> 
> How do you differentiate between those two cases:
>   - use an empty password,
>   - do not change the existing password?
> 
> My opinion is that we do want to be able to set an empty pasword,
> especially in the case of a custom skeleton. This makes it systematic,
> so the user knows what to expect.

If that's desired, then yes, my patch isn't a good solution.

> 
> If you want to not use the config option to handle the root password,
> then you can use either:
>   - a post-build script, or
>   - a skeleton overlay.
> 
> (If I read the Makefiles correctly, skeleton overlays are handled during
> target-finalize, which is called after target-root-passwd, so the
> overlay should take precedence over the root password option. To be
> confirmed...)

I guess one real issue is that mkpasswd on redhat fails and returns an empty
hash, which is inserted into the shadow file.

Maybe the thing to do to work across distros would be to compile the correct
mkpasswd as a host- package?

In the meantime I think your suggestions of using a custom overlay or post build
script should work great.

Thanks,

Wade

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Thomas De Schampheleire]

Hi,

On Wed, Jul 3, 2013 at 6:46 AM, Wade Berrier <wberrier@gmail.com> wrote:
> Hello,
>
> On Jul 02 19:31, Yann E. MORIN wrote:
>> Wade, All,
>>
>> On 2013-07-02 02:52 -0600, Wade Berrier spake thusly:
>> > No need to replace the password in etc/shadow with a blank password.
>>
>> How do you differentiate between those two cases:
>>   - use an empty password,
>>   - do not change the existing password?
>>
>> My opinion is that we do want to be able to set an empty pasword,
>> especially in the case of a custom skeleton. This makes it systematic,
>> so the user knows what to expect.
>
> If that's desired, then yes, my patch isn't a good solution.
>
>>
>> If you want to not use the config option to handle the root password,
>> then you can use either:
>>   - a post-build script, or
>>   - a skeleton overlay.
>>
>> (If I read the Makefiles correctly, skeleton overlays are handled during
>> target-finalize, which is called after target-root-passwd, so the
>> overlay should take precedence over the root password option. To be
>> confirmed...)
>
> I guess one real issue is that mkpasswd on redhat fails and returns an empty
> hash, which is inserted into the shadow file.
>
> Maybe the thing to do to work across distros would be to compile the correct
> mkpasswd as a host- package?

Recently, another mkpasswd related problem popped up: seems that on
(some?) Slackware boxes, mkpasswd does not support -m <method>, and
buildroot fails. See
http://lists.busybox.net/pipermail/buildroot/2013-July/075771.html.
Making sure we always use the same mkpasswd would help in both cases.

Should we create a separate host-mkpasswd package based on the whois
sources? (https://github.com/rfc1036/whois)
Or should we add the whois package, and depend on that?
To me, the former seems more appropriate...

Best regards,
Thomas

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Thomas Petazzoni]

Dear Thomas De Schampheleire,

On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote:

> Should we create a separate host-mkpasswd package based on the whois
> sources? (https://github.com/rfc1036/whois)
> Or should we add the whois package, and depend on that?
> To me, the former seems more appropriate...

If we can make a very simple host-mkpasswd package like we have the
host-makedevs package (with the source code included in
package/<dir>/), I think it would be good.

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Thomas De Schampheleire]

Hi Wade,

On Sun, Jul 28, 2013 at 3:06 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Thomas De Schampheleire,
>
> On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote:
>
>> Should we create a separate host-mkpasswd package based on the whois
>> sources? (https://github.com/rfc1036/whois)
>> Or should we add the whois package, and depend on that?
>> To me, the former seems more appropriate...
>
> If we can make a very simple host-mkpasswd package like we have the
> host-makedevs package (with the source code included in
> package/<dir>/), I think it would be good.
>

Since a host-mkpasswd package has been merged now, which should fix
problems on some Redhat and Slackware machines, and given the comments
given by Yann, do you agree to drop this patch?

Best regards,
Thomas

[Buildroot] [PATCH] system: only set the root password if it's not empty

[Wade Berrier]

Thomas De Schampheleire <patrickdepinguin+buildroot@gmail.com> wrote:
>Hi Wade,
>
>On Sun, Jul 28, 2013 at 3:06 PM, Thomas Petazzoni
><thomas.petazzoni@free-electrons.com> wrote:
>> Dear Thomas De Schampheleire,
>>
>> On Sun, 28 Jul 2013 10:40:15 +0200, Thomas De Schampheleire wrote:
>>
>>> Should we create a separate host-mkpasswd package based on the whois
>>> sources? (https://github.com/rfc1036/whois)
>>> Or should we add the whois package, and depend on that?
>>> To me, the former seems more appropriate...
>>
>> If we can make a very simple host-mkpasswd package like we have the
>> host-makedevs package (with the source code included in
>> package/<dir>/), I think it would be good.
>>
>
>Since a host-mkpasswd package has been merged now, which should fix
>problems on some Redhat and Slackware machines, and given the comments
>given by Yann, do you agree to drop this patch?
>
>Best regards,
>Thomas

Yes, looking forward to trying the host package out.  Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20130907/43fa54d2/attachment.html>