From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2 v4] system: allow/disallow root login, accept encoded passwords
Date: Fri, 10 Apr 2015 22:39:44 +0200
Message-ID: <20150410223944.4dfc96b0@free-electrons.com>
In-Reply-To: <a13aae8e9670b5cb069379dee94735deb3663f21.1427223149.git.yann.morin.1998@free.fr>

Dear Yann E. MORIN,

On Tue, 24 Mar 2015 19:54:16 +0100, Yann E. MORIN wrote:

> Currently, there are only three possibilities regarding the root account:
> - it is enabled with no password (the default)
> - it is enabled, using a clear-text, user-provided password
> - it is disabled if the user sets the clear-text password to '*'
>
> This is deemed insufficient in many cases, especially when the .config
> file has to be published (e.g. for the GPL compliance, or any other
> reason.).
>
> Fix that in two ways:
>
> - add a bolean option that allows/diesaloows root login altogether,

disallows.

> which defaults to 'y' to keep backward compatibility;
>
> - accept already-encoded passwords, which we recognise as starting
> with either of $1$, $5$ or $6$ (resp. for md5, sha256 or sha512).
> For backward-compatibility, we stil accept '*' to disable the

still.

> @@ -70,9 +70,25 @@ TARGET_FINALIZE_HOOKS += SET_NETWORK
> ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)
>
> define SYSTEM_ROOT_PASSWD
> - [ -n "$(TARGET_GENERIC_ROOT_PASSWD)" ] && \
> - TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \
> - $(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow
> + if [ "$(BR2_TARGET_ENABLE_ROOT_LOGIN)" = "y" ]; then \
> + case '$(TARGET_GENERIC_ROOT_PASSWD)' in \
> + ("") \
> + ROOT_PASSWD=""; \
> + ;; \
> + ("$$1$$"*|"$$5$$"*|"$$6$$"*) \
> + ROOT_PASSWD='$(TARGET_GENERIC_ROOT_PASSWD)'; \
> + ;; \
> + ('*') \
> + ROOT_PASSWD='*'; \
> + ;; \
> + (*) \
> + ROOT_PASSWD=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \
> + ;; \
> + esac; \
> + else \
> + ROOT_PASSWD='*'; \
> + fi; \
> + $(SED) "s,^root:[^:]*:,root:$${ROOT_PASSWD}:," $(TARGET_DIR)/etc/shadow
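Review bot: in the encoded-password arm, the patterns `"$$1$$"*|"$$5$$"*|"$$6$$"*` are double-quoted, so once make has reduced `$$` to `$` the shell sees `"$1$"*` and expands `$1`, `$5` and `$6` as positional parameters. In a recipe shell those are empty, which leaves the pattern `$*`: any value starting with `$` is taken as already encoded and goes into /etc/shadow without passing through mkpasswd. Single-quoting the patterns (`'$$1$$'*` and so on) keeps the prefixes literal. Separately, the value is single-quoted in the `case` word and in the `ROOT_PASSWD=` assignment but double-quoted in the `$(MKPASSWD)` call, so a password containing a quote, a backtick or `$` is handled differently in each arm, and an accepted encoded value reaches the `$(SED)` expression unchecked, where a `,` or `&` would change the substitution.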

Argh. Can we use make instead of turning Buildroot into a build system
written in shell?

ifeq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),)
# Root login disabled: lock the account.
SYSTEM_ROOT_PASSWORD = *
else
ifeq ($(TARGET_GENERIC_ROOT_PASSWD),)
SYSTEM_ROOT_PASSWORD =
# I believe we could simplify this, and assume that if the password
# starts with $$, we have an already encoded password.
else ifneq ($(or $(filter $$1$$%,$(TARGET_GENERIC_ROOT_PASSWD)),$(filter $$5$$%,$(TARGET_GENERIC_ROOT_PASSWD)),$(filter $$6$$%,$(TARGET_GENERIC_ROOT_PASSWD))),)
SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWD)
else ifeq ($(TARGET_GENERIC_ROOT_PASSWD),*)
SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWD)
else
# Clear-text password: encode it with mkpasswd.
SYSTEM_ROOT_PASSWORD = $(shell $(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)")
endif
endif

(Completely untested, of course).

Thanks,
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
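
The prefix test discussed in this message, with the shell quoting spelled out so the single-quoted and double-quoted patterns can be compared on the same inputs. This is an added example, not code from the patch or from Buildroot; the function names, the stricter character check and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Buildroot code; function names are hypothetical.

# Intended classification. Patterns are single-quoted, so the shell
# matches the literal prefixes $1$, $5$ and $6$.
classify_root_passwd() {
    case "$1" in
        '')                   echo empty ;;
        '$1$'*|'$5$'*|'$6$'*) echo encoded ;;
        '*')                  echo disabled ;;
        *)                    echo cleartext ;;
    esac
}

# Same case statement with double-quoted patterns, which is what the
# recipe's "$$1$$"* becomes after make turns $$ into $. The shell then
# expands $1, $5 and $6 as positional parameters. They are set to empty
# strings here to mirror a recipe shell, where they are unset.
classify_double_quoted() {
    value=$1
    set -- '' '' '' '' '' ''
    case "$value" in
        "")                   echo empty ;;
        "$1$"*|"$5$"*|"$6$"*) echo encoded ;;
        '*')                  echo disabled ;;
        *)                    echo cleartext ;;
    esac
}

# Stricter check (an assumption, not in the patch): an encoded value may
# only contain crypt(3) characters plus '$' and '=' (for rounds=N), so it
# cannot carry ':' ',' or '&' into the sed expression or /etc/shadow.
is_shadow_safe() {
    case "$1" in
        *[!./0-9A-Za-z\$=]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Constructed sample values.
for v in '' '*' 'secret' '$ecret' '$6$salt$abc' '$6$salt$a,b:c'; do
    printf '%-16s single=%-9s double=%s\n' "[$v]" \
        "$(classify_root_passwd "$v")" "$(classify_double_quoted "$v")"
done
```

The two classifiers disagree only on values that start with `$` but carry none of the three prefixes, such as the clear-text sample `$ecret`.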