public inbox for cip-dev@lists.cip-project.org
* Re: [isar-cip-core][PATCH 6/6] change-root-homedir: split root home move into own package
       [not found] ` <20230102170818.17689-7-henning.schild@siemens.com>
@ 2023-01-03 16:54   ` Jan Kiszka
  2023-01-03 20:17     ` Henning Schild
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Kiszka @ 2023-01-03 16:54 UTC (permalink / raw)
  To: Henning Schild, cip-dev; +Cc: Wang Jing

On 02.01.23 18:08, Henning Schild wrote:
> Changing the homedir of root that way is required by any layer that
> takes ro rootfs pieces from here. Making it its own package allows
> reuse without having to take some other customizations.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  .../change-root-homedir.bb                    |  5 +++++
>  .../change-root-homedir/files/postinst        | 21 +++++++++++++++++++
>  recipes-core/customizations/common.inc        |  5 +++--
>  recipes-core/customizations/files/postinst    |  8 -------
>  4 files changed, 29 insertions(+), 10 deletions(-)
>  create mode 100644 recipes-core/change-root-homedir/change-root-homedir.bb
>  create mode 100644 recipes-core/change-root-homedir/files/postinst
> 
> diff --git a/recipes-core/change-root-homedir/change-root-homedir.bb b/recipes-core/change-root-homedir/change-root-homedir.bb
> new file mode 100644
> index 000000000000..dc4631bd6b16
> --- /dev/null
> +++ b/recipes-core/change-root-homedir/change-root-homedir.bb
> @@ -0,0 +1,5 @@

Missing copyright header.

> +inherit dpkg-raw
> +
> +DESCRIPTION = "Move roots homedir to /home for read-only rootfs"
> +
> +SRC_URI = "file://postinst"
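Review bot: SRC_URI carries only file://postinst, so this package changes the filesystem at configure time but ships no prerm/postrm to reverse it; removing change-root-homedir would leave /root as a symlink into /home. If that is intended, state it in DESCRIPTION, and fix the wording there at the same time ("root's home directory" rather than "roots homedir").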
> diff --git a/recipes-core/change-root-homedir/files/postinst b/recipes-core/change-root-homedir/files/postinst
> new file mode 100644
> index 000000000000..205ee4839e82
> --- /dev/null
> +++ b/recipes-core/change-root-homedir/files/postinst
> @@ -0,0 +1,21 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2019

Maybe update to "2019-2023" at this chance.

> +#
> +# Authors:
> +#  Jan Kiszka <jan.kiszka@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +set -e
> +
> +# needed for read-only rootfs with writable /home
> +if [ ! -L /root ]; then
> +	# usermod --move-home can not be used while the target user
> +	# has running processes, also we keep a symlink here
> +	mv /root /home/
> +	ln -s /home/root /root
> +fi
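Review bot: The "[ ! -L /root ]" guard only recognises the fully completed state. With "set -e", a run that stops after "mv /root /home/" but before "ln -s /home/root /root" leaves no /root at all, and every later run then fails on the mv, so the package can no longer be configured. The mv also fails when a non-empty /home/root already exists. Suggest splitting the cases: move only when /root is a real directory and /home/root does not exist yet, and create the symlink whenever /root is missing. Since the directory now lives on the writable /home, it would also be worth checking that /home/root ends up owned by root with mode 0700.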
> diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc
> index 1124ff2d3590..24c862c32e3b 100644
> --- a/recipes-core/customizations/common.inc
> +++ b/recipes-core/customizations/common.inc
> @@ -22,10 +22,11 @@ SRC_URI = " \
>  WIRELESS_FIRMWARE_PACKAGE ?= ""
>  INSTALL_WIRELESS_TOOLS ??= "0"
>  
> -DEPENDS += "sshd-regen-keys"
> +DEPENDS += "sshd-regen-keys change-root-homedir"
>  
>  DEBIAN_DEPENDS = " \
> -    ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys \
> +    ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh, sshd-regen-keys, \
> +    change-root-homedir \
>      ${@(', iw, wireless-regdb, ' + d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \
>  	if d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}"
>  
> diff --git a/recipes-core/customizations/files/postinst b/recipes-core/customizations/files/postinst
> index 7a0b00d98680..7e7ea3692325 100644
> --- a/recipes-core/customizations/files/postinst
> +++ b/recipes-core/customizations/files/postinst
> @@ -21,11 +21,3 @@ fi
>  HOSTNAME=demo
>  echo "$HOSTNAME" > /etc/hostname
>  echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
> -
> -# needed for read-only rootfs with writable /home
> -if [ ! -L /root ]; then
> -	# usermod --move-home can not be used while the target user
> -	# has running processes, also we keep a symlink here
> -	mv /root /home/
> -	ln -s /home/root /root
> -fi

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux




* Re: [isar-cip-core][PATCH 0/6] improve root home moving for layers
       [not found] <20230102170818.17689-1-henning.schild@siemens.com>
       [not found] ` <20230102170818.17689-7-henning.schild@siemens.com>
@ 2023-01-03 16:54 ` Jan Kiszka
       [not found] ` <20230102170818.17689-5-henning.schild@siemens.com>
  2 siblings, 0 replies; 9+ messages in thread
From: Jan Kiszka @ 2023-01-03 16:54 UTC (permalink / raw)
  To: Henning Schild, cip-dev; +Cc: Wang Jing

On 02.01.23 18:08, Henning Schild wrote:
> still v1:
>  - this was sent before but somehow did not make it, no change same v
> 
> The original idea was to make the rootfs home dir move and symlink
> reusable in another layer, while also playing back some findings from
> that other layer.
> 
> That is p1...p4
> 
> p5 and p6 are drive-by findings, feel free to pick in any order, I do not
> care about them too much
> 
> Henning Schild (6):
>   CONTRIBUTING: fix note on patch prefixes
>   customizations: make postinst idempotent
>   customizations: comment why we can not actually change home easily
>   kas: set clear text root password
>   customizations: make postinst script report all potential errors
>   change-root-homedir: split root home move into own package
> 
>  CONTRIBUTING.md                               |  2 +-
>  kas-cip.yml                                   |  4 ++--
>  .../change-root-homedir.bb                    |  5 +++++
>  .../change-root-homedir/files/postinst        | 21 +++++++++++++++++++
>  recipes-core/customizations/common.inc        |  5 +++--
>  recipes-core/customizations/files/postinst    | 10 ++++-----
>  6 files changed, 37 insertions(+), 10 deletions(-)
>  create mode 100644 recipes-core/change-root-homedir/change-root-homedir.bb
>  create mode 100644 recipes-core/change-root-homedir/files/postinst
> 

Applied all except for the last one where I had style remarks.

Thanks,
Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux




* Re: [isar-cip-core][PATCH 4/6] kas: set clear text root password
       [not found] ` <20230102170818.17689-5-henning.schild@siemens.com>
@ 2023-01-03 18:03   ` Jan Kiszka
       [not found]     ` <20230103200854.79dbe287@md1za8fc.ad001.siemens.net>
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Kiszka @ 2023-01-03 18:03 UTC (permalink / raw)
  To: Henning Schild, cip-dev; +Cc: Wang Jing

On 02.01.23 18:08, Henning Schild wrote:
> The comment above the hash looks weird. Might as well write it human
> readable.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  kas-cip.yml | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/kas-cip.yml b/kas-cip.yml
> index 10f4594334d6..b970f39ccb13 100644
> --- a/kas-cip.yml
> +++ b/kas-cip.yml
> @@ -37,8 +37,8 @@ local_conf_header:
>      ISAR_CROSS_COMPILE = "1"
>    root_password: |
>      USERS += "root"
> -    # 'root'
> -    USER_root[password] = "oC3wEGl799tZU"
> +    USER_root[password] = "root"
> +    USER_root[flags] = "clear-text-password"
>  
>  env:
>    DISTRO_APT_PREMIRRORS: ""
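Review bot: The added USER_root[password] = "root" together with the clear-text-password flag puts a well-known default root credential into kas-cip.yml in plain form, and nothing in the hunk says it is meant for development images only. Add a comment next to it stating that, and that product layers must override root_password. The removed value is a 13-character traditional crypt(3) string, so if the hashed form is kept instead, consider regenerating it with a stronger scheme rather than restoring it as is.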

Seems we have some conflict now with settings of the security image:

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/3548200620

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux




* Re: [isar-cip-core][PATCH 6/6] change-root-homedir: split root home move into own package
  2023-01-03 16:54   ` [isar-cip-core][PATCH 6/6] change-root-homedir: split root home move into own package Jan Kiszka
@ 2023-01-03 20:17     ` Henning Schild
  2023-01-04  4:09       ` Wang, Jing
  0 siblings, 1 reply; 9+ messages in thread
From: Henning Schild @ 2023-01-03 20:17 UTC (permalink / raw)
  To: Wang Jing; +Cc: Jan Kiszka, cip-dev

Wang Jing, maybe you want to address those comments and send this one
again?

If so you should only use this patch, change it and add your
Signed-Off. You could even make yourself the author and drop my
Signed-Off if you want. I think the latter would be the best idea if
you took over.

Further you want to add a cover letter where you mention that you are
based on next and add a "changed since v1" section to that cover letter.

Please reply whether or not you want to continue here. I will only pick
this up again when I hear from you.

Henning

Am Tue, 3 Jan 2023 17:54:25 +0100
schrieb Jan Kiszka <jan.kiszka@siemens.com>:

> On 02.01.23 18:08, Henning Schild wrote:
> > Changing the homedir of root that way is required by any layer that
> > takes ro rootfs pieces from here. Making it its own package allows
> > reuse without having to take some other customizations.
> > 
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >  .../change-root-homedir.bb                    |  5 +++++
> >  .../change-root-homedir/files/postinst        | 21
> > +++++++++++++++++++ recipes-core/customizations/common.inc        |
> >  5 +++-- recipes-core/customizations/files/postinst    |  8 -------
> >  4 files changed, 29 insertions(+), 10 deletions(-)
> >  create mode 100644
> > recipes-core/change-root-homedir/change-root-homedir.bb create mode
> > 100644 recipes-core/change-root-homedir/files/postinst
> > 
> > diff --git
> > a/recipes-core/change-root-homedir/change-root-homedir.bb
> > b/recipes-core/change-root-homedir/change-root-homedir.bb new file
> > mode 100644 index 000000000000..dc4631bd6b16 --- /dev/null
> > +++ b/recipes-core/change-root-homedir/change-root-homedir.bb
> > @@ -0,0 +1,5 @@  
> 
> Missing copyright header.
> 
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Move roots homedir to /home for read-only rootfs"
> > +
> > +SRC_URI = "file://postinst"
> > diff --git a/recipes-core/change-root-homedir/files/postinst
> > b/recipes-core/change-root-homedir/files/postinst new file mode
> > 100644 index 000000000000..205ee4839e82
> > --- /dev/null
> > +++ b/recipes-core/change-root-homedir/files/postinst
> > @@ -0,0 +1,21 @@
> > +#!/bin/sh
> > +#
> > +# CIP Core, generic profile
> > +#
> > +# Copyright (c) Siemens AG, 2019  
> 
> Maybe update to "2019-2023" at this chance.
> 
> > +#
> > +# Authors:
> > +#  Jan Kiszka <jan.kiszka@siemens.com>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +set -e
> > +
> > +# needed for read-only rootfs with writable /home
> > +if [ ! -L /root ]; then
> > +	# usermod --move-home can not be used while the target user
> > +	# has running processes, also we keep a symlink here
> > +	mv /root /home/
> > +	ln -s /home/root /root
> > +fi
> > diff --git a/recipes-core/customizations/common.inc
> > b/recipes-core/customizations/common.inc index
> > 1124ff2d3590..24c862c32e3b 100644 ---
> > a/recipes-core/customizations/common.inc +++
> > b/recipes-core/customizations/common.inc @@ -22,10 +22,11 @@
> > SRC_URI = " \ WIRELESS_FIRMWARE_PACKAGE ?= ""
> >  INSTALL_WIRELESS_TOOLS ??= "0"
> >  
> > -DEPENDS += "sshd-regen-keys"
> > +DEPENDS += "sshd-regen-keys change-root-homedir"
> >  
> >  DEBIAN_DEPENDS = " \
> > -    ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh,
> > sshd-regen-keys \
> > +    ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh,
> > sshd-regen-keys, \
> > +    change-root-homedir \
> >      ${@(', iw, wireless-regdb, ' +
> > d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \ if
> > d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}" 
> > diff --git a/recipes-core/customizations/files/postinst
> > b/recipes-core/customizations/files/postinst index
> > 7a0b00d98680..7e7ea3692325 100644 ---
> > a/recipes-core/customizations/files/postinst +++
> > b/recipes-core/customizations/files/postinst @@ -21,11 +21,3 @@ fi
> >  HOSTNAME=demo
> >  echo "$HOSTNAME" > /etc/hostname
> >  echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
> > -
> > -# needed for read-only rootfs with writable /home
> > -if [ ! -L /root ]; then
> > -	# usermod --move-home can not be used while the target user
> > -	# has running processes, also we keep a symlink here
> > -	mv /root /home/
> > -	ln -s /home/root /root
> > -fi  
> 
> Jan
> 




* Re: [isar-cip-core][PATCH 4/6] kas: set clear text root password
       [not found]     ` <20230103200854.79dbe287@md1za8fc.ad001.siemens.net>
@ 2023-01-03 20:18       ` Henning Schild
  2023-01-04  7:46         ` Jan Kiszka
  0 siblings, 1 reply; 9+ messages in thread
From: Henning Schild @ 2023-01-03 20:18 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: cip-dev, Wang Jing

Am Tue, 3 Jan 2023 20:08:54 +0100
schrieb Henning Schild <henning.schild@siemens.com>:

> Am Tue, 3 Jan 2023 19:03:13 +0100
> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> 
> > On 02.01.23 18:08, Henning Schild wrote:  
> > > The comment above the hash looks weird. Might as well write it
> > > human readable.
> > > 
> > > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > > ---
> > >  kas-cip.yml | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/kas-cip.yml b/kas-cip.yml
> > > index 10f4594334d6..b970f39ccb13 100644
> > > --- a/kas-cip.yml
> > > +++ b/kas-cip.yml
> > > @@ -37,8 +37,8 @@ local_conf_header:
> > >      ISAR_CROSS_COMPILE = "1"
> > >    root_password: |
> > >      USERS += "root"
> > > -    # 'root'
> > > -    USER_root[password] = "oC3wEGl799tZU"
> > > +    USER_root[password] = "root"
> > > +    USER_root[flags] = "clear-text-password"
> > >  
> > >  env:
> > >    DISTRO_APT_PREMIRRORS: ""    
> > 
> > Seems we have some conflict now with settings of the security image:
> > 
> > https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/3548200620
> >  
> 
> Lol. It is not too important after all. Not sure which component there
> causes the issue. But if it needs to be tricked to accept a hashed
> short password ... keep the hash.

So please remove from next, we do not need this one.

Henning

> Henning
> 
> > Jan
> >   
> 




* Re: [isar-cip-core][PATCH 6/6] change-root-homedir: split root home move into own package
  2023-01-03 20:17     ` Henning Schild
@ 2023-01-04  4:09       ` Wang, Jing
  0 siblings, 0 replies; 9+ messages in thread
From: Wang, Jing @ 2023-01-04  4:09 UTC (permalink / raw)
  To: Schild, Henning; +Cc: Kiszka, Jan, cip-dev@lists.cip-project.org

Hi Henning,

Thanks for the information on this PATCH! But since I'm still NOT familiar with the process of submitting an isar-cip-core PATCH, and also lack the related account and permission, I'd appreciate it if you could continue this PATCH this time. Of course, I'll learn how to contribute a PATCH to isar-cip-core and maybe I can take over in the future 😊

I also discussed this with Martin: since this PATCH is NOT very high priority for Jupiter-core, we might pick up the latest isar-cip-core version from master once it's integrated in the future.

Thank you so much!

BR
Wang Jing

-----Original Message-----
From: Schild, Henning (T CED SES-DE) <henning.schild@siemens.com> 
Sent: Wednesday, January 4, 2023 4:17 AM
To: Wang, Jing (DI FA CTR SVC&AI CN) <wangjing@siemens.com>
Cc: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>; cip-dev@lists.cip-project.org
Subject: Re: [isar-cip-core][PATCH 6/6] change-root-homedir: split root home move into own package

Wang Jing, maybe you want to address those comments and send this one again?

If so you should only use this patch, change it and add your Signed-Off. You could even make yourself the author and drop my Signed-Off if you want. I think the latter would be the best idea if you took over.

Further you want to add a cover letter where you mention that you are based on next and add a "changed since v1" section to that cover letter.

Please reply whether or not you want to continue here. I will only pick this up again when I hear from you.

Henning

Am Tue, 3 Jan 2023 17:54:25 +0100
schrieb Jan Kiszka <jan.kiszka@siemens.com>:

> On 02.01.23 18:08, Henning Schild wrote:
> > Changing the homedir of root that way is required by any layer that 
> > takes ro rootfs pieces from here. Making it its own package allows 
> > reuse without having to take some other customizations.
> > 
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >  .../change-root-homedir.bb                    |  5 +++++
> >  .../change-root-homedir/files/postinst        | 21
> > +++++++++++++++++++ recipes-core/customizations/common.inc        |
> >  5 +++-- recipes-core/customizations/files/postinst    |  8 -------
> >  4 files changed, 29 insertions(+), 10 deletions(-)  create mode 
> > 100644 recipes-core/change-root-homedir/change-root-homedir.bb 
> > create mode
> > 100644 recipes-core/change-root-homedir/files/postinst
> > 
> > diff --git
> > a/recipes-core/change-root-homedir/change-root-homedir.bb
> > b/recipes-core/change-root-homedir/change-root-homedir.bb new file 
> > mode 100644 index 000000000000..dc4631bd6b16 --- /dev/null
> > +++ b/recipes-core/change-root-homedir/change-root-homedir.bb
> > @@ -0,0 +1,5 @@
> 
> Missing copyright header.
> 
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Move roots homedir to /home for read-only rootfs"
> > +
> > +SRC_URI = "file://postinst"
> > diff --git a/recipes-core/change-root-homedir/files/postinst
> > b/recipes-core/change-root-homedir/files/postinst new file mode
> > 100644 index 000000000000..205ee4839e82
> > --- /dev/null
> > +++ b/recipes-core/change-root-homedir/files/postinst
> > @@ -0,0 +1,21 @@
> > +#!/bin/sh
> > +#
> > +# CIP Core, generic profile
> > +#
> > +# Copyright (c) Siemens AG, 2019
> 
> Maybe update to "2019-2023" at this chance.
> 
> > +#
> > +# Authors:
> > +#  Jan Kiszka <jan.kiszka@siemens.com> # # SPDX-License-Identifier: 
> > +MIT #
> > +
> > +set -e
> > +
> > +# needed for read-only rootfs with writable /home if [ ! -L /root 
> > +]; then
> > +	# usermod --move-home can not be used while the target user
> > +	# has running processes, also we keep a symlink here
> > +	mv /root /home/
> > +	ln -s /home/root /root
> > +fi
> > diff --git a/recipes-core/customizations/common.inc
> > b/recipes-core/customizations/common.inc index 
> > 1124ff2d3590..24c862c32e3b 100644 --- 
> > a/recipes-core/customizations/common.inc +++ 
> > b/recipes-core/customizations/common.inc @@ -22,10 +22,11 @@ SRC_URI 
> > = " \ WIRELESS_FIRMWARE_PACKAGE ?= ""
> >  INSTALL_WIRELESS_TOOLS ??= "0"
> >  
> > -DEPENDS += "sshd-regen-keys"
> > +DEPENDS += "sshd-regen-keys change-root-homedir"
> >  
> >  DEBIAN_DEPENDS = " \
> > -    ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh,
> > sshd-regen-keys \
> > +    ifupdown, isc-dhcp-client, net-tools, iputils-ping, ssh,
> > sshd-regen-keys, \
> > +    change-root-homedir \
> >      ${@(', iw, wireless-regdb, ' +
> > d.getVar('WIRELESS_FIRMWARE_PACKAGE')) \ if
> > d.getVar('INSTALL_WIRELESS_TOOLS') == '1' else ''}" 
> > diff --git a/recipes-core/customizations/files/postinst
> > b/recipes-core/customizations/files/postinst index
> > 7a0b00d98680..7e7ea3692325 100644 --- 
> > a/recipes-core/customizations/files/postinst +++ 
> > b/recipes-core/customizations/files/postinst @@ -21,11 +21,3 @@ fi  
> > HOSTNAME=demo  echo "$HOSTNAME" > /etc/hostname  echo "127.0.0.1 
> > $HOSTNAME" >> /etc/hosts
> > -
> > -# needed for read-only rootfs with writable /home -if [ ! -L /root 
> > ]; then
> > -	# usermod --move-home can not be used while the target user
> > -	# has running processes, also we keep a symlink here
> > -	mv /root /home/
> > -	ln -s /home/root /root
> > -fi
> 
> Jan
> 



* Re: [isar-cip-core][PATCH 4/6] kas: set clear text root password
  2023-01-03 20:18       ` Henning Schild
@ 2023-01-04  7:46         ` Jan Kiszka
  2023-01-04  9:10           ` Henning Schild
  2023-01-04  9:45           ` [cip-dev] " Venkata.Pyla
  0 siblings, 2 replies; 9+ messages in thread
From: Jan Kiszka @ 2023-01-04  7:46 UTC (permalink / raw)
  To: Henning Schild, venkata pyla; +Cc: cip-dev, Wang Jing

On 03.01.23 21:18, Henning Schild wrote:
> Am Tue, 3 Jan 2023 20:08:54 +0100
> schrieb Henning Schild <henning.schild@siemens.com>:
> 
>> Am Tue, 3 Jan 2023 19:03:13 +0100
>> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
>>
>>> On 02.01.23 18:08, Henning Schild wrote:  
>>>> The comment above the hash looks weird. Might as well write it
>>>> human readable.
>>>>
>>>> Signed-off-by: Henning Schild <henning.schild@siemens.com>
>>>> ---
>>>>  kas-cip.yml | 4 ++--
>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/kas-cip.yml b/kas-cip.yml
>>>> index 10f4594334d6..b970f39ccb13 100644
>>>> --- a/kas-cip.yml
>>>> +++ b/kas-cip.yml
>>>> @@ -37,8 +37,8 @@ local_conf_header:
>>>>      ISAR_CROSS_COMPILE = "1"
>>>>    root_password: |
>>>>      USERS += "root"
>>>> -    # 'root'
>>>> -    USER_root[password] = "oC3wEGl799tZU"
>>>> +    USER_root[password] = "root"
>>>> +    USER_root[flags] = "clear-text-password"
>>>>  
>>>>  env:
>>>>    DISTRO_APT_PREMIRRORS: ""    
>>>
>>> Seems we have some conflict now with settings of the security image:
>>>
>>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/3548200620
>>>  
>>
>> Lol. It is not too important after all. Not sure which component there
>> causes the issue. But if it needs to be tricked to accept a hashed
>> short password ... keep the hash.
> 
> So please remove from next, we do not need this one.
> 

I would prefer to understand the technical reason and then decide if the
current breakage is desirable, also from Isar perspective, or if we
should change something maybe even in Isar to account for this.

I suppose the conflict comes from something in
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-core/security-customizations/files/postinst.
Adding also Venkata.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux




* Re: [isar-cip-core][PATCH 4/6] kas: set clear text root password
  2023-01-04  7:46         ` Jan Kiszka
@ 2023-01-04  9:10           ` Henning Schild
  2023-01-04  9:45           ` [cip-dev] " Venkata.Pyla
  1 sibling, 0 replies; 9+ messages in thread
From: Henning Schild @ 2023-01-04  9:10 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: venkata pyla, cip-dev, Wang Jing

Am Wed, 4 Jan 2023 08:46:36 +0100
schrieb Jan Kiszka <jan.kiszka@siemens.com>:

> On 03.01.23 21:18, Henning Schild wrote:
> > Am Tue, 3 Jan 2023 20:08:54 +0100
> > schrieb Henning Schild <henning.schild@siemens.com>:
> >   
> >> Am Tue, 3 Jan 2023 19:03:13 +0100
> >> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> >>  
> >>> On 02.01.23 18:08, Henning Schild wrote:    
> >>>> The comment above the hash looks weird. Might as well write it
> >>>> human readable.
> >>>>
> >>>> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> >>>> ---
> >>>>  kas-cip.yml | 4 ++--
> >>>>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>>>
> >>>> diff --git a/kas-cip.yml b/kas-cip.yml
> >>>> index 10f4594334d6..b970f39ccb13 100644
> >>>> --- a/kas-cip.yml
> >>>> +++ b/kas-cip.yml
> >>>> @@ -37,8 +37,8 @@ local_conf_header:
> >>>>      ISAR_CROSS_COMPILE = "1"
> >>>>    root_password: |
> >>>>      USERS += "root"
> >>>> -    # 'root'
> >>>> -    USER_root[password] = "oC3wEGl799tZU"
> >>>> +    USER_root[password] = "root"
> >>>> +    USER_root[flags] = "clear-text-password"
> >>>>  
> >>>>  env:
> >>>>    DISTRO_APT_PREMIRRORS: ""      
> >>>
> >>> Seems we have some conflict now with settings of the security
> >>> image:
> >>>
> >>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/3548200620
> >>>    
> >>
> >> Lol. It is not too important after all. Not sure which component
> >> there causes the issue. But if it needs to be tricked to accept a
> >> hashed short password ... keep the hash.  
> > 
> > So please remove from next, we do not need this one.
> >   
> 
> I would prefer to understand the technical reason and then decide if
> the current breakage is desirable, also from Isar perspective, or if
> we should change something maybe even in Isar to account for this.

Plain Isar is not affected. But moving the user stuff to the end, which
we did in Isar a while back, is related, because it will happen
after pam has been hardened like in this layer.

> I suppose the conflict comes from something in
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-core/security-customizations/files/postinst.

Likely pam_cracklib.

The way pam is configured in that postinst is very questionable anyhow.
pam-auth-update would likely be the better option: drop a few snippets
and call that tool.

Henning

> Adding also Venkata.
> 
> Jan
> 




* RE: [cip-dev] [isar-cip-core][PATCH 4/6] kas: set clear text root password
  2023-01-04  7:46         ` Jan Kiszka
  2023-01-04  9:10           ` Henning Schild
@ 2023-01-04  9:45           ` Venkata.Pyla
  1 sibling, 0 replies; 9+ messages in thread
From: Venkata.Pyla @ 2023-01-04  9:45 UTC (permalink / raw)
  To: cip-dev, henning.schild; +Cc: wangjing



>-----Original Message-----
>From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
>Jan Kiszka
>Sent: 04 January 2023 13:17
>To: Henning Schild <henning.schild@siemens.com>; pyla venkata(TSIP
>TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>
>Cc: cip-dev@lists.cip-project.org; Wang Jing <wangjing@siemens.com>
>Subject: Re: [cip-dev] [isar-cip-core][PATCH 4/6] kas: set clear text root password
>
>On 03.01.23 21:18, Henning Schild wrote:
>> Am Tue, 3 Jan 2023 20:08:54 +0100
>> schrieb Henning Schild <henning.schild@siemens.com>:
>>
>>> Am Tue, 3 Jan 2023 19:03:13 +0100
>>> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
>>>
>>>> On 02.01.23 18:08, Henning Schild wrote:
>>>>> The comment above the hash looks weird. Might as well write it
>>>>> human readable.
>>>>>
>>>>> Signed-off-by: Henning Schild <henning.schild@siemens.com>
>>>>> ---
>>>>>  kas-cip.yml | 4 ++--
>>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/kas-cip.yml b/kas-cip.yml index
>>>>> 10f4594334d6..b970f39ccb13 100644
>>>>> --- a/kas-cip.yml
>>>>> +++ b/kas-cip.yml
>>>>> @@ -37,8 +37,8 @@ local_conf_header:
>>>>>      ISAR_CROSS_COMPILE = "1"
>>>>>    root_password: |
>>>>>      USERS += "root"
>>>>> -    # 'root'
>>>>> -    USER_root[password] = "oC3wEGl799tZU"
>>>>> +    USER_root[password] = "root"
>>>>> +    USER_root[flags] = "clear-text-password"
>>>>>
>>>>>  env:
>>>>>    DISTRO_APT_PREMIRRORS: ""
>>>>
>>>> Seems we have some conflict now with settings of the security image:
>>>>
>>>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/jobs/3548200
>>>> 620
>>>>
>>>
>>> Lol. It is not too important after all. Not sure which component
>>> there causes the issue. But if it needs to be tricked to accept a
>>> hashed short password ... keep the hash.
>>
>> So please remove from next, we do not need this one.
>>
>
>I would prefer to understand the technical reason and then decide if the current
>breakage is desirable, also from Isar perspective, or if we should change
>something maybe even in Isar to account for this.
>
>I suppose the conflict comes from something in https://gitlab.com/cip-
>project/cip-core/isar-cip-core/-/blob/master/recipes-core/security-
>customizations/files/postinst.
>Adding also Venkata.
>

I think the error is because the security customization enables pam to accept only strong passwords, so it does not allow the simple password as "clear-text-password".

>Jan
>
>--
>Siemens AG, Technology
>Competence Center Embedded Linux


