* [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password
@ 2013-12-11 5:56 Qi.Chen
2013-12-11 5:56 ` [PATCH V2 1/3] shadow-native: allow for setting password in clear text Qi.Chen
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11 5:56 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Changes since V1:
Modify the code of zap_root_password and rename the function to zap_empty_root_password
to better reflect its original intent.
The following changes since commit 853f5db48f4cfcb34345938b583874fe5b6fc678:
nativesdk.bbclass: support nativesdk to override with the PACKAGES_DYNAMIC statement (2013-12-09 21:36:33 +0000)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib ChenQi/cleartext-password
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/cleartext-password
Chen Qi (3):
shadow-native: allow for setting password in clear text
image.bbclass: fix for zap_root_password
useradd-example: add example for setting clear text password
.../recipes-skeleton/useradd/useradd-example.bb | 3 +-
meta/classes/core-image.bbclass | 2 +-
meta/classes/image.bbclass | 14 +-
.../allow-for-setting-password-in-clear-text.patch | 208 ++++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 1 +
5 files changed, 220 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
--
1.7.9.5
* [PATCH V2 1/3] shadow-native: allow for setting password in clear text
2013-12-11 5:56 [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password Qi.Chen
@ 2013-12-11 5:56 ` Qi.Chen
2013-12-11 5:57 ` [PATCH V2 2/3] image.bbclass: fix for zap_root_password Qi.Chen
2013-12-11 5:57 ` [PATCH V2 3/3] useradd-example: add example for setting clear text password Qi.Chen
2 siblings, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11 5:56 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <qi.chen@windriver.com>
Allow user to set password in clear text. This is convenient when
we're building out an image.
This feature is mainly used by useradd.bbclass and extrausers.bbclass.
This patch adds a new option '-P' to useradd, usermod, groupadd and groupmod
commands provided by shadow-native. The shadow package on target and in SDK
will not be affected.
[YOCTO #5365]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
.../allow-for-setting-password-in-clear-text.patch | 208 ++++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 1 +
2 files changed, 209 insertions(+)
create mode 100644 meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
new file mode 100644
index 0000000..eafb935
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
@@ -0,0 +1,208 @@
+Upstream-Status: Inappropriate [OE specific]
+
+Allow for setting password in clear text.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+---
+ src/Makefile.am | 8 ++++----
+ src/groupadd.c | 8 +++++++-
+ src/groupmod.c | 9 ++++++++-
+ src/useradd.c | 9 +++++++--
+ src/usermod.c | 10 ++++++++--
+ 5 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 6a3b4c5..1ffdbc6 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -76,10 +76,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+ gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+-groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+-groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ grpck_LDADD = $(LDADD) $(LIBSELINUX)
+ grpconv_LDADD = $(LDADD) $(LIBSELINUX)
+ grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
+@@ -99,9 +99,9 @@ su_SOURCES = \
+ suauth.c
+ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ sulogin_LDADD = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ vipw_LDADD = $(LDADD) $(LIBSELINUX)
+
+ install-am: all-am
+diff --git a/src/groupadd.c b/src/groupadd.c
+index 66b38de..3157486 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -124,6 +124,7 @@ static void usage (void)
+ (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
+ " (non-unique) GID\n"), stderr);
+ (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), stderr);
++ (void) fputs (_(" -P, --clear-password PASSWORD use this clear text password for the new group\n"), stderr);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), stderr);
+ (void) fputs (_(" -r, --system create a system account\n"), stderr);
+ (void) fputs ("\n", stderr);
+@@ -388,13 +389,14 @@ static void process_flags (int argc, char **argv)
+ {"key", required_argument, NULL, 'K'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"root", required_argument, NULL, 'R'},
+ {"system", no_argument, NULL, 'r'},
+ {NULL, 0, NULL, '\0'}
+ };
+
+ while ((c =
+- getopt_long (argc, argv, "fg:hK:op:R:r", long_options,
++ getopt_long (argc, argv, "fg:hK:op:P:R:r", long_options,
+ &option_index)) != -1) {
+ switch (c) {
+ case 'f':
+@@ -446,6 +448,10 @@ static void process_flags (int argc, char **argv)
+ pflg = true;
+ group_passwd = optarg;
+ break;
++ case 'P':
++ pflg = true;
++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ break;
+ case 'R':
+ if ('/' != optarg[0]) {
+ fprintf (stderr,
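Review bot: in the new case 'P' branch the clear text password is read from optarg, so it sits in the command's argument vector (and in anything that records the command line) for the life of the process, and it is left there after pw_encrypt returns. Consider overwriting optarg once the hash has been computed, or taking the clear text from a file or stdin instead of an option argument. The same applies to the 'P' branches added to groupmod.c, useradd.c and usermod.c.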
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 27eb159..17acbc3 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -127,6 +127,8 @@ static void usage (void)
+ (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), stderr);
+ (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
+ " PASSWORD\n"), stderr);
++ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this (clear text)\n"
++ " PASSWORD\n"), stderr);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), stderr);
+ (void) fputs ("\n", stderr);
+ exit (E_USAGE);
+@@ -348,11 +350,12 @@ static void process_flags (int argc, char **argv)
+ {"new-name", required_argument, NULL, 'n'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"root", required_argument, NULL, 'R'},
+ {NULL, 0, NULL, '\0'}
+ };
+ while ((c =
+- getopt_long (argc, argv, "g:hn:op:R:",
++ getopt_long (argc, argv, "g:hn:op:P:R:",
+ long_options, &option_index)) != -1) {
+ switch (c) {
+ case 'g':
+@@ -376,6 +379,10 @@ static void process_flags (int argc, char **argv)
+ group_passwd = optarg;
+ pflg = true;
+ break;
++ case 'P':
++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ pflg = true;
++ break;
+ case 'R':
+ if ('/' != optarg[0]) {
+ fprintf (stderr,
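Review bot: case 'P' assigns the same group_passwd and pflg that case 'p' sets just above it, so when both -p and -P are given the later option silently wins and nothing tells the caller which password was stored. Treat the two options as mutually exclusive and exit with a usage error when both appear; the same holds for groupadd, useradd and usermod.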
+diff --git a/src/useradd.c b/src/useradd.c
+index 2102630..390909c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -716,6 +716,7 @@ static void usage (void)
+ (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
+ " (non-unique) UID\n"), stderr);
+ (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), stderr);
++ (void) fputs (_(" -P, --clear-password PASSWORD clear text password of the new account\n"), stderr);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), stderr);
+ (void) fputs (_(" -r, --system create a system account\n"), stderr);
+ (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), stderr);
+@@ -1035,6 +1036,7 @@ static void process_flags (int argc, char **argv)
+ {"no-user-group", no_argument, NULL, 'N'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"root", required_argument, NULL, 'R'},
+ {"system", no_argument, NULL, 'r'},
+ {"shell", required_argument, NULL, 's'},
+@@ -1047,9 +1049,9 @@ static void process_flags (int argc, char **argv)
+ };
+ while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+- "b:c:d:De:f:g:G:k:K:lmMNop:R:rs:u:UZ:",
++ "b:c:d:De:f:g:G:k:K:lmMNop:P:R:rs:u:UZ:",
+ #else
+- "b:c:d:De:f:g:G:k:K:lmMNop:R:rs:u:U",
++ "b:c:d:De:f:g:G:k:K:lmMNop:P:R:rs:u:U",
+ #endif
+ long_options, NULL)) != -1) {
+ switch (c) {
+@@ -1214,6 +1216,9 @@ static void process_flags (int argc, char **argv)
+ }
+ user_pass = optarg;
+ break;
++ case 'P': /* set clear text password */
++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ break;
+ case 'R':
+ /* no-op since we handled this in process_root_flag() earlier */
+ break;
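Review bot: case 'P' hashes optarg without checking that it is non-empty, so -P '' stores a valid hash of the empty string. That account accepts an empty password, yet its password field is not empty, so a check that looks for an empty field (such as the 'root::' match in patch 2/3) will not catch it. Reject an empty argument before calling pw_encrypt, here and in the other three tools.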
+diff --git a/src/usermod.c b/src/usermod.c
+index 8363597..f4c1cee 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -325,6 +325,7 @@ static void usage (void)
+ " new location (use only with -d)\n"
+ " -o, --non-unique allow using duplicate (non-unique) UID\n"
+ " -p, --password PASSWORD use encrypted password for the new password\n"
++ " -P, --clear-password PASSWORD use clear text password for the new password\n"
+ " -R --root CHROOT_DIR directory to chroot into\n"
+ " -s, --shell SHELL new login shell for the user account\n"
+ " -u, --uid UID new UID for the user account\n"
+@@ -950,6 +951,7 @@ static void process_flags (int argc, char **argv)
+ {"move-home", no_argument, NULL, 'm'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"root", required_argument, NULL, 'R'},
+ #ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+@@ -961,9 +963,9 @@ static void process_flags (int argc, char **argv)
+ };
+ while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+- "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:",
++ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:UZ:",
+ #else
+- "ac:d:e:f:g:G:hl:Lmop:R:s:u:U",
++ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U",
+ #endif
+ long_options, NULL)) != -1) {
+ switch (c) {
+@@ -1055,6 +1057,10 @@ static void process_flags (int argc, char **argv)
+ user_pass = optarg;
+ pflg = true;
+ break;
++ case 'P':
++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ pflg = true;
++ break;
+ case 'R':
+ /* no-op since we handled this in process_root_flag() earlier */
+ break;
+--
+1.7.9.5
+
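Review bot: all four case 'P' branches call crypt_make_salt (NULL, NULL), which leaves the choice of hash method to whatever default the native tool resolves at build time, and neither the patch description nor the new usage text says which method the image ends up with. Please state the resulting method in the commit message and help text, or pass it explicitly, so the strength of the stored hash does not depend on build-host configuration.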
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 33ecc7d..f77a78a 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -32,6 +32,7 @@ SRC_URI_append_class-native = " \
file://disable-syslog.patch \
file://useradd.patch \
file://add_root_cmd_groupmems.patch \
+ file://allow-for-setting-password-in-clear-text.patch \
"
SRC_URI_append_class-nativesdk = " \
file://add_root_cmd_options.patch \
--
1.7.9.5
* [PATCH V2 2/3] image.bbclass: fix for zap_root_password
2013-12-11 5:56 [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password Qi.Chen
2013-12-11 5:56 ` [PATCH V2 1/3] shadow-native: allow for setting password in clear text Qi.Chen
@ 2013-12-11 5:57 ` Qi.Chen
2013-12-11 5:57 ` [PATCH V2 3/3] useradd-example: add example for setting clear text password Qi.Chen
2 siblings, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11 5:57 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Previously, this function replaces the root password with '*' if
'debug-tweaks' is not in IMAGE_FEATURES. It not only zaps empty root
password, but also zaps non-empty root password. That means, if the
user uses a bbappend file for base-passwd to set the root password, he
would not be able to login as root; if the user uses 'EXTRA_USERS_PARAMS'
to set the root password, he would still not be able to login as root.
What we really want from this function is to disallow empty root password
if 'debug-tweaks' is not in IMAGE_FEATURES. This function should not remove
non-empty root password because that password is usually deliberately set
by the user.
This patch renames zap_root_password to zap_empty_root_password to
better reflect the intent of this function. It also modifies the code
to make this function work correctly.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
meta/classes/core-image.bbclass | 2 +-
meta/classes/image.bbclass | 14 ++++++++------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
index e7c34e2..fc4bd2f 100644
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -74,7 +74,7 @@ inherit image
ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
# Zap the root password if debug-tweaks feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_empty_root_password ; ",d)}'
# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
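Review bot: the unchanged comment above the modified line still reads "Zap the root password if debug-tweaks feature is not enabled", which no longer matches what the renamed function does. Update it to say that only an empty root password is replaced, so readers of core-image.bbclass do not assume a deliberately set root password is removed.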
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 168f283..c6d9db8 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -562,11 +562,13 @@ rootfs_uninstall_unneeded () {
fi
}
-# set '*' as the root password so the images
-# can decide if they want it or not
-zap_root_password () {
- sed 's%^root:[^:]*:%root:*:%' < ${IMAGE_ROOTFS}/etc/passwd >${IMAGE_ROOTFS}/etc/passwd.new
- mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
+# This function is intended to disallow empty root password if 'debug-tweaks' is not in IMAGE_FEATURES.
+zap_empty_root_password () {
+ if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
+ sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
+ elif [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
+ sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
+ fi
}
# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string
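Review bot: because the second test in zap_empty_root_password is an elif, /etc/passwd is never examined when /etc/shadow exists, so a 'root::' entry left in passwd survives in exactly the images that ship a shadow file. The old function always rewrote /etc/passwd. Use two independent if blocks so both files are checked.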
@@ -648,7 +650,7 @@ rootfs_sysroot_relativelinks () {
sysroot-relativelinks.py ${SDK_OUTPUT}/${SDKTARGETSYSROOT}
}
-EXPORT_FUNCTIONS zap_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup
+EXPORT_FUNCTIONS zap_empty_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup
do_fetch[noexec] = "1"
do_unpack[noexec] = "1"
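Review bot: the EXPORT_FUNCTIONS line drops zap_root_password with no replacement under the old name, so any layer or image recipe outside this series that still lists zap_root_password in ROOTFS_POSTPROCESS_COMMAND will reference a function that no longer exists. Mention the rename in the commit message as a behaviour change, or keep a thin zap_root_password wrapper that calls the new function.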
--
1.7.9.5
* [PATCH V2 3/3] useradd-example: add example for setting clear text password
2013-12-11 5:56 [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password Qi.Chen
2013-12-11 5:56 ` [PATCH V2 1/3] shadow-native: allow for setting password in clear text Qi.Chen
2013-12-11 5:57 ` [PATCH V2 2/3] image.bbclass: fix for zap_root_password Qi.Chen
@ 2013-12-11 5:57 ` Qi.Chen
2 siblings, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11 5:57 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Use '-P' option for user3 to set a clear text password. This is supposed
to serve as an example of how to set clear text password in recipes.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
.../recipes-skeleton/useradd/useradd-example.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb b/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
index 53d2340..2f8d9b0 100644
--- a/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
+++ b/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
@@ -32,7 +32,8 @@ USERADD_PACKAGES = "${PN} ${PN}-user3"
USERADD_PARAM_${PN} = "-u 1200 -d /home/user1 -r -s /bin/bash user1; -u 1201 -d /home/user2 -r -s /bin/bash user2"
# user3 will be managed in the useradd-example-user3 pacakge:
-USERADD_PARAM_${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash user3"
+# As an example, we use the -P option to set clear text password for user3
+USERADD_PARAM_${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash -P 'user3' user3"
# GROUPADD_PARAM works the same way, which you set to the options
# you'd normally pass to the groupadd command. This will create
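Review bot: the added USERADD_PARAM line hard-codes -P 'user3', a password identical to the user name, in a skeleton recipe that people copy as a template. Extend the new comment to say that the value is stored in clear text in the recipe and is a placeholder that must be changed, and consider a sample value that is not the account name.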
--
1.7.9.5