Openembedded Core Discussions
From: "Peter Kjellerstedt" <peter.kjellerstedt@axis.com>
To: Robert Yang <liezhi.yang@windriver.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
Date: Fri, 12 Mar 2021 14:13:17 +0000
Message-ID: <e67217d10fc244b58cb3ef73815cf37f@XBOX03.axis.com>
In-Reply-To: <975479fc-e8f4-dccd-56c9-3d830cc5dc54@windriver.com>

> -----Original Message-----
> From: Robert Yang <liezhi.yang@windriver.com>
> Sent: den 9 mars 2021 09:32
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
> 
> Hi Peter,
> 
> On 3/5/21 6:18 PM, Peter Kjellerstedt wrote:
> >> -----Original Message-----
> >> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Robert Yang
> >> Sent: den 5 mars 2021 09:49
> >> To: openembedded-core@lists.openembedded.org
> >> Subject: [OE-core] [PATCH 1/1] rootfs-postcommands.bbclass: Print a warning when login with root is disabled
> >>
> >> Fixed:
> >> EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
> >> $ bitbake core-image-minimal
> >>
> >> Then we can't log in to the system with root without any messages. Adding a warning
> >> makes it easy to debug.
> >>
> >> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> >> ---
> >>   meta/classes/rootfs-postcommands.bbclass | 6 +++++-
> >>   1 file changed, 5 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/meta/classes/rootfs-postcommands.bbclass
> b/meta/classes/rootfs-postcommands.bbclass
> >> index 1f27a3d07a..e4fe416ac9 100644
> >> --- a/meta/classes/rootfs-postcommands.bbclass
> >> +++ b/meta/classes/rootfs-postcommands.bbclass
> >> @@ -147,7 +147,11 @@ read_only_rootfs_hook () {
> >>   zap_empty_root_password () {
> >>   	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
> >>   		sed -i 's%^root::%root:*:%'
> ${IMAGE_ROOTFS}/etc/shadow
> >> -        fi
> >> +		grep -q '^root:*:' ${IMAGE_ROOTFS}/etc/shadow
> >
> > That will match any /etc/shadow file with "root:" in it. Change it to:
> >
> > 		grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> 
> Thanks, I will update it.
> 
> >
> > And make this optional. We intentionally do not have a root password set in our
> 
> I don't quite understand about "optional", when the command is:
> 
> grep -q '^root:\*:' ${IMAGE_ROOTFS}/etc/shadow
> 
> Then empty root password in shadow is:
> root::
> 
> so empty root password won't be matched?

Sorry, I was unclear. We do not have an empty password, we have 
"root:*:..." in /etc/shadow, and we obviously do not want this warning.

> // Robert

//Peter

> > products when they are delivered due to the state law (SB-327) that went into
> > effect on January 1, 2020 in California, which prohibits default passwords to
> > be used in IoT products.
> >
> >> +		if [ $? -eq 0 ]; then
> >> +			bbwarn "Login with root user is disabled
> since zap_empty_root_password is enabled"
> >> +		fi
> >> +	fi
> >>   	if [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
> >>   		sed -i 's%^root::%root:*:%'
> ${IMAGE_ROOTFS}/etc/passwd
> >>   	fi
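
Review bot: The check added after the sed in zap_empty_root_password looks only at the resulting /etc/shadow, so the bbwarn fires whether or not the sed replaced anything, and an image that already shipped a locked root entry gets the warning too. Testing for `^root::` before the sed and warning only when that matched would tie the message to an actual rewrite. In `grep -q '^root:*:'` the unescaped `*` is a repetition operator on the preceding colon, so the pattern matches every line that starts with `root:`. Running grep as a bare command and then testing `[ $? -eq 0 ]` is better written as `if grep -q ...; then`, which also keeps working if the function runs under errexit. The /etc/passwd block below applies the same sed without any corresponding message.
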
> >> --
> >> 2.17.1
> >
> > //Peter
> >
