On Fri 31 Jan 2020 at 09:07, Michael Käppler <xmichae...@web.de> wrote:
> On 30.01.2020 at 15:08, Federico Bruni wrote:
> > I see that it's possible to log in as root user without any password
> > _even in the virtual machine_. Not good.
> That was my point.
> > I used the --password="" in the Makefile to avoid the step to set the
> > password when starting the container with systemd-nspawn.
> >
> > In mkosi manual I read:
> >
> > --password=
> >> : Set the password of the root user. By default the root account is
> >> locked. If this option is not used but a file mkosi.rootpw exists in the
> >> local directory the root password is automatically read from it.
> >>
> > So we may remove the --password option to keep the root account disabled
> > and use the mkosi.rootpw to set the password.
> > I will test this and hopefully include it in LilyDev v3.
> I read the manual differently. I think mkosi.rootpw is just the 'file
> alternative' to the command line, like mkosi.container, etc. So if you
> set the password in mkosi.rootpw, the root account will be active, too.
> But I haven't tested this.
>

You're right. I read too quickly and thought that this could be a kind of custom user file, while it's part of the files used to build the image.

> IIUC, we could change the root login shell to /sbin/nologin to lock the
> root account in the post-install script. What do you think?
>

I have a second thought about this. The whole point of setting a blank root password was that systemd-nspawn required a root login (at least 2 years ago). In fact in the README I suggested to log in as root and then change to dev. But I see that I can log in as dev without any problem (systemd version 243). Can you confirm you can log in as dev in the container?

So I'll just remove the --password="" from the Makefile and change the README accordingly.
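
Added example (not part of the original message and not LilyDev code): a shell check that reads etc/shadow and etc/passwd from an unpacked image tree and tells apart the states discussed above, namely a blank root password, a locked account, and a changed login shell. The function names, the ROOTDIR argument and the sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the root account of an unpacked image tree.
# ROOTDIR ($1) is a hypothetical path to the root of that tree.

# Print the state of root's password field in ROOTDIR/etc/shadow:
#   empty   - no password is required (the symptom described in the thread)
#   locked  - field starts with ! or *, so no password can match
#   set     - a password hash is present
#   missing - no shadow file, or no root entry in it
root_pw_state() {
    [ -f "$1/etc/shadow" ] || { echo missing; return 0; }
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1/etc/shadow"
}

# Print root's login shell (7th field of ROOTDIR/etc/passwd).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1/etc/passwd"
}

# Report both values; return 1 when root needs no password.
audit_root() {
    state=$(root_pw_state "$1")
    echo "root password: $state, shell: $(root_shell "$1")"
    [ "$state" != empty ]
}

# Constructed sample tree (not real image contents): $2 is the shadow
# password field for root, $3 is root's login shell.
make_sample_root() {
    mkdir -p "$1/etc"
    printf 'root:x:0:0:root:/root:%s\n' "$3" > "$1/etc/passwd"
    printf 'root:%s:18292:0:99999:7:::\n' "$2" > "$1/etc/shadow"
}

tmp=$(mktemp -d)
make_sample_root "$tmp/blank"   ''  /bin/bash      # blank root password
make_sample_root "$tmp/locked"  '!' /bin/bash      # locked account
make_sample_root "$tmp/nologin" ''  /sbin/nologin  # shell changed, field still empty
for r in blank locked nologin; do audit_root "$tmp/$r" || echo "  -> $r: FAIL"; done
rm -rf "$tmp"
```

The nologin sample is still reported as a failure because the check looks only at the password field; the shell is printed so both settings can be reviewed together.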