From: Chen Qi <[email protected]> It's possible that users use EXTRA_USERS_PARAMS to set password for root or explicitly expire root password. So we need to check these two cases to ensure the 'no password' banner is not misleading.
As an example: In conf/toolcfg.cfg: OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password In local.conf: INHERIT += "extrausers" EXTRA_USERS_PARAMS += " passwd-expire root;" Note that allowing 'empty-root-password' image feature + setting/expiring root password has been working since available. This patch focuses on the banner. We want to ensure that it's there only when root really has empty password. We need to ensure that the function runs after set_user_group function from extrausers.bbclass. This is because the check is valid only after things set in EXTRA_USERS_PARAMS are done. So change to use :append. Signed-off-by: Chen Qi <[email protected]> --- meta/classes-recipe/rootfs-postcommands.bbclass | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index d3a569ba3e..bcc25798b9 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -4,8 +4,8 @@ # SPDX-License-Identifier: MIT # -# Zap the root password if empty-root-password feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' +# Zap the root password if empty-root-password feature is not enabled else add a 'no password' banner if appropriate +ROOTFS_POSTPROCESS_COMMAND:append = ' ${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' @@ -259,7 +259,11 @@ zap_empty_root_password () { # This function adds a note to the login banner that the system is configured for root logins without password # add_empty_root_password_note () { - echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then + echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue + fi } # -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#226941): https://lists.openembedded.org/g/openembedded-core/message/226941 Mute This Topic: https://lists.openembedded.org/mt/116527245/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
