| Message ID | 20251201052523.1222217-2-Qi.Chen@windriver.com |
|---|---|
| State | New |
| Series | [V4,1/2] rootfs-postcommands.bbclass: fix echo + '\n' in 'no password' banner |
Thanks, I think this is fine.

Alex

On Mon, 1 Dec 2025 at 06:25, Chen Qi via lists.openembedded.org <Qi.Chen=windriver.com@lists.openembedded.org> wrote:
>
> From: Chen Qi <Qi.Chen@windriver.com>
>
> It's possible that users use EXTRA_USERS_PARAMS to set password
> for root or explicitly expire root password. So we need to check
> these two cases to ensure the 'no password' banner is not misleading.
>
> As an example, below are configurations to make an image requiring
> setting a root password on first boot, but without having to first enter
> a static initial password:
>
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password"
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Checking and adding such a banner is ensured to run as last steps of
> ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particular,
> we want to ensure that the function runs after set_user_group function
> from extrausers.bbclass. So unlike other commands in this bbclass using
> the '+=', this function uses ':append'.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/classes-recipe/rootfs-postcommands.bbclass | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
> index f4fbc4c57e..f57782b87b 100644
> --- a/meta/classes-recipe/rootfs-postcommands.bbclass
> +++ b/meta/classes-recipe/rootfs-postcommands.bbclass
> @@ -5,7 +5,7 @@ > # > > # Zap the root password if empty-root-password feature is not enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' > +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' > > # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled > ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' > @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += '${SORT_PASSWD_POSTPROCESS_COMMAND}' > # > ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' > > +# Check and add 'no root password' banner. > +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using :append. > +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note" > + > # Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric > # uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it > # automatic or it can be a path. In the latter, the uid/gid matches the 
> @@ -259,8 +263,12 @@ zap_empty_root_password () { > # This function adds a note to the login banner that the system is configured for root logins without password > # > add_empty_root_password_note () { > - echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue > - echo "" >> ${IMAGE_ROOTFS}/etc/issue > + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" > + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" > + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then > + echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue > + echo "" >> ${IMAGE_ROOTFS}/etc/issue > + fi > } > > # > -- > 2.43.0
On Mon Dec 1, 2025 at 6:25 AM CET, Chen Qi via lists.openembedded.org wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> It's possible that users use EXTRA_USERS_PARAMS to set password
> for root or explicitly expire root password. So we need to check
> these two cases to ensure the 'no password' banner is not misleading.
>
> As an example, below are configurations to make an image requiring
> setting a root password on first boot, but without having to first enter
> a static initial password:
>
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password"
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Checking and adding such a banner is ensured to run as last steps of
> ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particular,
> we want to ensure that the function runs after set_user_group function
> from extrausers.bbclass. So unlike other commands in this bbclass using
> the '+=', this function uses ':append'.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---

Hi Chen,

Thanks for your patch.

It looks like this is breaking the
containerimage.ContainerImageTests.test_expected_files selftest:

2025-12-03 13:55:47,169 - oe-selftest - INFO - containerimage.ContainerImageTests.test_expected_files (subunit.RemotedTestCase)
2025-12-03 13:55:47,176 - oe-selftest - INFO - ... FAIL
...
AssertionError: Lists differ: ['./'[14 chars]/etc/issue', './etc/ld.so.cache', './etc/times[112 chars]ib/'] != ['./'[14 chars]/etc/ld.so.cache', './etc/timestamp', './etc/v[97 chars]ib/']

First differing element 2:
'./etc/issue'
'./etc/ld.so.cache'

First list contains 1 additional elements.
First extra element 12:
'./var/lib/'

  ['./',
   './etc/',
-  './etc/issue',
   './etc/ld.so.cache',
   './etc/timestamp',
   './etc/version',
   './run/',
   './usr/',
   './usr/bin/',
   './usr/bin/theapp',
   './var/',
   './var/cache/',
   './var/lib/']

https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/2787
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/2682
https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/2926

Can you have a look at this?

Thanks,
Mathieu
Yes, of course. I'll look into it.

Regards,
Qi

-----Original Message-----
From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Sent: Thursday, December 4, 2025 3:37 AM
To: Chen, Qi <Qi.Chen@windriver.com>; openembedded-core@lists.openembedded.org
Cc: alex@linutronix.de
Subject: Re: [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index f4fbc4c57e..f57782b87b 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -5,7 +5,7 @@ # # Zap the root password if empty-root-password feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += '${SORT_PASSWD_POSTPROCESS_COMMAND}' # ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' +# Check and add 'no root password' banner. +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using :append. +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note" + # Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric # uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it # automatic or it can be a path. In the latter, the uid/gid matches the 
@@ -259,8 +263,12 @@ zap_empty_root_password () { # This function adds a note to the login banner that the system is configured for root logins without password # add_empty_root_password_note () { - echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue - echo "" >> ${IMAGE_ROOTFS}/etc/issue + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then + echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue + echo "" >> ${IMAGE_ROOTFS}/etc/issue + fi } #
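Review bot: The comment added above `ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note"` (hunk at -64,6 +64,10) has a typo, "needs to done", and does not say what the function has to run after. The commit message gives the actual reason, set_user_group from extrausers.bbclass, so name that in the comment. The append is also unconditional now that the first hunk drops the IMAGE_FEATURES selection, so the comment should state that add_empty_root_password_note runs for every image and must do nothing when root has no empty password.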
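Review bot: In add_empty_root_password_note (hunk at -259,8 +263,12), a missing ${IMAGE_ROOTFS}/etc/shadow, or a shadow file with no root entry, is treated the same as an empty root password. Both grep pipelines then produce an empty string, so `-z "$rootpw"` holds and `"$rootpw_lastchanged" != "0"` holds too, and the banner is appended. Since the function now runs for every image, this creates /etc/issue in images that ship neither file, which is consistent with the extra './etc/issue' entry in the containerimage selftest failure reported in this thread. Suggest returning early unless the shadow file exists and has a root line, for example `[ -e ${IMAGE_ROOTFS}/etc/shadow ] || return 0` followed by a `grep -q '^root:'` check, and reading the root line once rather than running grep twice with two different quoting styles.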