From patchwork Fri Jun 19 13:39:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Robert P. J. Day" X-Patchwork-Id: 90522 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BCAAACD4F26 for ; Fri, 19 Jun 2026 13:39:44 +0000 (UTC) Received: from cpanel10.indieserve.net (cpanel10.indieserve.net [199.212.143.9]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.42660.1781876383681755265 for ; Fri, 19 Jun 2026 06:39:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@crashcourse.ca header.s=default header.b=HdPMWlQR; spf=pass (domain: crashcourse.ca, ip: 199.212.143.9, mailfrom: rpjday@crashcourse.ca) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=crashcourse.ca; s=default; h=Content-Type:MIME-Version:Message-ID:Subject: To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=LAlUNY3GCk5x1bOHxtwiXDC6y+qnNBA+6mWMtzU9MMI=; b=HdPMWlQRvVz1YR+cNcH7mcUUs4 uvj6ttENkRLykO9+vfQ9ekMqePnU2SH32kLb6nY35qJ3TUUfzwoSDDt3WvmG+XdmC9CKaAFBzWsBS 5SMDitucSfyZUTm9+aGDD5vb22oYyEiMzgYwOOYJ30ndDm7YDivPIMp3s5BzCNmpQP44A2ufP5VUG Cnd8BRPhmw9dj49eQjD9Bsgs40AG/+9qpRhTVofKyMeQL3x8zdSL7GNbrQL6e9wjYF0S3HlYdiiTV lJHteRr5UhTnjO4c96LrssI60zVb8g00fRq5O2RaNu5vnCxosUChyjeF7w2Q4lqpueiSiIXCiTsyu 1XVd8Vuw==; Received: from bras-base-otwaon0916w-grc-51-67-71-147-190.dsl.bell.ca ([67.71.147.190]:36604 helo=trixie) by cpanel10.indieserve.net with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.99.4) (envelope-from ) id 1waZRd-00000002u88-1rGE for docs@lists.yoctoproject.org; Fri, 19 Jun 2026 09:39:42 -0400 Date: Fri, 19 Jun 2026 09:39:33 -0400 (EDT) From: "Robert P. J. Day" To: YP docs mailing list Subject: [PATCH] security-manual: clarify text on avoiding root logins, empty passwords Message-ID: MIME-Version: 1.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - cpanel10.indieserve.net X-AntiAbuse: Original Domain - lists.yoctoproject.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - crashcourse.ca X-Get-Message-Sender-Via: cpanel10.indieserve.net: authenticated_id: rpjday+crashcourse.ca/only user confirmed/virtual account not confirmed X-Authenticated-Sender: cpanel10.indieserve.net: rpjday@crashcourse.ca X-Source: X-Source-Args: X-Source-Dir: List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 19 Jun 2026 13:39:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9785 Explain how, during development, it's convenient to allow root logins and empty passwords in one of two ways: - explicitly setting image features, or - through an available configuration fragment and advise on removing such settings for the production image. Signed-off-by: Robert P. J. Day diff --git a/documentation/security-manual/securing-images.rst b/documentation/security-manual/securing-images.rst index 952808f3b..457921b34 100644 --- a/documentation/security-manual/securing-images.rst +++ b/documentation/security-manual/securing-images.rst @@ -92,21 +92,20 @@ Considerations Specific to the OpenEmbedded Build System You can take some steps that are specific to the OpenEmbedded build system to make your images more secure: -- Ensure that "allow-empty-password", "allow-root-login", or - "empty-root-password" are not one of your selected :term:`IMAGE_FEATURES`. - When creating a new project, the default is to provide you with an - initial ``local.conf`` file that enables these features using the - :term:`EXTRA_IMAGE_FEATURES` - variable with the line:: +- During development, it's convenient to relax security in your builds + and allow the use of empty passwords or root logins. This is typically + done by adding the values "allow-empty-password", "allow-root-login", and + "empty-root-password" to your build's image features, commonly with the + addition of the line: EXTRA_IMAGE_FEATURES = "allow-empty-password empty-root-password allow-root-login" - To disable these features, simply comment out that line in your - ``local.conf`` file, or make sure :term:`IMAGE_FEATURES` does not contain - any of these features before producing your final image. Among other things, - leaving this in place sets the root password as blank, which makes - logging in for debugging or inspection easy during development but - also means anyone can easily log in during production. + to your ``local.conf`` file, or by enabling the exactly equivalent + configuration fragment "root-login-with-empty-password.conf". + + If you're using either of these approaches during development, + make sure you remove or de-activate these settings before generating + your final production image. - It is possible to set a root password for the image and also to set passwords for any extra users you might add (e.g. administrative or