diff mbox series

[V2,1/2] rootfs-postcommands.bbclass: fix adding 'no password' banner

Message ID 20251129035436.249679-1-Qi.Chen@windriver.com
State New
Headers show
Series [V2,1/2] rootfs-postcommands.bbclass: fix adding 'no password' banner | expand

Commit Message

ChenQi Nov. 29, 2025, 3:54 a.m. UTC 
From: Chen Qi <Qi.Chen@windriver.com>

It's possible that users use EXTRA_USERS_PARAMS to set password
for root or explicitly expire root password. So we need to check
these two cases to ensure the 'no password' banner is not misleading.

As an example:
In conf/toolcfg.cfg:
OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
In local.conf:
INHERIT += "extrausers"
EXTRA_USERS_PARAMS += " passwd-expire root;"

Note that allowing 'empty-root-password' image feature + setting/expiring
root password has been working since available. This patch focuses on
the banner. We want to ensure that it's there only when root really has
empty password.

We need to ensure that the function runs after set_user_group function
from extrausers.bbclass. This is because the check is valid only after
things set in EXTRA_USERS_PARAMS are done. So change to use :append.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/classes-recipe/rootfs-postcommands.bbclass | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

Alexander Kanavin Nov. 29, 2025, 10:16 a.m. UTC | #1 
On Sat, 29 Nov 2025 at 04:54, Chen Qi via lists.openembedded.org
<Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> It's possible that users use EXTRA_USERS_PARAMS to set password
> for root or explicitly expire root password. So we need to check
> these two cases to ensure the 'no password' banner is not misleading.
>
> As an example:
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Note that allowing 'empty-root-password' image feature + setting/expiring
> root password has been working since available. This patch focuses on
> the banner. We want to ensure that it's there only when root really has
> empty password.
>
> We need to ensure that the function runs after set_user_group function
> from extrausers.bbclass. This is because the check is valid only after
> things set in EXTRA_USERS_PARAMS are done. So change to use :append.

If you are setting a password for root, then why at the same time you
add root-login-with-empty-password to fragments? Aren't they
contradicting each other, and you should pick one or the other, but
not both? Yes up to now EXTRA_USERS_PARAMS setting took priority over
the empty-password setting, and gave you the desired outcome, but that
does not in itself make the combination a valid configuration with a
well-defined behaviour that needs to be preserved.

Alex
ChenQi Nov. 29, 2025, 2:19 p.m. UTC | #2 
This combination has been working for 10+ years. I do like banner. But it's sometimes misleading. See the example. This patch is trying to make it not misleading. 

I don’t think erroring out in useradd_base.bbclass with special case is a good approach. Why so? I don't see any strong reason to break previous behavior. And that makes useradd_base.bbclass bundled with IMAGE_FEATURES. 

Regards,
Qi

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com> 
Sent: Saturday, November 29, 2025 6:16 PM
To: Chen, Qi <Qi.Chen@windriver.com>
Cc: openembedded-core@lists.openembedded.org; alex@linutronix.de
Subject: Re: [OE-core][PATCH V2 1/2] rootfs-postcommands.bbclass: fix adding 'no password' banner

On Sat, 29 Nov 2025 at 04:54, Chen Qi via lists.openembedded.org <Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> It's possible that users use EXTRA_USERS_PARAMS to set password for 
> root or explicitly expire root password. So we need to check these two 
> cases to ensure the 'no password' banner is not misleading.
>
> As an example:
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Note that allowing 'empty-root-password' image feature + 
> setting/expiring root password has been working since available. This 
> patch focuses on the banner. We want to ensure that it's there only 
> when root really has empty password.
>
> We need to ensure that the function runs after set_user_group function 
> from extrausers.bbclass. This is because the check is valid only after 
> things set in EXTRA_USERS_PARAMS are done. So change to use :append.

If you are setting a password for root, then why at the same time you add root-login-with-empty-password to fragments? Aren't they contradicting each other, and you should pick one or the other, but not both? Yes up to now EXTRA_USERS_PARAMS setting took priority over the empty-password setting, and gave you the desired outcome, but that does not in itself make the combination a valid configuration with a well-defined behaviour that needs to be preserved.

Alex
ChenQi Nov. 29, 2025, 2:48 p.m. UTC | #3 
Hi Alex,

To make things clear, my major focus is on the 'no password' banner.
This patch is to ensure that the banner is not displayed when not appropriate.

I can accept the behavior that 'no password for root' image feature errors out with root account manipulated (though I don't like it). I just don't think we should make useradd related bbclasses accessing IMAGE_FEATURES.

Please give these two patches a second thought. If you have other suggestion, please let me know.

Regards,
Qi

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Chen Qi via lists.openembedded.org
Sent: Saturday, November 29, 2025 10:19 PM
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: openembedded-core@lists.openembedded.org; alex@linutronix.de
Subject: Re: [OE-core][PATCH V2 1/2] rootfs-postcommands.bbclass: fix adding 'no password' banner

This combination has been working for 10+ years. I do like banner. But it's sometimes misleading. See the example. This patch is trying to make it not misleading. 

I don’t think erroring out in useradd_base.bbclass with special case is a good approach. Why so? I don't see any strong reason to break previous behavior. And that makes useradd_base.bbclass bundled with IMAGE_FEATURES. 

Regards,
Qi

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com>
Sent: Saturday, November 29, 2025 6:16 PM
To: Chen, Qi <Qi.Chen@windriver.com>
Cc: openembedded-core@lists.openembedded.org; alex@linutronix.de
Subject: Re: [OE-core][PATCH V2 1/2] rootfs-postcommands.bbclass: fix adding 'no password' banner

On Sat, 29 Nov 2025 at 04:54, Chen Qi via lists.openembedded.org <Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> It's possible that users use EXTRA_USERS_PARAMS to set password for 
> root or explicitly expire root password. So we need to check these two 
> cases to ensure the 'no password' banner is not misleading.
>
> As an example:
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Note that allowing 'empty-root-password' image feature + 
> setting/expiring root password has been working since available. This 
> patch focuses on the banner. We want to ensure that it's there only 
> when root really has empty password.
>
> We need to ensure that the function runs after set_user_group function 
> from extrausers.bbclass. This is because the check is valid only after 
> things set in EXTRA_USERS_PARAMS are done. So change to use :append.

If you are setting a password for root, then why at the same time you add root-login-with-empty-password to fragments? Aren't they contradicting each other, and you should pick one or the other, but not both? Yes up to now EXTRA_USERS_PARAMS setting took priority over the empty-password setting, and gave you the desired outcome, but that does not in itself make the combination a valid configuration with a well-defined behaviour that needs to be preserved.

Alex
diff mbox series

Patch

diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index d3a569ba3e..bcc25798b9 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -4,8 +4,8 @@ 
 # SPDX-License-Identifier: MIT
 #
 
-# Zap the root password if empty-root-password feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}'
+# Zap the root password if empty-root-password feature is not enabled else add a 'no password' banner if appropriate
+ROOTFS_POSTPROCESS_COMMAND:append = ' ${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}'
 
 # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}'
@@ -259,7 +259,11 @@  zap_empty_root_password () {
 # This function adds a note to the login banner that the system is configured for root logins without password
 #
 add_empty_root_password_note () {
-	echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue
+	rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`"
+	rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`"
+	if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then
+		echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue
+	fi
 }
 
 #