| Message ID | 20251129154130.505619-1-Qi.Chen@windriver.com |
|---|---|
| State | New |
| Series | [V3,1/2] rootfs-postcommands.bbclass: fix adding 'no password' banner |

On Sat, 29 Nov 2025 at 16:41, Chen Qi via lists.openembedded.org
<Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> It's possible that users use EXTRA_USERS_PARAMS to set password
> for root or explicitly expire root password. So we need to check
> these two cases to ensure the 'no password' banner is not misleading.
>
> As an example:
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Note that allowing 'empty-root-password' image feature + setting/expiring
> root password has been working since available. This patch focuses on
> the banner. We want to ensure that it's there only when root really has
> empty password.

Ok, it took me a moment (and an image build/runqemu execution) to
figure out the use case for the above. Which is: make an image that
requires setting a root password on first boot, but without having to
first enter a static initial password. In which case the banner is
indeed misleading.

The patch can probably be tweaked to ensure the check for needing to
add a banner runs last (at the point where no further modifications to
the root filesystem are going to happen), and it can be made
unconditional, and only checking the actual content of the root
filesystem, and not accessing IMAGE_FEATURES at all.

Is that ok? Can you do it like that? And tweak the commit message to
explain what that configuration actually does :)

Alex

On 11/30/25 02:14, Alexander Kanavin wrote:
> On Sat, 29 Nov 2025 at 16:41, Chen Qi via lists.openembedded.org
> <Qi.Chen=windriver.com@lists.openembedded.org> wrote:
>> It's possible that users use EXTRA_USERS_PARAMS to set password
>> for root or explicitly expire root password. So we need to check
>> these two cases to ensure the 'no password' banner is not misleading.
>>
>> As an example:
>> In conf/toolcfg.cfg:
>> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
>> In local.conf:
>> INHERIT += "extrausers"
>> EXTRA_USERS_PARAMS += " passwd-expire root;"
>>
>> Note that allowing 'empty-root-password' image feature + setting/expiring
>> root password has been working since available. This patch focuses on
>> the banner. We want to ensure that it's there only when root really has
>> empty password.
> Ok, it took me a moment (and an image build/runqemu execution) to
> figure out the use case for the above. Which is: make an image that
> requires setting a root password on first boot, but without having to
> first enter a static initial password. In which case the banner is
> indeed misleading.
>
> The patch can probably be tweaked to ensure the check for needing to
> add a banner runs last (at the point where no further modifications to
> the root filesystem are going to happen), and it can be made
> unconditional, and only checking the actual content of the root
> filesystem, and not accessing IMAGE_FEATURES at all.
>
> Is that ok? Can you do it like that? And tweak the commit message to
> explain what that configuration actually does :)
>
> Alex

Yes. Good idea. I'll use this method in V4.
I'll also re-order these two patches.

Regards,
Qi
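
A sketch of the content-only check suggested in the review above: decide whether the banner applies by reading the root filesystem alone, without consulting IMAGE_FEATURES. This is an added example, not code from the patch or from OpenEmbedded; `root_field`, `root_login_is_passwordless` and the sample rootfs are hypothetical and constructed, and the `/etc/passwd` fallback goes beyond what the thread discusses.

```sh
#!/bin/sh
# Added example, not part of the patch. Function names are hypothetical.

# Print field $2 of root's entry in file $1 (nothing if file or entry is absent).
root_field () {
    [ -f "$1" ] || return 0
    awk -F: -v n="$2" '$1 == "root" { print $n; exit }' "$1"
}

# Succeed only if root has an empty, non-expired password in rootfs $1.
root_login_is_passwordless () {
    rootfs="$1"
    pw="$(root_field "$rootfs/etc/passwd" 2)"
    if [ "$pw" = "x" ]; then
        # Password is kept in shadow: field 2 is the hash, field 3 the
        # last-change day (0 means "must change at next login").
        grep -q '^root:' "$rootfs/etc/shadow" 2>/dev/null || return 1
        hash="$(root_field "$rootfs/etc/shadow" 2)"
        lastchg="$(root_field "$rootfs/etc/shadow" 3)"
        [ -z "$hash" ] && [ "$lastchg" != "0" ]
    else
        # No shadow indirection: an empty field 2 in passwd means no password.
        grep -q '^root:' "$rootfs/etc/passwd" 2>/dev/null && [ -z "$pw" ]
    fi
}

# Constructed sample rootfs: empty hash, last-change day 0 (passwd-expire root).
demo="$(mktemp -d)"
mkdir -p "$demo/etc"
echo 'root:x:0:0:root:/root:/bin/sh' > "$demo/etc/passwd"
echo 'root::0:0:99999:7:::' > "$demo/etc/shadow"
if root_login_is_passwordless "$demo"; then
    echo "banner: yes"
else
    echo "banner: no"
fi
rm -rf "$demo"
```
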
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index d3a569ba3e..bcc25798b9 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -4,8 +4,8 @@ # SPDX-License-Identifier: MIT # -# Zap the root password if empty-root-password feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' +# Zap the root password if empty-root-password feature is not enabled else add a 'no password' banner if appropriate +ROOTFS_POSTPROCESS_COMMAND:append = ' ${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' @@ -259,7 +259,11 @@ zap_empty_root_password () { # This function adds a note to the login banner that the system is configured for root logins without password # add_empty_root_password_note () { - echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then + echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue + fi } #
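
Review bot: In the first hunk (`@@ -4,8 +4,8 @@`), the switch from `+=` to `:append` on ROOTFS_POSTPROCESS_COMMAND is not explained in the comment above it or in the commit message. If the intent is to run add_empty_root_password_note after the commands that change root's shadow entry, say so in the comment. Note also that `:append` only places this after `+=` assignments, not after other `:append` overrides, so it does not by itself guarantee the check sees the final root filesystem. The new comment would read more clearly as two sentences than as "... is not enabled else add ...".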
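
Review bot: In the second hunk (`@@ -259,7 +259,11 @@`), add_empty_root_password_note never checks that ${IMAGE_ROOTFS}/etc/shadow exists or contains a root entry. When it does not, both `rootpw` and `rootpw_lastchanged` come back empty, the test `-z "$rootpw" -a "$rootpw_lastchanged" != "0"` passes, and the banner is written without anything having been verified. Guard the block with an existence test on the file (or fall back to the password field in /etc/passwd) before comparing the fields. Smaller points on the same lines: the root entry is grepped twice with inconsistent quoting and could be read once, `[ ... ] && [ ... ]` is preferable to the obsolescent `-a`, and `$(...)` is preferable to backticks.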