From patchwork Wed Dec 17 05:22:39 2025
X-Patchwork-Submitter: ChenQi
X-Patchwork-Id: 76792
Subject: [OE-core][PATCH V6 1/2] extrausers.bbclass: use '+=' for ROOTFS_POSTPROCESS_COMMAND
Date: Wed, 17 Dec 2025 05:22:39 +0000
Message-ID: <20251217052240.3400449-1-Qi.Chen@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227996
From: Chen Qi

This is the only place in oe-core that still uses append for ROOTFS_POSTPROCESS_COMMAND. It's modifying users and groups and such behavior does not need to run as the last step. So change to use '+='.

Signed-off-by: Chen Qi
--- meta/classes/extrausers.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/extrausers.bbclass b/meta/classes/extrausers.bbclass index c825c06df9..bfb70b7180 100644 --- a/meta/classes/extrausers.bbclass +++ b/meta/classes/extrausers.bbclass 
@@ -23,7 +23,7 @@ inherit useradd_base PACKAGE_INSTALL:append = " ${@['', 'base-passwd shadow'][bool(d.getVar('EXTRA_USERS_PARAMS'))]}" # Image level user / group settings -ROOTFS_POSTPROCESS_COMMAND:append = " set_user_group" +ROOTFS_POSTPROCESS_COMMAND += "set_user_group" # Image level user / group settings set_user_group () {
From patchwork Wed Dec 17 05:22:40 2025
X-Patchwork-Submitter: ChenQi
X-Patchwork-Id: 76791
Subject: [OE-core][PATCH V6 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner
Date: Wed, 17 Dec 2025 05:22:40 +0000
Message-ID: <20251217052240.3400449-2-Qi.Chen@windriver.com>
In-Reply-To: <20251217052240.3400449-1-Qi.Chen@windriver.com>
References: <20251217052240.3400449-1-Qi.Chen@windriver.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/227997

From: Chen Qi

It's possible that users use EXTRA_USERS_PARAMS to set password for root or explicitly expire root password. So we need to check these two cases to ensure the 'no password' banner is not misleading.

As an example, below are configurations to make an image requiring setting a root password on first boot, but without having to first enter a static initial password:

In conf/toolcfg.cfg:
OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password"
In local.conf:
INHERIT += "extrausers"
EXTRA_USERS_PARAMS += " passwd-expire root;"

Adding such banner is only meaningful when base-passwd and base-files are installed. In case of container image, they might not be installed (e.g., container-test-image). So add extra checking for it. With the above logic, we avoid breaking the following oe-selftest test case:
containerimage.ContainerImageTests.test_expected_files

Signed-off-by: Chen Qi
--- meta/classes-recipe/rootfs-postcommands.bbclass | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index f4fbc4c57e..2a36840f29 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -5,7 +5,7 @@ # # Zap the root password if empty-root-password feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' 
@@ -58,6 +58,9 @@ inherit image-artifact-names SORT_PASSWD_POSTPROCESS_COMMAND ??= "tidy_shadowutils_files" ROOTFS_POSTPROCESS_COMMAND += '${SORT_PASSWD_POSTPROCESS_COMMAND}' +# Check and add 'no root password' banner. +ROOTFS_POSTPROCESS_COMMAND += "add_empty_root_password_note" + # # Note that useradd-staticids.bbclass has to be used to ensure that # the numeric IDs of dynamically created entries remain stable. @@ -259,8 +262,14 @@ zap_empty_root_password () { # This function adds a note to the login banner that the system is configured for root logins without password # add_empty_root_password_note () { - echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue - echo "" >> ${IMAGE_ROOTFS}/etc/issue + if [ -e ${IMAGE_ROOTFS}/etc/shadow -a -e ${IMAGE_ROOTFS}/etc/issue ]; then + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then + echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue + echo "" >> ${IMAGE_ROOTFS}/etc/issue + fi + fi } #
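
Review bot: In the extrausers.bbclass hunk of PATCH 1/2 (@@ -23,7 +23,7 @@), replacing `:append` with `+=` makes the position of set_user_group in ROOTFS_POSTPROCESS_COMMAND depend on when this class is parsed, and PATCH 2/2 relies on that position without saying so. add_empty_root_password_note decides about the banner from /etc/shadow, so it only sees a root password or expiry set through EXTRA_USERS_PARAMS if set_user_group is already ahead of it in the list. That holds for the INHERIT += "extrausers" configuration shown in the 2/2 commit message, but an image recipe that inherits extrausers after the image classes would place set_user_group behind the banner check. Suggest stating the ordering requirement in the comment above the `+=` line here and above the `+= "add_empty_root_password_note"` line in 2/2, or making the banner check independent of list order.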
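
Review bot: In add_empty_root_password_note (PATCH 2/2, @@ -259,8 +262,14 @@), a shadow file that has no root entry is handled the same way as an empty root password: both grep pipelines return nothing, so `-z "$rootpw"` is true, "$rootpw_lastchanged" is not "0", and the banner is appended to /etc/issue. Suggest reading the root line once, returning when it is absent, and cutting fields 2 and 3 from that single value, which also removes the second pass over the file. Two smaller points on the same lines: the second assignment nests double quotes inside backticks inside double quotes (`grep "^root:"`), which is fragile in sh, so $(...) with the single-quoted pattern used in the first assignment is safer and keeps the two lines consistent. ${IMAGE_ROOTFS} is unquoted in every path, and `[ ... -a ... ]` is marked obsolescent in POSIX, so `[ ... ] && [ ... ]` is the preferred form for both tests.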