initial deflogin feature (security sensitive!)

The feature officially introduces the "engineering passwords"
including empty ones which have been around since forever but
weren't properly managed (and still are not, at least until
there are no stray passwd/chpasswd/usermod calls in both the
profile, installer-features and all the other related parts).

It is based on an m-p-d init3-users script by stanv@ but was
cleaned up and restructured in a pretty severe manner; thanks
glebfm@ for additional discussion.

This also cleans up the kludge previously stuck into build-vm.

Note that vm/icewm sports graphical autologin now as well as
the default root password (which can be overridden by passing
ROOTPW=... to make but it is a change from the previous state
of affairs indeed).
This commit is contained in:
Michael Shigorin 2013-06-14 13:24:28 +00:00
parent b337e72ead
commit d22c793ee9
8 changed files with 79 additions and 19 deletions

View File

@ -4,6 +4,7 @@ ifeq (vm,$(IMAGE_CLASS))
vm/net: vm/bare use/vm-net/dhcp use/vm-ssh; @:
# NB: use/x11 employs some installer-feature packages
vm/icewm: vm/net use/cleanup/installer use/repo +icewm; @:
vm/icewm: vm/net use/cleanup/installer use/repo use/deflogin/altlinuxroot \
use/x11/xorg use/x11/lightdm/gtk use/x11-autologin +icewm; @:
endif

View File

@ -1,4 +1,3 @@
# hooked from ../../lib/sugar.mk
use/build-vm: sub/rootfs@/ use/kernel
use/build-vm: sub/rootfs@/ use/kernel use/deflogin
@$(call add_feature)
@$(call xport,ROOTPW)

View File

@ -1,11 +0,0 @@
#!/bin/sh
if [ -n "$GLOBAL_ROOTPW" ]; then
if type -t chpasswd >&/dev/null; then
echo "root:$GLOBAL_ROOTPW" | chpasswd
else
echo "** warning: chpasswd binary missing" >&2
fi
else
echo "** warning: no root password provided, you're on your own" >&2
fi

View File

@ -11,10 +11,6 @@ IMAGE_PACKAGES = $(DOT_BASE) \
VM_TARBALL := $(IMAGE_OUTDIR)/$(IMAGE_NAME).tar
VM_RAWDISK := $(IMAGE_OUTDIR)/$(IMAGE_NAME).raw
ifeq (,$(ROOTPW))
$(error please provide root password via ROOTPW)
endif
check-sudo:
@if ! type -t sudo >&/dev/null; then \
echo "** error: sudo not available, see doc/vm.txt" >&2; \
@ -43,7 +39,6 @@ convert-image: prepare-image
fi
run-image-scripts: GLOBAL_CLEANUP_PACKAGES := $(CLEANUP_PACKAGES)
run-image-scripts: GLOBAL_ROOTPW := $(ROOTPW)
# override
pack-image: MKI_PACK_RESULTS := tar:$(VM_TARBALL)

View File

@ -0,0 +1,4 @@
Эта фича конфигурирует root login и пользователей по умолчанию.
ВНИМАНИЕ: применяйте разумно, т.к. крайне легко создать и оставить
дыру в безопасности!

View File

@ -0,0 +1,29 @@
# WARNING: the variable values are stored in build config/log!
use/deflogin:
@$(call add_feature)
@$(call add,THE_PACKAGES,shadow-utils)
@$(call xport,ROOTPW)
@$(call xport,USERS)
@$(call xport,GROUPS)
# some presets
# USERS variable chunk format is "login:passwd:admin:sudo"
# GROUPS are just stashed there to include USERS logins created
# livecd: root and altlinux users with no password at all
use/deflogin/empty: use/deflogin use/deflogin/altlinux
@$(call set,ROOTPW,)
@$(call add,USERS,altlinux::1:1)
# mostly used to allow access to videocard and desktop related hardware
use/deflogin/xgrp: use/deflogin
@$(call add,GROUPS,xgrp)
# appliances: "root:altlinux"; "altlinux:root" in "xgrp" group
use/deflogin/altlinuxroot: use/deflogin/xgrp
@$(call try,ROOTPW,altlinux)
@$(call add,USERS,altlinux:root:1:1)
# could also be passed on the commandline
use/deflogin/root: use/deflogin
@$(call try,ROOTPW,altlinux)

View File

@ -0,0 +1,10 @@
#!/bin/sh
# set root password if any; no-op if it is unset
test="${GLOBAL_ROOTPW=:unset}"
if [ "$test" = ":unset" ]; then
echo "** warning: no root password provided, you're on your own" >&2
else
echo "$GLOBAL_ROOTPW" | passwd --stdin root
fi

View File

@ -0,0 +1,33 @@
#!/bin/bash
# add regular user(s) assigning passwords and attributes of power
# NB: care that the utilities exist; shadow-utils is warranted
add_user() {
useradd -m "$1" &&
usermod -p "" "$1" &&
if [ -n "$GLOBAL_GROUPS" ]; then
usermod -a --groups "${GLOBAL_GROUPS// /,}" "$1" # bashism
fi ||
echo "*** failed to add user '$1'"
}
set_password() { echo "$1:$2" | chpasswd; }
set_admin() { usermod -a --groups "wheel" "$1"; }
set_sudo() {
[ ! -w "/etc/sudoers" ] ||
echo "$1\tALL=(ALL) ALL" >> "/etc/sudoers"
}
# chpasswd is inteded for batch use but that would be less comprehensible
[ -z "$GLOBAL_USERS" ] ||
echo "$GLOBAL_USERS" \
| tr ' ' '\n' \
| while IFS=':' read login passwd admin sudo; do
add_user "$login"
[ -z "$passwd" ] || set_password "$login" "$passwd"
[ -z "$admin" ] || set_admin "$login"
[ -z "$sudo" ] || set_sudo "$login"
done