initial deflogin feature (security sensitive!)
The feature officially introduces the "engineering passwords" including empty ones which have been around since forever but weren't properly managed (and still are not, at least until there are no stray passwd/chpasswd/usermod calls in both the profile, installer-features and all the other related parts). It is based on an m-p-d init3-users script by stanv@ but was cleaned up and restructured in a pretty severe manner; thanks glebfm@ for additional discussion. This also cleans up the kludge previously stuck into build-vm. Note that vm/icewm sports graphical autologin now as well as the default root password (which can be overridden by passing ROOTPW=... to make but it is a change from the previous state of affairs indeed).
parent
b337e72ead
commit
d22c793ee9
@ -4,6 +4,7 @@ ifeq (vm,$(IMAGE_CLASS))
|
||||
vm/net: vm/bare use/vm-net/dhcp use/vm-ssh; @:
|
||||
|
||||
# NB: use/x11 employs some installer-feature packages
|
||||
vm/icewm: vm/net use/cleanup/installer use/repo +icewm; @:
|
||||
vm/icewm: vm/net use/cleanup/installer use/repo use/deflogin/altlinuxroot \
|
||||
use/x11/xorg use/x11/lightdm/gtk use/x11-autologin +icewm; @:
|
||||
|
||||
endif
|
||||
|
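Review bot: The new `vm/icewm` rule adds `use/deflogin/altlinuxroot` and `use/x11-autologin` on top of `vm/net`, which already pulls in `use/vm-ssh`, so the image ships preset logins on a system that also runs an SSH server. Whether those accounts can actually log in over SSH depends on sshd configuration that is not visible in this hunk and should be confirmed. `ROOTPW=...` only overrides the root preset; the `altlinux` entry in USERS is added unconditionally by that feature. The existing `# NB:` comment does not mention any of this, so I would add `# NB: ships preset logins (use/deflogin/altlinuxroot) next to use/vm-ssh; override ROOTPW=... and review USERS for anything network-reachable`. The `ifeq` block starts outside the hunk.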
@ -1,4 +1,3 @@
|
||||
# hooked from ../../lib/sugar.mk
|
||||
use/build-vm: sub/rootfs@/ use/kernel
|
||||
use/build-vm: sub/rootfs@/ use/kernel use/deflogin
|
||||
@$(call add_feature)
|
||||
@$(call xport,ROOTPW)
|
||||
|
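Review bot: `use/build-vm` now depends on plain `use/deflogin`, which only exports ROOTPW, USERS and GROUPS and sets none of them, while later hunks of this commit drop the `$(error please provide root password via ROOTPW)` guard. A VM target that selects no preset and gets no ROOTPW then appears to reach `50-root` with nothing enforced, instead of stopping the build as before. The state root's password ends up in depends on the base image and on how `xport` passes an unset variable, neither of which is visible here. If the fail-open behaviour is intended, the rule should say so, e.g. `# root password comes from a use/deflogin/* preset or ROOTPW=...; nothing is enforced here`.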
@ -1,11 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ -n "$GLOBAL_ROOTPW" ]; then
|
||||
if type -t chpasswd >&/dev/null; then
|
||||
echo "root:$GLOBAL_ROOTPW" | chpasswd
|
||||
else
|
||||
echo "** warning: chpasswd binary missing" >&2
|
||||
fi
|
||||
else
|
||||
echo "** warning: no root password provided, you're on your own" >&2
|
||||
fi
|
@ -11,10 +11,6 @@ IMAGE_PACKAGES = $(DOT_BASE) \
|
||||
VM_TARBALL := $(IMAGE_OUTDIR)/$(IMAGE_NAME).tar
|
||||
VM_RAWDISK := $(IMAGE_OUTDIR)/$(IMAGE_NAME).raw
|
||||
|
||||
ifeq (,$(ROOTPW))
|
||||
$(error please provide root password via ROOTPW)
|
||||
endif
|
||||
|
||||
check-sudo:
|
||||
@if ! type -t sudo >&/dev/null; then \
|
||||
echo "** error: sudo not available, see doc/vm.txt" >&2; \
|
||||
@ -43,7 +39,6 @@ convert-image: prepare-image
|
||||
fi
|
||||
|
||||
run-image-scripts: GLOBAL_CLEANUP_PACKAGES := $(CLEANUP_PACKAGES)
|
||||
run-image-scripts: GLOBAL_ROOTPW := $(ROOTPW)
|
||||
|
||||
# override
|
||||
pack-image: MKI_PACK_RESULTS := tar:$(VM_TARBALL)
|
||||
|
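--- a/features.in/deflogin/README
+++ b/features.in/deflogin/README
@@ -0,0 +1,4 @@
+Эта фича конфигурирует root login и пользователей по умолчанию.
+
+ВНИМАНИЕ: применяйте разумно, т.к. крайне легко создать и оставить
+дыру в безопасности!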
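--- a/features.in/deflogin/config.mk
+++ b/features.in/deflogin/config.mk
@@ -0,0 +1,29 @@
+# WARNING: the variable values are stored in build config/log!
+use/deflogin:
+@$(call add_feature)
+@$(call add,THE_PACKAGES,shadow-utils)
+@$(call xport,ROOTPW)
+@$(call xport,USERS)
+@$(call xport,GROUPS)
+
+# some presets
+# USERS variable chunk format is "login:passwd:admin:sudo"
+# GROUPS are just stashed there to include USERS logins created
+
+# livecd: root and altlinux users with no password at all
+use/deflogin/empty: use/deflogin use/deflogin/altlinux
+@$(call set,ROOTPW,)
+@$(call add,USERS,altlinux::1:1)
+
+# mostly used to allow access to videocard and desktop related hardware
+use/deflogin/xgrp: use/deflogin
+@$(call add,GROUPS,xgrp)
+
+# appliances: "root:altlinux"; "altlinux:root" in "xgrp" group
+use/deflogin/altlinuxroot: use/deflogin/xgrp
+@$(call try,ROOTPW,altlinux)
+@$(call add,USERS,altlinux:root:1:1)
+
+# could also be passed on the commandline
+use/deflogin/root: use/deflogin
+@$(call try,ROOTPW,altlinux)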
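Review bot: `use/deflogin/empty` lists `use/deflogin/altlinux` as a prerequisite, but this file defines only `use/deflogin`, `/empty`, `/xgrp`, `/altlinuxroot` and `/root`; unless that target exists elsewhere, make will stop with a missing-rule error when the livecd preset is selected. Separately, the preset comments name the logins but not the trailing `:1:1`, which per the format line grants both the admin and sudo attributes. I would spell that out, e.g. `# altlinux::1:1 = no password, wheel member, sudoers entry`. The opening WARNING could also state that ROOTPW and the passwords inside USERS are exported in clear text, so build configs and logs need the same handling as the secrets themselves.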
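--- a/features.in/deflogin/rootfs/image-scripts.d/50-root
+++ b/features.in/deflogin/rootfs/image-scripts.d/50-root
@@ -0,0 +1,10 @@
+#!/bin/sh
+# set root password if any; no-op if it is unset
+
+test="${GLOBAL_ROOTPW=:unset}"
+
+if [ "$test" = ":unset" ]; then
+echo "** warning: no root password provided, you're on your own" >&2
+else
+echo "$GLOBAL_ROOTPW" | passwd --stdin root
+fi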
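Review bot: `echo "$GLOBAL_ROOTPW" | passwd --stdin root` passes the password through `echo`, whose handling of backslashes and of a leading `-n` differs between `/bin/sh` implementations, so some passwords would be set to something other than what was given; `printf '%s\n' "$GLOBAL_ROOTPW" | passwd --stdin root` avoids that. The header comment says "no-op if it is unset" but does not cover the set-but-empty value that `use/deflogin/empty` produces with `$(call set,ROOTPW,)`. What `passwd --stdin` does with an empty line should be confirmed and stated in that comment. The `=` in `${GLOBAL_ROOTPW=:unset}` also assigns the sentinel to the variable, whereas `${GLOBAL_ROOTPW-:unset}` tests it without modifying it.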
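--- a/features.in/deflogin/rootfs/image-scripts.d/50-users
+++ b/features.in/deflogin/rootfs/image-scripts.d/50-users
@@ -0,0 +1,33 @@
+#!/bin/bash
+# add regular user(s) assigning passwords and attributes of power
+
+# NB: care that the utilities exist; shadow-utils is warranted
+
+add_user() {
+useradd -m "$1" &&
+usermod -p "" "$1" &&
+if [ -n "$GLOBAL_GROUPS" ]; then
+usermod -a --groups "${GLOBAL_GROUPS// /,}" "$1" # bashism
+fi ||
+echo "*** failed to add user '$1'"
+}
+
+set_password() { echo "$1:$2" | chpasswd; }
+
+set_admin() { usermod -a --groups "wheel" "$1"; }
+
+set_sudo() {
+[ ! -w "/etc/sudoers" ] ||
+echo "$1\tALL=(ALL) ALL" >> "/etc/sudoers"
+}
+
+# chpasswd is inteded for batch use but that would be less comprehensible
+[ -z "$GLOBAL_USERS" ] ||
+echo "$GLOBAL_USERS" \
+| tr ' ' '\n' \
+| while IFS=':' read login passwd admin sudo; do
+add_user "$login"
+[ -z "$passwd" ] || set_password "$login" "$passwd"
+[ -z "$admin" ] || set_admin "$login"
+[ -z "$sudo" ] || set_sudo "$login"
+done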
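Review bot: In `set_sudo`, `echo "$1\tALL=(ALL) ALL"` runs under `#!/bin/bash`, where `echo` without `-e` does not expand `\t` by default, so a literal backslash-t is appended to `/etc/sudoers`, and a malformed sudoers file can make sudo refuse to run at all. `printf '%s\tALL=(ALL) ALL\n' "$1" >> /etc/sudoers` writes the intended tab, and running `visudo -c` afterwards would catch a bad entry during the build. `add_user` also blanks the password with `usermod -p ""` before `set_password` runs, and the loop ignores the result of both, so a failed `chpasswd` leaves a passwordless account that may still be added to wheel and sudoers. Gating `set_admin`/`set_sudo` on the success of `add_user` and `set_password` would make that fail closed. The failure message in `add_user` goes to stdout, unlike the `>&2` warnings in `50-root`.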