shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-13 17:18:18 +03:00
Code

firstboot: Add --root-password-hashed option

Browse Source
This commit is contained in:
Daan De Meyer 2020-05-25 19:24:07 +02:00
parent 97a1a1103c
commit 676339a191
2 changed files with 90 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
man/systemd-firstboot.xml
View File

@ -150,18 +150,18 @@
<varlistentry>
<term><option>--root-password=<replaceable>PASSWORD</replaceable></option></term>
<term><option>--root-password-file=<replaceable>PATH</replaceable></option></term>
<term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term>
<listitem><para>Sets the password of the system's root user.
This creates a
<listitem><para>Sets the password of the system's root user. This creates a
<citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
file. This setting exists in two forms:
<option>--root-password=</option> accepts the password to set
directly on the command line, and
<option>--root-password-file=</option> reads it from a file.
Note that it is not recommended to specify passwords on the
command line, as other users might be able to see them simply
by invoking
<citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
file. This setting exists in three forms: <option>--root-password=</option> accepts the password to
set directly on the command line, <option>--root-password-file=</option> reads it from a file and
<option>--root-password-hashed=</option> accepts an already hashed password on the command line. See
<citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the format of the hashed password. Note that it is not recommended to specify
plaintext passwords on the command line, as other users might be able to see them simply by invoking
<citerefentry project='die-net'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
<varlistentry>

25
src/firstboot/firstboot.c
View File

@ -53,6 +53,7 @@ static bool arg_copy_timezone = false;
static bool arg_copy_root_password = false;
static bool arg_force = false;
static bool arg_delete_root_password = false;
static bool arg_root_password_is_hashed = false;
STATIC_DESTRUCTOR_REGISTER(arg_root, freep);
STATIC_DESTRUCTOR_REGISTER(arg_locale, freep);
@ -718,7 +719,6 @@ static int write_root_shadow(const char *shadow_path, const char *hashed_passwor
}
static int process_root_password(void) {
_cleanup_free_ char *salt = NULL;
_cleanup_close_ int lock = -1;
struct crypt_data cd = {};
const char *hashed_password;
@ -779,6 +779,12 @@ static int process_root_password(void) {
if (!arg_root_password)
return 0;
if (arg_root_password_is_hashed)
hashed_password = arg_root_password;
else {
_cleanup_free_ char *salt = NULL;
/* hashed_password points inside cd after crypt_r returns so cd has function scope. */
r = make_salt(&salt);
if (r < 0)
return log_error_errno(r, "Failed to get salt: %m");
@ -788,6 +794,7 @@ static int process_root_password(void) {
if (!hashed_password)
return log_error_errno(errno == 0 ? SYNTHETIC_ERRNO(EINVAL) : errno,
"Failed to encrypt password: %m");
}
r = write_root_shadow(etc_shadow, hashed_password);
if (r < 0)
@ -816,8 +823,9 @@ static int help(void) {
" --timezone=TIMEZONE Set timezone\n"
" --hostname=NAME Set hostname\n"
" --machine-ID=ID Set machine ID\n"
" --root-password=PASSWORD Set root password\n"
" --root-password=PASSWORD Set root password from plaintext password\n"
" --root-password-file=FILE Set root password from file\n"
" --root-password-hashed=HASHED_PASSWORD Set root password from hashed password\n"
" --prompt-locale Prompt the user for locale settings\n"
" --prompt-keymap Prompt the user for keymap settings\n"
" --prompt-timezone Prompt the user for timezone\n"
@ -853,6 +861,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_MACHINE_ID,
ARG_ROOT_PASSWORD,
ARG_ROOT_PASSWORD_FILE,
ARG_ROOT_PASSWORD_HASHED,
ARG_PROMPT,
ARG_PROMPT_LOCALE,
ARG_PROMPT_KEYMAP,
@ -881,6 +890,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "machine-id", required_argument, NULL, ARG_MACHINE_ID },
{ "root-password", required_argument, NULL, ARG_ROOT_PASSWORD },
{ "root-password-file", required_argument, NULL, ARG_ROOT_PASSWORD_FILE },
{ "root-password-hashed", required_argument, NULL, ARG_ROOT_PASSWORD_HASHED },
{ "prompt", no_argument, NULL, ARG_PROMPT },
{ "prompt-locale", no_argument, NULL, ARG_PROMPT_LOCALE },
{ "prompt-keymap", no_argument, NULL, ARG_PROMPT_KEYMAP },
@ -959,6 +969,8 @@ static int parse_argv(int argc, char *argv[]) {
r = free_and_strdup(&arg_root_password, optarg);
if (r < 0)
return log_oom();
arg_root_password_is_hashed = false;
break;
case ARG_ROOT_PASSWORD_FILE:
@ -968,6 +980,15 @@ static int parse_argv(int argc, char *argv[]) {
if (r < 0)
return log_error_errno(r, "Failed to read %s: %m", optarg);
arg_root_password_is_hashed = false;
break;
case ARG_ROOT_PASSWORD_HASHED:
r = free_and_strdup(&arg_root_password, optarg);
if (r < 0)
return log_oom();
arg_root_password_is_hashed = true;
break;
case ARG_HOSTNAME: