kumquat-buildroot/system/system.mk
Lorenzo Catucci 18fa4a32a6 system: allow/disallow root login, accept encoded passwords
Currently, there are only two possibilities regarding the root account:
  - it is enabled with no password (the default)
  - it is enabled, using a clear-text, user-provided password

This is deemed insufficient in many cases, especially when the .config
file has to be published (e.g. for GPL compliance, or for any other
reason).

Fix that in two ways:

  - add a boolean option that allows/disallows root login altogether,
    which defaults to 'y' to keep backward compatibility;

  - accept already-encoded passwords, which we recognise as starting
    with either of $1$, $5$ or $6$ (resp. for md5, sha256 or sha512).

Signed-off-by: Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>
[yann.morin.1998@free.fr:
  - don't add a choice to select between clear-text/encoded password,
    use a single prompt;
  - differentiate in the password hook itself;
  - rewrite parts of the help entry;
  - rewrite and expand the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: "Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
Acked-by: "Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
Tested-by: Gergely Imreh <imrehg@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-04 12:46:43 +02:00


# Unquoted copies of the Kconfig string options consumed by the hooks below.
# qstrip is defined outside this file; presumably it removes the double
# quotes Kconfig puts around string values -- confirm against its definition.
# All of these are recursively expanded, so they are evaluated at use time.

# Identity files: /etc/hostname and /etc/issue
TARGET_GENERIC_HOSTNAME = $(call qstrip,$(BR2_TARGET_GENERIC_HOSTNAME))
TARGET_GENERIC_ISSUE = $(call qstrip,$(BR2_TARGET_GENERIC_ISSUE))

# Root account: the configured password (clear-text or already encoded) and
# the method handed to mkpasswd when the password is clear-text
TARGET_GENERIC_ROOT_PASSWD = $(call qstrip,$(BR2_TARGET_GENERIC_ROOT_PASSWD))
TARGET_GENERIC_PASSWD_METHOD = $(call qstrip,$(BR2_TARGET_GENERIC_PASSWD_METHOD))

# Target of the /bin/sh symlink
TARGET_GENERIC_BIN_SH = $(call qstrip,$(BR2_SYSTEM_BIN_SH))

# Serial console getty: port, baudrate, terminal type and extra options
TARGET_GENERIC_GETTY_PORT = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT))
TARGET_GENERIC_GETTY_BAUDRATE = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
TARGET_GENERIC_GETTY_TERM = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_TERM))
TARGET_GENERIC_GETTY_OPTIONS = $(call qstrip,$(BR2_TARGET_GENERIC_GETTY_OPTIONS))
ifeq ($(BR2_TARGET_GENERIC_GETTY),y)
# Finalize hook: append the getty port to the target's /etc/securetty unless
# a line consisting of exactly that port is already present.
#
# NOTE(review): /etc/securetty is conventionally the list of terminals on
# which root may log in, so this widens that list whenever a getty is
# configured. In this file the hook depends only on BR2_TARGET_GENERIC_GETTY,
# not on BR2_TARGET_ENABLE_ROOT_LOGIN.
# NOTE(review): the port name is used as a regular expression by grep and is
# placed inside single-quoted shell strings; it is assumed to be a plain tty
# name -- confirm against the Kconfig help.
define SYSTEM_SECURETTY
	grep -q '^$(TARGET_GENERIC_GETTY_PORT)$$' $(TARGET_DIR)/etc/securetty || \
		echo '$(TARGET_GENERIC_GETTY_PORT)' >> $(TARGET_DIR)/etc/securetty
endef
TARGET_FINALIZE_HOOKS += SYSTEM_SECURETTY
endif
ifneq ($(TARGET_GENERIC_HOSTNAME),)
# Finalize hook, registered only when a hostname is configured:
#   - writes the hostname to the target's /etc/hostname;
#   - edits /etc/hosts with two sed scripts: one appends a
#     "127.0.1.1<TAB>hostname" line after the last line, the other deletes
#     the existing lines that start with 127.0.1.1.
# $(SED) is defined outside this file; presumably it edits the file in
# place -- confirm against its definition.
#
# NOTE(review): the hostname is echoed inside double quotes, so the shell
# still interprets $, backquotes and backslashes in the configured value.
define SYSTEM_HOSTNAME
	mkdir -p $(TARGET_DIR)/etc
	echo "$(TARGET_GENERIC_HOSTNAME)" > $(TARGET_DIR)/etc/hostname
	$(SED) '$$a \127.0.1.1\t$(TARGET_GENERIC_HOSTNAME)' \
		-e '/^127.0.1.1/d' $(TARGET_DIR)/etc/hosts
endef
TARGET_FINALIZE_HOOKS += SYSTEM_HOSTNAME
endif
ifneq ($(TARGET_GENERIC_ISSUE),)
# Finalize hook, registered only when an issue banner is configured:
# overwrites the target's /etc/issue with the configured text.
#
# NOTE(review): the text is echoed inside double quotes, so the shell still
# interprets $, backquotes and backslashes in the configured value.
define SYSTEM_ISSUE
	mkdir -p $(TARGET_DIR)/etc
	echo "$(TARGET_GENERIC_ISSUE)" > $(TARGET_DIR)/etc/issue
endef
TARGET_FINALIZE_HOOKS += SYSTEM_ISSUE
endif
# Shell fragment that overwrites the target's /etc/network/interfaces with a
# header comment and the loopback stanza. It is not registered as a hook
# itself; SET_NETWORK expands it.
define SET_NETWORK_LOCALHOST
	( \
		echo "# interface file auto-generated by buildroot"; \
		echo ; \
		echo "auto lo"; \
		echo "iface lo inet loopback"; \
	) > $(TARGET_DIR)/etc/network/interfaces
endef
# Interface to configure through DHCP, taken from BR2_SYSTEM_DHCP; an empty
# value leaves SET_NETWORK_DHCP undefined, so it expands to nothing.
NETWORK_DHCP_IFACE = $(call qstrip,$(BR2_SYSTEM_DHCP))

ifneq ($(NETWORK_DHCP_IFACE),)
# Shell fragment that appends an "auto"/"iface ... inet dhcp" stanza for the
# configured interface to the target's /etc/network/interfaces. The file is
# appended to, not overwritten, so this is meant to run after the loopback
# stanza has been written.
define SET_NETWORK_DHCP
	( \
		echo ; \
		echo "auto $(NETWORK_DHCP_IFACE)"; \
		echo "iface $(NETWORK_DHCP_IFACE) inet dhcp"; \
	) >> $(TARGET_DIR)/etc/network/interfaces
endef
endif
# Finalize hook: create /etc/network in the target, write the loopback
# stanza, then the DHCP stanza when one is defined. The order matters: the
# loopback fragment truncates the interfaces file and the DHCP fragment
# appends to it. The hook is registered unconditionally.
define SET_NETWORK
	mkdir -p $(TARGET_DIR)/etc/network/
	$(SET_NETWORK_LOCALHOST)
	$(SET_NETWORK_DHCP)
endef
TARGET_FINALIZE_HOOKS += SET_NETWORK
ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y)
# Choose the value that goes into the password field of root's /etc/shadow
# entry. Four cases, decided from BR2_TARGET_ENABLE_ROOT_LOGIN and the
# configured root password.
ifeq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),y)
# Case 1: root login enabled and no password configured. The field is left
# empty, i.e. root can log in without a password.
ifeq ($(TARGET_GENERIC_ROOT_PASSWD),)
SYSTEM_ROOT_PASSWORD =
# Case 2: the configured value starts with $1$, $5$ or $6$ and is taken to
# be an already-encoded password, used verbatim.
# NOTE(review): only the prefix is checked; nothing validates that the rest
# is a well-formed hash. $1$ (md5-crypt) is accepted but is a weak scheme;
# prefer $6$ (sha512) for new configurations.
else ifneq ($(filter $$1$$% $$5$$% $$6$$%,$(TARGET_GENERIC_ROOT_PASSWD)),)
SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWD)
# Case 3: anything else is treated as a clear-text password and encoded with
# host-mkpasswd using the configured method.
# NOTE(review): the clear-text password stays in the configuration and is
# passed as a command-line argument to mkpasswd, so it is visible in the
# build host's process list while the command runs.
# NOTE(review): the password sits inside double quotes, so the shell still
# interprets $, backquotes, backslashes and double quotes in it.
# NOTE(review): if mkpasswd fails or prints nothing, $(shell) expands to an
# empty string, which is the same value as the passwordless case 1.
else
PACKAGES += host-mkpasswd
# This variable will only be evaluated in the finalize stage, so we can
# be sure that host-mkpasswd will have already been built by that time.
SYSTEM_ROOT_PASSWORD = $(shell $(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)")
endif
# Case 4: root login disabled. "*" is not a valid hash, so no password can
# match it.
# NOTE(review): this only affects password authentication through the
# shadow entry; whether other login paths for root exist depends on the
# rest of the target configuration.
else # !BR2_TARGET_ENABLE_ROOT_LOGIN
SYSTEM_ROOT_PASSWORD = *
endif
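# Finalize hook: replace the password field of the root entry in the
# target's /etc/shadow with $(SYSTEM_ROOT_PASSWORD).
#
# The first line is a fail-closed guard. An empty password field means
# "root logs in without a password", which is only intended when no root
# password is configured. When a password is configured but
# SYSTEM_ROOT_PASSWORD expands to nothing (for instance because mkpasswd
# failed, since $(shell) ignores its exit status), the build stops instead
# of silently writing a passwordless root entry. With no password
# configured, the $(if) expands to an empty line and nothing is checked.
#
# The guard is done in the shell rather than with $(error) so that merely
# expanding this variable outside the finalize stage never aborts make.
# SYSTEM_ROOT_PASSWORD is expanded once per line, so in the clear-text case
# mkpasswd runs twice; only the second result is written.
define SYSTEM_SET_ROOT_PASSWD
	$(if $(TARGET_GENERIC_ROOT_PASSWD),test -n '$(SYSTEM_ROOT_PASSWORD)' || { echo "system: empty root password hash although a root password is configured - refusing to write a passwordless root entry" >&2; exit 1; })
	$(SED) 's,^root:[^:]*:,root:$(SYSTEM_ROOT_PASSWORD):,' $(TARGET_DIR)/etc/shadow
endef
TARGET_FINALIZE_HOOKS += SYSTEM_SET_ROOT_PASSWD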
# Finalize hook for /bin/sh in the target: either remove it when no shell is
# selected, or (re)create it as a symlink to the configured shell.
ifeq ($(BR2_SYSTEM_BIN_SH_NONE),y)
define SYSTEM_BIN_SH
	rm -f $(TARGET_DIR)/bin/sh
endef
else
# ln -sf replaces an existing /bin/sh; the link target is the configured
# value as-is, it is not checked to exist in the target.
define SYSTEM_BIN_SH
	ln -sf $(TARGET_GENERIC_BIN_SH) $(TARGET_DIR)/bin/sh
endef
endif
TARGET_FINALIZE_HOOKS += SYSTEM_BIN_SH
# Finalize hook: rewrite the inittab line that ends in "# GENERIC_SERIAL" so
# that it respawns /sbin/getty on the configured port with the configured
# options, baudrate and terminal type. Everything up to the last "#" on that
# line is replaced, so the marker survives and the hook can run again.
#
# NOTE(review): the sed expressions use "~" as delimiter and sit in single
# quotes; the getty settings are assumed not to contain "~" or single
# quotes -- confirm against the Kconfig help.
ifeq ($(BR2_TARGET_GENERIC_GETTY),y)
ifeq ($(BR2_PACKAGE_SYSVINIT),y)
# sysvinit flavour: the inittab "id" field must not exceed 4 bytes, so the
# leading "tty" of the port name is dropped (tail -c+4) to build the id.
define SYSTEM_GETTY
	$(SED) '/# GENERIC_SERIAL$$/s~^.*#~$(shell echo $(TARGET_GENERIC_GETTY_PORT) | tail -c+4)::respawn:/sbin/getty -L $(TARGET_GENERIC_GETTY_OPTIONS) $(TARGET_GENERIC_GETTY_PORT) $(TARGET_GENERIC_GETTY_BAUDRATE) $(TARGET_GENERIC_GETTY_TERM) #~' \
		$(TARGET_DIR)/etc/inittab
endef
else
# busybox flavour: the full port name is used as the first inittab field.
define SYSTEM_GETTY
	$(SED) '/# GENERIC_SERIAL$$/s~^.*#~$(TARGET_GENERIC_GETTY_PORT)::respawn:/sbin/getty -L $(TARGET_GENERIC_GETTY_OPTIONS) $(TARGET_GENERIC_GETTY_PORT) $(TARGET_GENERIC_GETTY_BAUDRATE) $(TARGET_GENERIC_GETTY_TERM) #~' \
		$(TARGET_DIR)/etc/inittab
endef
endif
TARGET_FINALIZE_HOOKS += SYSTEM_GETTY
endif
# Finalize hook: enable or disable the inittab line that ends in
# "-o remount,rw /", depending on BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW.
# Both variants are no-ops when no matching line exists.
ifeq ($(BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW),y)
# Enabled: strip every leading '#' from a commented-out remount line.
define SYSTEM_REMOUNT_RW
	$(SED) '/^#.*-o remount,rw \/$$/s~^#\+~~' $(TARGET_DIR)/etc/inittab
endef
else
# Disabled: put a single '#' in front of a remount line that is not
# commented out yet, so the root filesystem is left as it was mounted.
define SYSTEM_REMOUNT_RW
	$(SED) '/^[^#].*-o remount,rw \/$$/s~^~#~' $(TARGET_DIR)/etc/inittab
endef
endif
TARGET_FINALIZE_HOOKS += SYSTEM_REMOUNT_RW
endif # BR2_ROOTFS_SKELETON_DEFAULT