projects / systemd / .git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fdf270a)
firstboot: create locked and empty root passwords consistently
authorDan Nicholson <dbn@endlessos.org>
Tue, 30 Jul 2024 17:11:11 +0000 (11:11 -0600)
committerLuca Boccassi <bluca@debian.org>
Thu, 15 Aug 2024 13:04:41 +0000 (14:04 +0100)
Although locked and empty passwords in /etc/passwd are treated the same, in all
other cases the entry is configured to read the password from /etc/shadow.

(cherry picked from commit 5088de9daa156a095e79684c658f9035db971538)

src/firstboot/firstboot.c patch | blob | history
test/units/TEST-74-AUX-UTILS.firstboot.sh patch | blob | history

diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index 6afabef4307663f97dcf1fa3dcb15d36c73f839e..923c2b89df0d5a689945d86af5912601bdcbc821 100644 (file)
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -1142,10 +1142,13 @@ static int process_root_account(int rfd) {
                 password = PASSWORD_SEE_SHADOW;
                 hashed_password = _hashed_password;
 
-        } else if (arg_delete_root_password)
-                password = hashed_password = PASSWORD_NONE;
-        else
-                password = hashed_password = PASSWORD_LOCKED_AND_INVALID;
+        } else if (arg_delete_root_password) {
+                password = PASSWORD_SEE_SHADOW;
+                hashed_password = PASSWORD_NONE;
+        } else {
+                password = PASSWORD_SEE_SHADOW;
+                hashed_password = PASSWORD_LOCKED_AND_INVALID;
+        }
 
         r = write_root_passwd(rfd, pfd, password, arg_root_shell);
         if (r < 0)
diff --git a/test/units/TEST-74-AUX-UTILS.firstboot.sh b/test/units/TEST-74-AUX-UTILS.firstboot.sh
index 2569ad88167258c84a59d564f0bdc9d3cd4d56b5..48792c4c676c6a1af31a4e903f3334da335507d6 100755 (executable)
--- a/test/units/TEST-74-AUX-UTILS.firstboot.sh
+++ b/test/units/TEST-74-AUX-UTILS.firstboot.sh
@@ -211,7 +211,7 @@ echo -ne "\nfoobar\n" | systemd-firstboot --root="$ROOT" --prompt-hostname
 grep -q "foobar" "$ROOT/etc/hostname"
 # With no root password provided, a locked account should be created.
 systemd-firstboot --root="$ROOT" --prompt-root-password </dev/null
-grep -q "^root:!\*:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
 grep -q "^root:!\*:" "$ROOT/etc/shadow"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 echo -ne "\n/bin/fooshell\n" | systemd-firstboot --root="$ROOT" --prompt-root-shell
@@ -262,7 +262,7 @@ grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id"
 rm -fv "$ROOT/etc/machine-id"
 
 systemd-firstboot --root="$ROOT" --delete-root-password
-grep -q "^root::0:0:" "$ROOT/etc/passwd"
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
 grep -q "^root::" "$ROOT/etc/shadow"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 
https://github.com/systemd/systemd.git