[elbe-devel] [PATCH v1 00/15] elbe: switch to hashed passwords in XML

Holger Dengler holger at hdengler.de
Wed Jun 8 22:39:43 CEST 2022


This patch series contains some ideas to get rid of plain-text passwords in
Elbe XMLs. The work started a while ago and I think it is now time to
discuss it on the mailing list. So, here we go...

The Elbe XMLs use plain-text passwords for root and users. At first glance,
this is not a problem because in most cases, the Elbe builds are part of an
automation and the plain-text passwords must be generated and documented
anyhow. But the XML is also a) copied to the target RFS
('/etc/elbe_base.xml') and b) part of the build output. In both cases, a
contained plain-text password might be a security risk if these build
results are not handled with care. Removing the plain-text passwords from
the XML could be a possible solution. But to keep the capability to rebuild
the target RFS with the build-output XMLs, a hashed password must be kept in
the XML.

The main idea is to replace the plain-text passwords with hashed ones. With
this change, the build results are on the same security level as the password
database in the target RFS ('/etc/shadow'). And it will still be possible to
rebuild the target RFS based on the build output XMLs (e.g. source.xml).

But the removal of the plain-text password for root will conflict with
another feature of Elbe, the test action 'login'. It is used to execute
some post-build tests, e.g. test if it is possible to log in to the target
system. This action requires a plain-text password for root in the XML. This
leads to an attribute for the 'passwd' element, which controls the removal
of the plain-text password element.

In more detail:
---------------
- Patches 1-2/15 use a batch-mode aware tool to set the passwords. They are a
  preparation for later patches, because the 'chpasswd' command is also able
  to process hashed passwords.
- Patch 3/15 introduces a hashed password element for the root password,
  patch 4/15 uses its content for setting the root password.
- Patches 5-6/15 are doing the same for user passwords in 'adduser' elements.
- Patches 7-8/15 add password handling to the XML preprocessing. The hashed
  passwords will be updated, based on an existing plain-text password.
- Patches 9-10/15 add the removal of plain-text passwords to the XML
  preprocessing, based on an additional attribute.
- Patch 11/15 detects the conversion of a legacy XML file and enforces the
  preservation of the plain-text password. The commit message explains some
  more details.
- Patch 12/15 adds an early failure in XML preprocessing if the removal of
  a plain-text password will cause a conflict in the login action.
- Patch 13/15 adds a sub-command to Elbe to hash plain-text passwords.
- Patch 14/15 converts all example XMLs to the new schema. Plain-text
  passwords will be removed in the build.
- Patch 15/15 converts all test XMLs to the new schema. Plain-text passwords
  will only be preserved if the login action is specified.

This v1 does *not* contain any documentation yet. I expect some discussion
and also changes to the current implementation. Updated man pages will be
part of the v2 or v3, as soon as the main aspects of the implementation have
been stabilized a bit.

I only built a few example XMLs for testing, so the test coverage is still
quite low. But maybe someone can also do some tests to figure out if the
changes are working as expected.

Now, I'm looking forward to discussing the changes here. All feedback will be
appreciated.

The series is also available on GitHub:
To github.com:hdengler/elbe.git
 * [new branch]          tip -> tip


Holger Dengler (15):
  rfs: use chpasswd for root password
  finetuning: use chpasswd for user password
  dbsfed.xsd: target: add element for hashed root password
  rfs: use hashed password for root
  dbsfed.xsd: adduser: add hashed password attribute
  finetuning: use hashed password for adduser
  xmlpreprocess: add password processing for root
  xmlpreprocess: add password processing for adduser
  dbsfed.xsd: target: add attribute to passwd element
  xmlpreprocess: remove plain-text root password
  xmlpreprocess: legacy support for hashed root passwords
  xmlpreprocess: detect plain-text password removal conflicts
  commands: add passwd sub-command
  examples: add empty hashed password element
  tests: add empty hashed password element

 elbepack/commands/passwd.py                   | 21 ++++++
 elbepack/finetuning.py                        |  7 +-
 elbepack/rfs.py                               |  6 +-
 elbepack/xmlpreprocess.py                     | 69 +++++++++++++++++++
 examples/arm64-qemu-virt.xml                  |  1 +
 examples/armel-rescue-busybox-cpio.xml        |  1 +
 examples/armhf-nfs-with-build-tools.xml       |  1 +
 examples/armhf-ti-beaglebone-black.xml        |  1 +
 examples/armhf-ubuntu.xml                     |  1 +
 examples/powerpc.xml                          |  1 +
 .../x86_32-pc-hdimg-minimal-grub-buster.xml   |  1 +
 ...6_32-pc-hdimg-with-include-development.xml |  1 +
 ...86_32-pc-hdimg-with-include-production.xml |  1 +
 examples/x86_64-docker-elbe.xml               |  1 +
 examples/x86_64-docker-systemd.xml            |  1 +
 examples/x86_64-docker.xml                    |  1 +
 examples/x86_64-pc-hdimg-gnome3.xml           |  1 +
 .../x86_64-pc-hdimg-grub-hybrid-buster.xml    |  1 +
 examples/x86_64-pc-hdimg-grub-uefi-buster.xml |  1 +
 .../x86_64-pc-rescue-busybox-dyn-cpio.xml     |  1 +
 schema/dbsfed.xsd                             | 30 +++++++-
 tests/pbuilder-amd64.xml                      |  1 +
 tests/simple-amd64-bookworm.xml               |  3 +-
 tests/simple-amd64-with-grub-uefi.xml         |  3 +-
 tests/simple-amd64-with-grub.xml              |  3 +-
 tests/simple-arm64.xml                        |  3 +-
 tests/simple-armhf.xml                        |  3 +-
 tests/xinclude/simple.xml                     |  3 +-
 28 files changed, 153 insertions(+), 15 deletions(-)
 create mode 100644 elbepack/commands/passwd.py

-- 
2.36.1
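
An added example, not part of the original mail or of the Elbe code base: a small audit for the two places the cover letter names as exposure points ('/etc/elbe_base.xml' and the build-output XMLs), reporting plain-text passwords that remain, hashed values that are not in crypt(3) format, and the login-action conflict that patch 12/15 is described as catching. The names `passwd_hashed`, the `passwd` attribute on 'adduser' and the `action/login` path are assumptions; the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# crypt(3) modular format as stored in /etc/shadow, e.g. "$6$<salt>$<digest>"
CRYPT_RE = re.compile(r"^\$(?:1|2[aby]|5|6|y)\$[./A-Za-z0-9$=,]+$")

# Constructed sample; 'passwd_hashed' is an assumed name, not taken from the series.
LEAKY = """<RootFileSystem>
  <target>
    <passwd>s3cret</passwd>
    <passwd_hashed/>
    <finetuning>
      <adduser passwd="s3cret" shell="/bin/bash">dev</adduser>
      <adduser passwd_hashed="not-a-hash" shell="/bin/bash">ops</adduser>
    </finetuning>
  </target>
</RootFileSystem>"""

# Constructed sample: hash only, but a login test still needs the clear text.
CONFLICT = """<RootFileSystem>
  <target><passwd_hashed>$6$saltsalt$abcDEF123./</passwd_hashed></target>
  <check-image-list><check><action><login/></action></check></check-image-list>
</RootFileSystem>"""


def audit_passwords(xml_text):
    """Return (kind, location) findings for one Elbe-style XML document."""
    root = ET.fromstring(xml_text)
    findings = []
    needs_login = root.find(".//action/login") is not None
    plain = (root.findtext("target/passwd") or "").strip()
    if plain and not needs_login:
        findings.append(("leak", "target/passwd"))
    if needs_login and not plain:
        findings.append(("conflict", "action/login"))
    hashed = (root.findtext("target/passwd_hashed") or "").strip()
    if hashed and not CRYPT_RE.match(hashed):
        findings.append(("bad-hash", "target/passwd_hashed"))
    for user in root.iter("adduser"):
        name = (user.text or "").strip()
        if user.get("passwd"):
            findings.append(("leak", f"adduser[{name}]"))
        value = user.get("passwd_hashed", "")
        if value and not CRYPT_RE.match(value):
            findings.append(("bad-hash", f"adduser[{name}]"))
    return findings


if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY), ("conflict", CONFLICT)):
        print(label, audit_passwords(doc))
```

An empty hashed element is not reported, since the series describes the preprocessing step as the one that fills it in.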
