[elbe-devel] [PATCH] efilesystem: dont put root cleartext password into RFS
John Ogness
john.ogness at linutronix.de
Thu May 2 15:04:48 CEST 2019
On 2019-05-02, Manuel Traut <manut at linutronix.de> wrote:
> Currently the root password of the RFS is stored in
> cleartext in /etc/elbe_base.xml. The file is only
> readable by root. However for security reasons it
> is better not to have the password inside the filesystem.
>
> This sets the passwd XML element to an empty string.
> The element is not removed because the schema defines
> it as mandatory.
Do we really want it to be a valid XML with an empty root password? If
people are going to use the elbe_base.xml to re-generate an image, I
would prefer that it throws an invalid schema error rather than create
an image with an empty root password.
> Signed-off-by: Manuel Traut <manut at linutronix.de>
> ---
> elbepack/efilesystem.py | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/elbepack/efilesystem.py b/elbepack/efilesystem.py
> index 1f6428e0..b68c30da 100644
> --- a/elbepack/efilesystem.py
> +++ b/elbepack/efilesystem.py
> @@ -133,6 +133,7 @@ class ElbeFilesystem(Filesystem):
> version_file.close()
>
> elbe_base = self.open("etc/elbe_base.xml", "wb")
> + xml.tgt.ensure_child('passwd').set_text('')
> xml.xml.write(elbe_base)
> self.chmod("etc/elbe_base.xml", stat.S_IREAD)
More information about the elbe-devel
mailing list