[elbe-devel] [PATCH] efilesystem: don't put root cleartext password into RFS

Torben Hohn torben.hohn at linutronix.de
Fri May 3 16:02:29 CEST 2019


On Thu, May 02, 2019 at 10:27:10PM +0200, Manuel Traut wrote:
> On 22:10 Thu 02 May     , John Ogness wrote:
> > On 2019-05-02, Manuel Traut <manut at linutronix.de> wrote:
> > > On 15:04 Thu 02 May     , John Ogness wrote:
> > >> On 2019-05-02, Manuel Traut <manut at linutronix.de> wrote:
> > >> > Currently the root password of the RFS is stored in
> > >> > cleartext in /etc/elbe_base.xml. The file is only
> > >> > readable by root. However for security reasons it
> > >> > is better not to have the password inside the filesystem.
> > >> >
> > >> > This sets the passwd XML element to an empty string.
> > >> > The element is not removed because the schema defines
> > >> > it as mandatory.
> > >> 
> > >> Do we really want it to be valid XML with an empty root password? If
> > >> people are going to use the elbe_base.xml to re-generate an image, I
> > >> would prefer that it throws an invalid schema error rather than create
> > >> an image with an empty root password.
> > >
> > > Good point, however the file is used by several other elbe subcommands:
> > >
> > >  - bootup-check
> > >  - pkgdiff
> > >  - updated
> > >
> > > But none of those subcommands currently validate the XML file.
> > > So we will not break existing stuff if we produce an invalid XML.
> > >
> > > Another option would be to alter the schema to make passwd optional.
> > > But how should we handle this case during building a RFS?
> > 
> > I like the idea of having it optional. If it is missing, it can set up
> > the root account to be disabled:
> > 
> >     root:!:...
> > 
> > Right now I have to use finetuning to accomplish that.
> > 
> > By the way, I suppose the same goes for passwd of adduser. That also
> > should not be in the elbe_base.xml.
> 
> If Torben is also fine with those 2 recommendations I will implement it
> that way and send a v2.
> 
> Thanks for the input,
>   Manu

Talked to Holger.
Removing the password is a change to the XML file, and it can not be
used anymore to rebuild the RFS from there.

Let's add an XML tag that sets the hash, and then the hash is calculated
in elbe preprocess.

This way we will never have the root password in the build results, CD-ROMs
and whatnot. Not even inside the initvm. And we remain reproducible.



-- 
Torben Hohn
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 18; Fax.: +49 7556 25 999 99
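The design sketched in the thread (hash the cleartext once in a preprocess step so only the hash reaches elbe_base.xml, the build results and the initvm; lock the account with `!` when no password is given), as an added example that is not elbe's own code. The hash is sha512-crypt (`$6$`, the glibc/shadow format Debian uses), implemented here from the glibc description so the example runs offline; the `<passwd_hashed>` tag, the `passwd_hashed` attribute on `adduser`, the sample XML and the shadow line layout are assumptions for the demo, not elbe's schema or output:

```python
"""Added example, not elbe's code: preprocess a cleartext <passwd> into a
salted sha512-crypt hash and emit shadow(5) lines.  Tag/attribute names and
the sample XML are assumptions made for this demo."""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte permutation from glibc's sha512-crypt.c: 21 triples encoded
# as 4 chars each, then the last digest byte as 2 chars.
_TRIPLES = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def _repeat_to(digest: bytes, length: int) -> bytes:
    # Repeat a 64-byte digest until it covers `length` bytes.
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) "$6$" hash as glibc computes it (usable in /etc/shadow)."""
    if not 1000 <= rounds <= 999_999_999:
        raise ValueError("rounds out of range")
    if not re.fullmatch(r"[./0-9A-Za-z]{1,16}", salt):
        raise ValueError("salt must be 1-16 chars of ./0-9A-Za-z")
    key, slt = password.encode(), salt.encode()
    h = hashlib.sha512
    b = h(key + slt + key).digest()                 # digest B
    a = h(key + slt + _repeat_to(b, len(key)))      # digest A, step 1
    n = len(key)
    while n > 0:                                    # bits of len(key): 1 -> B, 0 -> key
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()
    p = _repeat_to(h(key * len(key)).digest(), len(key))       # sequence P
    s = _repeat_to(h(slt * (16 + a[0])).digest(), len(slt))    # sequence S
    c = a
    for i in range(rounds):                         # CPU-cost loop
        ctx = h(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _TRIPLES)
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${enc}"


def _new_salt() -> str:
    return "".join(secrets.choice(_B64) for _ in range(16))


def preprocess(xml_text: str, salt: Optional[str] = None) -> str:
    """Replace each cleartext <passwd> element and adduser passwd="" attribute
    with its hash.  A fresh salt per password unless `salt` is forced (tests).
    An empty <passwd> is rejected: omit the element to lock the account
    instead of building an image with an empty root password."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for pw in list(parent.findall("passwd")):
            if not pw.text:
                raise ValueError("empty <passwd>; drop the element to lock the account")
            hashed = ET.Element("passwd_hashed")          # assumed tag name
            hashed.text = sha512_crypt(pw.text, salt or _new_salt())
            parent.insert(list(parent).index(pw), hashed)
            parent.remove(pw)
        for user in parent.findall("adduser"):
            if "passwd" in user.attrib:
                clear = user.attrib.pop("passwd")
                user.set("passwd_hashed", sha512_crypt(clear, salt or _new_salt()))
    return ET.tostring(root, encoding="unicode")


def shadow_entry(user: str, hashed: Optional[str]) -> str:
    """shadow(5) line; no hash means the account is locked with '!'."""
    return f"{user}:{hashed or '!'}::0:99999:7:::"


# Constructed sample input (not elbe's real schema; no namespace).
SAMPLE_XML = """<RootFileSystem>
  <target>
    <passwd>hunter2</passwd>
    <finetuning>
      <adduser passwd="s3cret" shell="/bin/bash">manut</adduser>
    </finetuning>
  </target>
</RootFileSystem>"""

if __name__ == "__main__":
    print(preprocess(SAMPLE_XML))
    print(shadow_entry("root", None))
```

The rejection of an empty `<passwd>` is the practitioner's check for the concern raised earlier in the thread: a re-generated image must never silently get an empty root password, so the only way to get `root:!:` is to leave the element out. Note that the hash is still a cleartext-equivalent secret for offline cracking, so salts must be fresh per password and the preprocessed XML still deserves the root-only permissions it has today.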
