[elbe-devel] [PATCH v2 0/8] elbe: switch to hashed passwords in XML
Holger Dengler
holger at hdengler.de
Thu Jun 16 12:10:06 CEST 2022
Here comes the v2 with a slightly different approach. It is less complex in
writing XMLs and in processing them. Personally, I would prefer the v2 over
the v1. More details under the general part.
The Elbe XML uses plain-text passwords for root and user in the XML. At
first glance, this is not a problem, since the Elbe builds are in most cases
part of an automation and the plain-text passwords have to be generated and
documented anyway. But the XML is on the one hand also copied into the
target RFS ('/etc/elbe_base.xml') and on the other hand is part of the build
output. In both cases, an included plain-text password can be a security
risk if these results are not handled with due care. Removing the plain-text
passwords from the XML file could be a possible solution. However, to keep
the ability to rebuild the target RFS with the build output XMLs, a hashed
password must be included in the XML.
The main idea is to replace the plain text passwords in the XML with hashed
ones. With this change, the build results will be at an equivalent security
level as the password database in the target RFS ("/etc/shadow"). And it
will still be possible to rebuild the target RFS based on the build output
XMLs (e.g. source.xml).
But removing the plain-text password for root conflicts with another feature
of Elbe, the 'login' action. It is used for running post-build tests, such
as a root login on the target system. This action requires a plain text
password for root in the XML file. The solution is to specify the plain-text
password in the login element. If nothing is specified, the default is
"root".
In more detail:
---------------
- Patch 1-2/8 use a batch-mode aware tool to set the passwords. They are a
preparation for later patches, because the 'chpasswd' command is also able
to process hashed passwords.
- Patch 3/8 uses the value of the "login" element as password.
- Patch 4/8 replaces the "passwd" element for root with "passwd_hased". It
also includes the change in RFS processing.
- Patch 5/8 replaces the "passwd" attribute for adduser with "passwd_hased".
It also includes the change in fintuning processing.
- Patch 6/8 converts legacy XMLs in XML preprocessing. Plain-text password
are replaced with hashed ones.
- Patch 7/8 converts legacy XMLs in XML preprocessing. If the XML has a
"login" and "passwd" element, the value of "passwd" is moved to the
"login".
- Patch 8/8 adds a sub-command to Elbe to hash plain-text passwords.
Changes since v1:
- different approach
- a value in "login" element is used as plain-text password for root login
- schema: remove plain-text password element for root
- schema: remove plain-text password attribute for adduser
- no changes to the example/tests XML required
The series is also available on github:
To github.com:hdengler/elbe.git
* [new branch] tip2 -> tip2
Holger Dengler (8):
rfs: use chpasswd for root password
finetuning: use chpasswd for user password
commands: check-build: move password to login value
schema: switch to hashed password for root
schema: switch to hashed passwords for users
proprocess: migrate root and user passwords
preprocess: migrate login action
commands: add passwd sub-command
elbepack/commands/check-build.py | 5 ++---
elbepack/commands/passwd.py | 21 +++++++++++++++++++++
elbepack/finetuning.py | 7 +++----
elbepack/rfs.py | 6 +++---
elbepack/xmlpreprocess.py | 32 +++++++++++++++++++++++++++++---
schema/dbsfed.xsd | 12 +++++++-----
6 files changed, 65 insertions(+), 18 deletions(-)
create mode 100644 elbepack/commands/passwd.py
--
2.36.1
More information about the elbe-devel
mailing list