[OE-core] [PATCH 2/2] base-passwd: set root's default password to 'root'

Robert Yang liezhi.yang at windriver.com
Tue Nov 29 05:36:58 UTC 2016



On 11/29/2016 11:45 AM, Paul Eggleton wrote:
> On Tue, 29 Nov 2016 10:45:51 Robert Yang wrote:
>> On 11/29/2016 09:57 AM, Khem Raj wrote:
>>>> On Nov 24, 2016, at 10:59 AM, Paul Eggleton
>>>> <paul.eggleton at linux.intel.com> wrote:>>
>>>> On Thu, 24 Nov 2016 08:46:29 Patrick Ohly wrote:
>>>>> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote:
>>>>>> Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky,
>>>>>> and
>>>>>> there is no passwd, so that user can login easily without a passwd, I
>>>>>> think
>>>>>> that current status is more unsafe ?
>>>>>
>>>>> Both well-known password and no password are unsafe. User "root" with
>>>>> password "root" is not even "more" safe already now, because tools that
>>>>> brute-force logins try that. Choosing something else would be a bit
>>>>> safer for a short while until the tools add it to their dictionary.
>>>>>
>>>>> Poky is also targeting a different audience than OE-core. Poky can
>>>>> assume to be used in a secure environment, OE-core can't (because it
>>>>> might be used for all kinds of devices).
>>>>
>>>> I don't think that's part of the design goals on either side, it's simply
>>>> about making development easier. The feature is clearly labelled "debug-
>>>> tweaks" because it's for debugging not for production. It could be that
>>>> we
>>>> should make it do other things like append a notice to /etc/issue to
>>>> avoid
>>>> people leaving it on for production, if that is a concern.
>>>
>>> Sometimes such goals can lead to problems. Making development easier by
>>> all means if you can ensure a hard error on production e.g. debug-tweaks
>>> can then never be part of production images. Otherwise someone will
>>> forget it and it will be discovered on millions of devices in field along
>>> with the user project will be red-faced.
>
> Right. FWIW in mitigation I did write the raw material for the following
> section of the YP manuals, though I don't know how many people have ended
> up reading it:
>
> http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
>
> In there there is an explicit mention of disabling debug-tweaks. Looking
> around the place it could be that we need more warnings about this being
> on by default though.
>
>> Will something like IMAGE_FEATURES += "production" help here ?
>
> I'd like to see something like this - at least give the user some way of
> saying "I really am in production now, so error out on anything that I
> shouldn't be doing there". I wonder if it potentially goes further than
> just conflicting with things like debug-tweaks and empty-root-password.
>
>> We may also need something like IMAGE_FEATURES += "test" to make it can work
>> with -ctestimage.
>
> Not sure I follow your reasoning here - can you explain what this feature
> would do?

For example, the "bitbake <image> -ctestimage" requires a few pkgs installed,
such as psplash-default, see the testcase in meta/lib/oeqa/runtime/smart.py:

     def test_smart_install(self):
         self.smart('remove -y psplash-default')
         self.smart('install -y psplash-default')

The test would fail without psplash-default installed, and also it requires
sshd installed on the target. When IMAGE_FETURES += "test", we can install
these required packages, I'm not sure this is a good idea, or maybe we can
enhance testimge.bbclass to do it. Another way to fix the problem might be
not hardcode the package name.

// Robert

>
> Cheers,
> Paul
>



More information about the Openembedded-core mailing list