[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices
openwrt at daniel.thecshore.com
Thu Dec 24 06:00:24 EST 2015
On 23/12/15 07:05 AM, Imre Kaloz wrote:
> Hi Daniel,
> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
> <openwrt at daniel.thecshore.com> wrote:
>> I am reworking this (requiring console login) as couple of packages
>> for the packages feed, although it may require an image.mk or packages
>> Makefile hook in order to embed an appropriate inittab into the image
>> (since the inittab will need to be modified and we need to guarantee
>> the correct order of actions; and inittab comes from base-files which
>> is last thing done in the packages Makefile).
> I hope the other devs will chime in, but FWIW I would make this enabled
> unconditionally across all targets. As we already have a way to do a
> "factory reset" using the reset button, IMHO failsafe should also
> enforce login passwords everywhere, including the serial console.
At the present time it is actually not possible to using /bin/login from
within the preinit context and therefore making passwords required
during failsafe is not currently possible.
There are two problems:
The first issue is that others have pointed out, using passwords not
embedded in the squashfs would require using mount_root, but one of the
objectives of failsafe is to provide a why to recover when mount_root
produces bad behaviour or just doesn't work.
The second (well and third) is that /bin/login issues vhangup (to
prevent password sniffing) but that means any surrounding shell loses
the tty and exits. The only way around that issue (in failsafe) is exec
/bin/login BUT preinit is 'the' init which means login replaces init and
it is impossible for commands like mount_root to execute because they
depend on being able to talk to the actual init not something that has
exec'd init and isn't listening for them.
Basically failsafe/preinit is operating single user mode and that really
limits what you can do to work around the issue. If you added getty
into the mix it might be possible make failsafe use login, but that's
work for another day.
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel