[OpenWrt-Devel] [PATCH] base-files utils/busybox: Make requiring login in console default for easily accessed devices

Daniel Dickinson openwrt at daniel.thecshore.com
Thu Dec 24 06:00:24 EST 2015

Hi Imre,

On 23/12/15 07:05 AM, Imre Kaloz wrote:
> Hi Daniel,
> On Wed, 23 Dec 2015 07:58:59 +0100, Daniel Dickinson
> <openwrt at daniel.thecshore.com> wrote:
>> I am reworking this (requiring console login) as a couple of packages
>> for the packages feed, although it may require an image.mk or packages
>> Makefile hook in order to embed an appropriate inittab into the image
>> (since the inittab will need to be modified and we need to guarantee
>> the correct order of actions; and inittab comes from base-files which
>> is the last thing done in the packages Makefile).
> I hope the other devs will chime in, but FWIW I would make this enabled
> unconditionally across all targets. As we already have a way to do a
> "factory reset" using the reset button, IMHO failsafe should also
> enforce login passwords everywhere, including the serial console.

At the present time it is actually not possible to use /bin/login from 
within the preinit context and therefore making passwords required 
during failsafe is not currently possible.

There are two problems:

The first issue is that, as others have pointed out, using passwords not 
embedded in the squashfs would require using mount_root, but one of the 
objectives of failsafe is to provide a way to recover when mount_root 
produces bad behaviour or just doesn't work.

The second (well and third) is that /bin/login issues vhangup (to 
prevent password sniffing) but that means any surrounding shell loses 
the tty and exits.  The only way around that issue (in failsafe) is exec 
/bin/login BUT preinit is 'the' init which means login replaces init and 
it is impossible for commands like mount_root to execute because they 
depend on being able to talk to the actual init not something that has 
exec'd init and isn't listening for them.

Basically failsafe/preinit is operating in single user mode and that really 
limits what you can do to work around the issue.  If you added getty 
into the mix it might be possible to make failsafe use login, but that's 
work for another day.


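The exec-versus-wrapper dilemma described in the message above, as an added example that is not part of the original post or of OpenWrt's code: a stand-in "preinit" script starts a stand-in "login" either with `exec` or as a child, and reports the PIDs and whether a later step still runs. Assumptions: the `run_preinit` and `field` helpers are hypothetical, the login stand-in only prints its PID, and the vhangup effect itself is not reproduced because it needs a real tty and privileges.

```shell
#!/bin/sh
# Constructed demo of the two ways a preinit-style script could start a login
# program. Hypothetical stand-ins: the middle "sh -c" plays preinit, and the
# innermost "sh -c" plays /bin/login (it only reports its PID).

# run_preinit MODE   (MODE is "exec" or "fork")
run_preinit() {
    sh -c '
        echo "pid_before=$$"
        if [ "$1" = exec ]; then
            # exec: the login stand-in takes over this process (same PID),
            # so nothing after this line in "preinit" can ever run.
            exec sh -c "echo pid_login=\$\$"
        else
            # fork: "preinit" survives as the parent. With the real
            # /bin/login this is the case where vhangup takes the tty
            # away from the surrounding shell.
            sh -c "echo pid_login=\$\$"
        fi
        echo "later_step=ran"   # stands in for a later step such as mount_root
    ' preinit "$1"
}

# field OUTPUT KEY: print the value of KEY from "key=value" lines.
field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

for mode in exec fork; do
    out=$(run_preinit "$mode")
    echo "$mode: before=$(field "$out" pid_before)" \
         "login=$(field "$out" pid_login)" \
         "later=$(field "$out" later_step)"
done
```

In `exec` mode the two PIDs match and the later step is missing; in `fork` mode the PIDs differ and the later step runs, which is the arrangement the message says breaks once the real /bin/login issues vhangup.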