[PATCH 11/11] base-files: set root password if present inside board.json

Jo-Philipp Wich jo at wwsnet.net
Tue Sep 24 02:57:46 PDT 2024


Hi,

> The code checks if the first character is "$". In that case it is assumed
> that the string contains a solted hash. Alternatively we assume that it is
> a cleartext password.

IMHO that kind of heuristic is undesirable. Imagine a scenario where something 
autogenerates passwords and those happen to start with `$`, the resulting 
configuration would not allow authentication with the expected password.

You should probably just separate the variables into `root_password_plain` and 
`root_password_hash`, then make the latter take precedence over the former in 
case both are defined.

~ Jo

> 
> Signed-off-by: John Crispin <john at phrozen.org>
> ---
>   .../files/etc/uci-defaults/50-root-passwd         | 15 +++++++++++++++
>   1 file changed, 15 insertions(+)
>   create mode 100644 package/base-files/files/etc/uci-defaults/50-root-passwd
> 
> diff --git a/package/base-files/files/etc/uci-defaults/50-root-passwd b/package/base-files/files/etc/uci-defaults/50-root-passwd
> new file mode 100644
> index 0000000000..a7e5ace913
> --- /dev/null
> +++ b/package/base-files/files/etc/uci-defaults/50-root-passwd
> @@ -0,0 +1,15 @@
> +. /usr/share/libubox/jshn.sh
> +
> +json_init
> +json_load "$(cat /etc/board.json)"
> +
> +json_select credentials
> +json_get_vars root_password root_password
> +	[ -z "$root_password" ] || {
> +		if [ "${root_password:0:1}" == "$" ]; then
> +			sed -i "s|^root:[^:]*|root:$root_password|g" /etc/shadow
> +		else
> +			(echo "$root_password"; sleep 1; echo "$root_password") | passwd root
> +		fi
> +	}
> +json_select ..



More information about the openwrt-devel mailing list