Message ID | 20230105150242.21236-1-venkata.pyla@toshiba-tsip.com (mailing list archive) |
---|---|
State | Accepted |
Series | [isar-cip-core] security.yml: Add root user credentials in security kas file |
On 05.01.23 16:02, venkata.pyla@toshiba-tsip.com wrote: > From: venkata pyla <venkata.pyla@toshiba-tsip.com> > > Security image creation imposes a rule to have strong password in user > accounts and that should not affect the normal image user account > settings, so overwriting user account settings in security kas file as > required for security image. > > Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> > --- > kas/opt/security.yml | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/kas/opt/security.yml b/kas/opt/security.yml > index 4e74a9c..c385a62 100644 > --- a/kas/opt/security.yml > +++ b/kas/opt/security.yml > @@ -12,3 +12,9 @@ header: > version: 12 > > target: cip-core-image-security > + > +local_conf_header: > + root_password: | > + USERS += "root" > + USER_root[password] = "Cipsecurity@123" > + USER_root[flags] = "clear-text-password" Then I could apply Henning's patch after that again, I assume. Let's see... Thanks, Jan
On Thu, 5 Jan 2023 20:32:42 +0530, venkata.pyla@toshiba-tsip.com wrote: > From: venkata pyla <venkata.pyla@toshiba-tsip.com> > > Security image creation imposes a rule to have strong password in user > accounts and that should not affect the normal image user account > settings, so overwriting user account settings in security kas file as > required for security image. > > Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> > --- > kas/opt/security.yml | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/kas/opt/security.yml b/kas/opt/security.yml > index 4e74a9c..c385a62 100644 > --- a/kas/opt/security.yml > +++ b/kas/opt/security.yml > @@ -12,3 +12,9 @@ header: > version: 12 > > target: cip-core-image-security > + > +local_conf_header: > + root_password: | > + USERS += "root" > + USER_root[password] = "Cipsecurity@123" This looks like a pretty hefty interface change and should maybe be documented somewhere. Note that we should use that variable in recipes-core/security-customizations/files/postinst when appending to /etc/issue ... or the value ;) And talking about the value, can we get rid of the "y" and the "@"? The "y" is subject to QWERTZ vs QWERTY and the "@" might also be hard to type when the keyboard layout is not 100% ... like in qemu when your host has German layout. Henning > + USER_root[flags] = "clear-text-password"
On Thu, 5 Jan 2023 17:33:59 +0100, Henning Schild <henning.schild@siemens.com> wrote: > On Thu, 5 Jan 2023 20:32:42 +0530, > venkata.pyla@toshiba-tsip.com wrote: > > > From: venkata pyla <venkata.pyla@toshiba-tsip.com> > > > > Security image creation imposes a rule to have strong password in > > user accounts and that should not affect the normal image user > > account settings, so overwriting user account settings in security > > kas file as required for security image. > > > > Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> > > --- > > kas/opt/security.yml | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/kas/opt/security.yml b/kas/opt/security.yml > > index 4e74a9c..c385a62 100644 > > --- a/kas/opt/security.yml > > +++ b/kas/opt/security.yml > > @@ -12,3 +12,9 @@ header: > > version: 12 > > > > target: cip-core-image-security > > + > > +local_conf_header: > > + root_password: | > > + USERS += "root" > > + USER_root[password] = "Cipsecurity@123" > > This looks like a pretty hefty interface change and should maybe be > documented somewhere. Note that we should use that variable in > recipes-core/security-customizations/files/postinst when appending to > /etc/issue ... or the value ;) And in fact we will need two packages coming out of that one recipe if we use different passwords in different images. Building two images in the same tree would likely cause false sharing and whoever builds the package first wins. Henning > And talking about the value, can we get rid of the "y" and the "@"? > The "y" is subject to QWERTZ vs QWERTY and the "@" might also be hard > to type when the keyboard layout is not 100% ... like in qemu when > your host has German layout. > > Henning > > > + USER_root[flags] = "clear-text-password" >
On 05.01.23 17:37, Henning Schild wrote: > On Thu, 5 Jan 2023 17:33:59 +0100, > Henning Schild <henning.schild@siemens.com> wrote: > >> On Thu, 5 Jan 2023 20:32:42 +0530, >> venkata.pyla@toshiba-tsip.com wrote: >> >>> From: venkata pyla <venkata.pyla@toshiba-tsip.com> >>> >>> Security image creation imposes a rule to have strong password in >>> user accounts and that should not affect the normal image user >>> account settings, so overwriting user account settings in security >>> kas file as required for security image. >>> >>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> >>> --- >>> kas/opt/security.yml | 6 ++++++ >>> 1 file changed, 6 insertions(+) >>> >>> diff --git a/kas/opt/security.yml b/kas/opt/security.yml >>> index 4e74a9c..c385a62 100644 >>> --- a/kas/opt/security.yml >>> +++ b/kas/opt/security.yml >>> @@ -12,3 +12,9 @@ header: >>> version: 12 >>> >>> target: cip-core-image-security >>> + >>> +local_conf_header: >>> + root_password: | >>> + USERS += "root" >>> + USER_root[password] = "Cipsecurity@123" >> >> This looks like a pretty hefty interface change and should maybe be >> documented somewhere. Note that we should use that variable in >> recipes-core/security-customizations/files/postinst when appending to >> /etc/issue ... or the value ;) > > And in fact we will need two packages coming out of that one recipe if > we use different passwords in different images. Building two images in > the same tree would likely cause false sharing and whoever builds the > package first wins. We don't build two images in CIP. This kas config snippet simply overrides the one from kas-cip.yml when appending it. In the end, both passwords are for demonstration purposes only, obviously. Jan
On Thu, 5 Jan 2023 17:45:44 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote: > On 05.01.23 17:37, Henning Schild wrote: > > On Thu, 5 Jan 2023 17:33:59 +0100, > > Henning Schild <henning.schild@siemens.com> wrote: > > > >> On Thu, 5 Jan 2023 20:32:42 +0530, > >> venkata.pyla@toshiba-tsip.com wrote: > >> > >>> From: venkata pyla <venkata.pyla@toshiba-tsip.com> > >>> > >>> Security image creation imposes a rule to have strong password in > >>> user accounts and that should not affect the normal image user > >>> account settings, so overwriting user account settings in security > >>> kas file as required for security image. > >>> > >>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> > >>> --- > >>> kas/opt/security.yml | 6 ++++++ > >>> 1 file changed, 6 insertions(+) > >>> > >>> diff --git a/kas/opt/security.yml b/kas/opt/security.yml > >>> index 4e74a9c..c385a62 100644 > >>> --- a/kas/opt/security.yml > >>> +++ b/kas/opt/security.yml
> >>> @@ -12,3 +12,9 @@ header: > >>> version: 12 > >>> > >>> target: cip-core-image-security > >>> + > >>> +local_conf_header: > >>> + root_password: | > >>> + USERS += "root" > >>> + USER_root[password] = "Cipsecurity@123" > >> > >> This looks like a pretty hefty interface change and should maybe be > >> documented somewhere. Note that we should use that variable in > >> recipes-core/security-customizations/files/postinst when appending > >> to /etc/issue ... or the value ;) > > > > And in fact we will need two packages coming out of that one recipe > > if we use different passwords in different images. Building two > > images in the same tree would likely cause false sharing and whoever > > builds the package first wins. > > We don't build two images in CIP. This kas config snippet simply > overrides the one from kas-cip.yml when appending it. > > In the end, both passwords are for demonstration purposes only, > obviously. I later saw that there are two packages writing the issue file, the security one should be updated to use the new value. Or maybe both should use the variable. Henning > Jan >
diff --git a/kas/opt/security.yml b/kas/opt/security.yml index 4e74a9c..c385a62 100644 --- a/kas/opt/security.yml +++ b/kas/opt/security.yml @@ -12,3 +12,9 @@ header: version: 12 target: cip-core-image-security + +local_conf_header: + root_password: | + USERS += "root" + USER_root[password] = "Cipsecurity@123" + USER_root[flags] = "clear-text-password"
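Review bot: The `USER_root[password] = "Cipsecurity@123"` line, together with `USER_root[flags] = "clear-text-password"`, commits a fixed root password in readable form to `kas/opt/security.yml`, and nothing in the hunk marks it as a demonstration-only default. Add a YAML comment above `local_conf_header:` stating that the credential is for demo images and has to be overridden for any deployed build, and note in the same comment that this `root_password` entry replaces the account settings from the base kas file. The login hint that `recipes-core/security-customizations/files/postinst` appends to `/etc/issue` should take its value from the same variable so the two cannot drift apart.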