summaryrefslogtreecommitdiffstats
path: root/src/firstboot
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-16 18:27:01 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-16 18:27:01 +0000
commit0acda3abb713d13ee9c7778766a1fff5bbfdd87e (patch)
treeabc5d8e66d598a5dc1fd96c99f7ca09adb063205 /src/firstboot
parentReleasing progress-linux version 256.4-3~progress7.99u1. (diff)
downloadsystemd-0acda3abb713d13ee9c7778766a1fff5bbfdd87e.tar.xz
systemd-0acda3abb713d13ee9c7778766a1fff5bbfdd87e.zip
Merging upstream version 256.5.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/firstboot')
-rw-r--r--src/firstboot/firstboot.c68
1 files changed, 40 insertions, 28 deletions
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index 6afabef..0dbdfc6 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -908,8 +908,7 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
_cleanup_fclose_ FILE *original = NULL, *passwd = NULL;
_cleanup_(unlink_and_freep) char *passwd_tmp = NULL;
int r;
-
- assert(password);
+ bool found = false;
r = fopen_temporary_at_label(etc_fd, "passwd", "passwd", &passwd, &passwd_tmp);
if (r < 0)
@@ -929,9 +928,11 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
while ((r = fgetpwent_sane(original, &i)) > 0) {
if (streq(i->pw_name, "root")) {
- i->pw_passwd = (char *) password;
+ if (password)
+ i->pw_passwd = (char *) password;
if (shell)
i->pw_shell = (char *) shell;
+ found = true;
}
r = putpwent_sane(i, passwd);
@@ -942,9 +943,15 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
return r;
} else {
+ r = fchmod(fileno(passwd), 0644);
+ if (r < 0)
+ return -errno;
+ }
+
+ if (!found) {
struct passwd root = {
.pw_name = (char *) "root",
- .pw_passwd = (char *) password,
+ .pw_passwd = (char *) (password ?: PASSWORD_SEE_SHADOW),
.pw_uid = 0,
.pw_gid = 0,
.pw_gecos = (char *) "Super User",
@@ -955,10 +962,6 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
if (errno != ENOENT)
return -errno;
- r = fchmod(fileno(passwd), 0644);
- if (r < 0)
- return -errno;
-
r = putpwent_sane(&root, passwd);
if (r < 0)
return r;
@@ -979,8 +982,7 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
_cleanup_fclose_ FILE *original = NULL, *shadow = NULL;
_cleanup_(unlink_and_freep) char *shadow_tmp = NULL;
int r;
-
- assert(hashed_password);
+ bool found = false;
r = fopen_temporary_at_label(etc_fd, "shadow", "shadow", &shadow, &shadow_tmp);
if (r < 0)
@@ -1000,8 +1002,11 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
while ((r = fgetspent_sane(original, &i)) > 0) {
if (streq(i->sp_namp, "root")) {
- i->sp_pwdp = (char *) hashed_password;
- i->sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY);
+ if (hashed_password) {
+ i->sp_pwdp = (char *) hashed_password;
+ i->sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY);
+ }
+ found = true;
}
r = putspent_sane(i, shadow);
@@ -1012,9 +1017,15 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
return r;
} else {
+ r = fchmod(fileno(shadow), 0000);
+ if (r < 0)
+ return -errno;
+ }
+
+ if (!found) {
struct spwd root = {
.sp_namp = (char*) "root",
- .sp_pwdp = (char *) hashed_password,
+ .sp_pwdp = (char *) (hashed_password ?: PASSWORD_LOCKED_AND_INVALID),
.sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY),
.sp_min = -1,
.sp_max = -1,
@@ -1027,10 +1038,6 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
if (errno != ENOENT)
return -errno;
- r = fchmod(fileno(shadow), 0000);
- if (r < 0)
- return -errno;
-
r = putspent_sane(&root, shadow);
if (r < 0)
return r;
@@ -1081,13 +1088,6 @@ static int process_root_account(int rfd) {
return 0;
}
- /* Don't create/modify passwd and shadow if not asked */
- if (!(arg_root_password || arg_prompt_root_password || arg_copy_root_password || arg_delete_root_password ||
- arg_root_shell || arg_prompt_root_shell || arg_copy_root_shell)) {
- log_debug("Initialization of root account was not requested, skipping.");
- return 0;
- }
-
r = make_lock_file_at(pfd, ETC_PASSWD_LOCK_FILENAME, LOCK_EX, &lock);
if (r < 0)
return log_error_errno(r, "Failed to take a lock on /etc/passwd: %m");
@@ -1142,10 +1142,22 @@ static int process_root_account(int rfd) {
password = PASSWORD_SEE_SHADOW;
hashed_password = _hashed_password;
- } else if (arg_delete_root_password)
- password = hashed_password = PASSWORD_NONE;
- else
- password = hashed_password = PASSWORD_LOCKED_AND_INVALID;
+ } else if (arg_delete_root_password) {
+ password = PASSWORD_SEE_SHADOW;
+ hashed_password = PASSWORD_NONE;
+ } else if (!arg_root_password && arg_prompt_root_password) {
+ /* If the user was prompted, but no password was supplied, lock the account. */
+ password = PASSWORD_SEE_SHADOW;
+ hashed_password = PASSWORD_LOCKED_AND_INVALID;
+ } else
+ /* Leave the password as is. */
+ password = hashed_password = NULL;
+
+ /* Don't create/modify passwd and shadow if there's nothing to do. */
+ if (!(password || hashed_password || arg_root_shell)) {
+ log_debug("Initialization of root account was not requested, skipping.");
+ return 0;
+ }
r = write_root_passwd(rfd, pfd, password, arg_root_shell);
if (r < 0)