[systemd-devel] systemd-firstboot skip root password initialisation if /etc/shadow is present

David Herrmann dh.herrmann at gmail.com
Tue Sep 22 03:19:17 PDT 2015


Hi

On Tue, Sep 22, 2015 at 11:59 AM, Francis Moreau <francis.moro at gmail.com> wrote:
> On Tue, Sep 22, 2015 at 11:16 AM, David Herrmann <dh.herrmann at gmail.com> wrote:
>> Hi
>>
>> On Tue, Sep 22, 2015 at 11:07 AM, Francis Moreau <francis.moro at gmail.com> wrote:
>>> Hello,
>>>
>>> On Mon, Sep 21, 2015 at 7:45 PM, David Herrmann <dh.herrmann at gmail.com> wrote:
>>>> Hi
>>>>
>>>> On Fri, Sep 18, 2015 at 6:31 PM, Francis Moreau <francis.moro at gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> I find it odd that systemd-firstboot skips root password init if
>>>>> /etc/shadow exists because AFAICS this file is always part of a
>>>>> minimal rootfs after being set up by an installer. Indeed it's
>>>>> populated during package installation.
>>>>>
>>>>> So I can't see a case where systemd-firstboot would prompt for a root password.
>>>>
>>>> If an installer ships a shadow file, then we expect the installer to
>>>> populate it. The firstboot tool will recover situations where you
>>>> deleted /etc entirely (e.g., factory reset).
>>>
>>> From the man page "systemd-firstboot initializes the most basic
>>> system settings interactively on the first boot, or optionally
>>> non-interactively when a system image is created."
>>>
>>> And when a system image is created, usually root password won't be set
>>> but it's *very* unlikely that /etc/shadow will be missing. That's the
>>> reason why I don't think it's going to work in real life.
>>
>> Why would an installer create an empty shadow file?
>
> Well, during package installation done by the installer, some packages,
> usually the ones that install daemons/services, populate
> /etc/shadow.
>
> On Archlinux, after creating a minimal rootfs, the shadow file contains:
>
> bin:x:14871::::::
> daemon:x:14871::::::
> mail:x:14871::::::
> ftp:x:14871::::::
> http:x:14871::::::
> uuidd:x:14871::::::
> dbus:x:14871::::::
> nobody:x:14871::::::
> systemd-journal-gateway:x:14871::::::
> systemd-timesync:x:14871::::::
> systemd-network:x:14871::::::
> systemd-bus-proxy:x:14871::::::

Then "fix" the installer? These entries look like no-ops to me. We
assume that if the installer touches /etc, then it can as well prompt
for a root-password. If you want to make use of firstboot, we
recommend adopting an "empty /etc" installer.

If we support looking for "root" in shadow files and prompt if
non-present, we start supporting legacy setups where /etc is
half-populated. We don't want that. Either go full legacy and make
your installer prompt for everything, or go "empty /etc" and firstboot
will take over.

>>
>>> BTW, I don't know if recovering when /etc/ has been deleted is
>>> possible even if systemd-firstboot will restore a couple of conf
>>> files...
>>
>> Depending on your distribution, it is.
>
> Just out of curiosity, which distros are supposed to support that?

I can trash /etc on Archlinux and boot it as a container just fine. It
doesn't work as a full system, yet. Not all packages have adopted
empty /etc support.

Thanks
David
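
Added example, not part of the original message and not systemd code: a pre-flight check an image builder could run to see which of the cases discussed in this thread an image falls into, taking as given the behaviour described here (firstboot skips the root password when /etc/shadow exists). The function names and status labels are hypothetical, the password-field classification is a simplification of shadow(5), and the sample input is the Arch listing quoted above.

```python
import re

# Shadow listing quoted in the thread (Arch minimal rootfs), used as sample input.
ARCH_SAMPLE = """\
bin:x:14871::::::
daemon:x:14871::::::
mail:x:14871::::::
ftp:x:14871::::::
http:x:14871::::::
uuidd:x:14871::::::
dbus:x:14871::::::
nobody:x:14871::::::
systemd-journal-gateway:x:14871::::::
systemd-timesync:x:14871::::::
systemd-network:x:14871::::::
systemd-bus-proxy:x:14871::::::
"""

_DES = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character crypt(3) hash

def password_state(field):
    """Classify a shadow(5) password field (simplified, see lead-in)."""
    if field == "":
        return "empty"        # account can log in without a password
    if field.startswith("$") or _DES.match(field):
        return "hash"         # looks like a crypt(3) result
    return "unusable"         # "!", "*", "x", "!$6$...": no password login

def parse_shadow(text):
    """Return {login: password_state}, skipping blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            entries[parts[0]] = password_state(parts[1])
    return entries

def firstboot_root_status(shadow_text):
    """shadow_text: content of the image's etc/shadow, or None if the file is absent."""
    if shadow_text is None:
        return "firstboot-will-handle"    # "empty /etc" image, firstboot takes over
    state = parse_shadow(shadow_text).get("root")
    if state is None:
        return "skipped-no-root-entry"    # half-populated /etc, as in the thread
    return "skipped-root-" + state        # installer's entry stands as-is

if __name__ == "__main__":
    print(firstboot_root_status(ARCH_SAMPLE))
```

Any `skipped-*` result means the installer, not firstboot, is responsible for root's credentials in that image; `skipped-root-empty` is the case to fail a build on.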

