branding: enforce passwordless root via passwd -d -R; remove direct passwd/shadow edits

initramfs: switch to passwd -d -R in scripts/lib/initramfs.sh:initramfs_finalize_customization() for shadow-aware passwordless root (aligned with 9423b708 intent), drop sed and chpasswd paths, and add validation diagnostics. common: normalize INSTALL_DIR/COMPONENTS_DIR/KERNEL_DIR/DIST_DIR to absolute paths after sourcing config to prevent validation resolving under kernel/current. Dockerfile: include shadow (for passwd/chpasswd), ensure openssl and openssl-dev present; remove perl. config: introduce ZEROOS_PASSWORDLESS_ROOT default true and comment password vars. docs: NOTES.md updated with diagnostics and flow.
2025-09-09 13:59:44 +02:00
parent e70a35ddc8
commit c10580d171
14 changed files with 137 additions and 20 deletions
--- a/config/build.conf
+++ b/config/build.conf
@@ -49,6 +49,13 @@ KERNEL_SOURCE_URL="https://cdn.kernel.org/pub/linux/kernel"
 ZEROOS_BRANDING="true"
 ZEROOS_REBRANDING="true"

+# Root account configuration
+# Provide either ZEROOS_ROOT_PASSWORD_HASH (preferred, SHA-512 crypt) or ZEROOS_ROOT_PASSWORD (plain, will be hashed during build)
+# Legacy variable names also supported: ROOT_PASSWORD_HASH / ROOT_PASSWORD
+# Passwordless root is the default for branded builds when no password is provided.
+ZEROOS_PASSWORDLESS_ROOT="true"
+# ZEROOS_ROOT_PASSWORD_HASH=""    # optional, preferred when setting a password
+# ZEROOS_ROOT_PASSWORD=""         # optional, dev-only; if set, overrides passwordless
 # Feature flags
 ENABLE_STRIP="true"
 ENABLE_UPX="true"
--- a/config/packages.list
+++ b/config/packages.list
@@ -7,6 +7,7 @@ alpine-baselayout
 alpine-baselayout-data
 busybox
 musl
+agetty

 # Module loading & hardware detection
 eudev
@@ -17,6 +18,7 @@ kmod

 # Console/terminal management
 util-linux
+wget

 # Essential networking (for Zero-OS connectivity)
 iproute2
--- a/config/zinit/getty.yaml
+++ b/config/zinit/getty.yaml
@@ -1,2 +1,2 @@
-exec: /sbin/getty -L 115200 ttyS0 vt100
+exec: /sbin/agetty -a root -L 115200 ttyS0 vt100
 restart: always
--- a/config/zinit/gettyconsole.yaml
+++ b/config/zinit/gettyconsole.yaml
@@ -1,2 +1,2 @@
-exec: /sbin/getty -L 115200 console vt100
+exec: /bin/sh
 restart: always
--- a/config/zinit/init/network.sh
+++ b/config/zinit/init/network.sh
@@ -4,4 +4,5 @@ set -e
 if ! getent group dhcpcd >/dev/null 2>&1; then addgroup -S dhcpcd 2>/dev/null || true; fi
 if ! getent passwd dhcpcd >/dev/null 2>&1; then adduser -S -H -D -s /sbin/nologin -G dhcpcd dhcpcd 2>/dev/null || true; fi
 # Exec dhcpcd (will run as root if it cannot drop to dhcpcd user)
-exec dhcpcd ""
+interfaces=$(ip -br l | awk '!/lo/&&!/my0/{print $1}')
+exec dhcpcd $interfaces