branding: enforce passwordless root via passwd -d -R; remove direct passwd/shadow edits

initramfs: switch to passwd -d -R in scripts/lib/initramfs.sh:initramfs_finalize_customization() for shadow-aware passwordless root (aligned with 9423b708 intent), drop sed and chpasswd paths, and add validation diagnostics. common: normalize INSTALL_DIR/COMPONENTS_DIR/KERNEL_DIR/DIST_DIR to absolute paths after sourcing config to prevent validation resolving under kernel/current. Dockerfile: include shadow (for passwd/chpasswd), ensure openssl and openssl-dev present; remove perl. config: introduce ZEROOS_PASSWORDLESS_ROOT default true and comment password vars. docs: NOTES.md updated with diagnostics and flow.
2025-09-09 13:59:44 +02:00
parent e70a35ddc8
commit c10580d171
14 changed files with 137 additions and 20 deletions
--- a/config/build.conf
+++ b/config/build.conf
@@ -49,6 +49,13 @@ KERNEL_SOURCE_URL="https://cdn.kernel.org/pub/linux/kernel"
 ZEROOS_BRANDING="true"
 ZEROOS_REBRANDING="true"

+# Root account configuration
+# Provide either ZEROOS_ROOT_PASSWORD_HASH (preferred, SHA-512 crypt) or ZEROOS_ROOT_PASSWORD (plain, will be hashed during build)
+# Legacy variable names also supported: ROOT_PASSWORD_HASH / ROOT_PASSWORD
+# Passwordless root is the default for branded builds when no password is provided.
+ZEROOS_PASSWORDLESS_ROOT="true"
+# ZEROOS_ROOT_PASSWORD_HASH=""    # optional, preferred when setting a password
+# ZEROOS_ROOT_PASSWORD=""         # optional, dev-only; if set, overrides passwordless
 # Feature flags
 ENABLE_STRIP="true"
 ENABLE_UPX="true"