Jan De Landtsheer
c10580d171
initramfs: switch to passwd -d -R in scripts/lib/initramfs.sh:initramfs_finalize_customization() for shadow-aware passwordless root (aligned with 9423b708 intent), drop sed and chpasswd paths, and add validation diagnostics. common: normalize INSTALL_DIR/COMPONENTS_DIR/KERNEL_DIR/DIST_DIR to absolute paths after sourcing config to prevent validation resolving under kernel/current. Dockerfile: include shadow (for passwd/chpasswd), ensure openssl and openssl-dev present; remove perl. config: introduce ZEROOS_PASSWORDLESS_ROOT default true and comment password vars. docs: NOTES.md updated with diagnostics and flow.
57 lines
3.0 KiB
Markdown
57 lines
3.0 KiB
Markdown
Zero-OS Branding Diagnostics and Notes
|
||
|
||
Context
|
||
- Goal: Branding flags should enable passwordless root in initramfs and update /etc/{issue,motd}.
|
||
- Source of truth for flags: [config/build.conf](config/build.conf)
|
||
- Implementation hook: [bash.initramfs_finalize_customization()](scripts/lib/initramfs.sh:575) called from [bash.initramfs_create_cpio()](scripts/lib/initramfs.sh:663) just before CPIO creation.
|
||
|
||
Observed issue in latest build
|
||
- Branding flags were set: logs showed "Branding debug: ZEROOS_BRANDING=true ... _branding=true".
|
||
- Both /etc/passwd and /etc/shadow exist in initramfs; Alpine uses shadow for authentication.
|
||
- The script only edited /etc/passwd, leaving /etc/shadow unchanged; login still required a password.
|
||
- Evidence (from build logs):
|
||
- Preview /etc/passwd (pre): root:(x):0:0:root:/root:/bin/sh
|
||
- Preview /etc/shadow (pre): root:(***):...
|
||
- Preview /etc/passwd (post): root:(x):0:0:root:/root:/bin/sh
|
||
- Preview /etc/shadow (post): root:(***):...
|
||
|
||
Root cause
|
||
- Editing /etc/passwd is ineffective when /etc/shadow is present; the pw field is ignored in passwd and 'x' indicates to consult shadow.
|
||
|
||
Fix implemented
|
||
- Change in [bash.initramfs_finalize_customization()](scripts/lib/initramfs.sh:575):
|
||
- Prefer editing /etc/shadow for root’s password field; fallback to /etc/passwd if shadow is absent.
|
||
- Command used:
|
||
- sed -i 's/^root:[^:]*:/root::/' "${initramfs_dir}/etc/shadow"
|
||
- Diagnostics retained:
|
||
- Logs branding vars, presence/perms of /etc/{shadow,passwd}, and sanitized previews pre/post.
|
||
|
||
Verification plan
|
||
- Minimal rebuild to re-run finalize:
|
||
- rm -f .build-stages/initramfs_create.done .build-stages/initramfs_test.done
|
||
- DEBUG=1 ./scripts/build.sh --skip-tests
|
||
- Confirm in logs:
|
||
- "✓ Root password removed in /etc/shadow (passwordless root)"
|
||
- Preview /etc/shadow (post): root:(***): with empty field notation "root::" internally.
|
||
- Optional deeper check by inspecting the archive:
|
||
- cd dist && mkdir tmp && cd tmp
|
||
- xz -dc ../initramfs.cpio.xz | cpio -idv
|
||
- grep '^root:' ./etc/shadow | sed 's/^\(root:\)[^:]*:/\1(***):/'
|
||
- Expected: the second field is empty (root::...).
|
||
|
||
Behavior and safety notes
|
||
- Permissions: /etc/shadow typically 640 root:shadow; the fix does not alter permissions.
|
||
- Passwordless root in initramfs is intended only when [config/build.conf](config/build.conf) sets ZEROOS_BRANDING="true" (or ZEROOS_REBRANDING="true").
|
||
- The change affects only the initramfs image; not the host system.
|
||
|
||
Code references
|
||
- Branding guard and customization: [bash.initramfs_finalize_customization()](scripts/lib/initramfs.sh:575)
|
||
- Archive creation entry point: [bash.initramfs_create_cpio()](scripts/lib/initramfs.sh:663)
|
||
- Build orchestrator: [bash.main_build_process()](scripts/build.sh:213)
|
||
|
||
Notes usage
|
||
- This file (docs/NOTES.md) is the session-to-session log of debugging and decisions.
|
||
- For finalized policies, consider adding docs/DECISIONS.md.
|
||
|
||
Change log
|
||
- 2025-09-09: Added diagnostics and implemented shadow-first passwordless root; documented verification steps. |