From 157b5a339e948abc9c5b6e942e9a51c8de860635 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Thu, 24 Jul 2014 15:49:48 -0700 Subject: [PATCH] Import patches-unapplied version 2.229 to ubuntu/utopic-proposed Imported using git-ubuntu import. Changelog parent: ce12eac0a592255d4dfc88cbc1a2f92bbe3a8b00 New changelog entries: [ Michael Terry ] * Don't set an arbitrary password for the phablet user. As we transition to using PAM as the storage medium for the user's password, we can't expect the user to know about the 'phablet' password. * And configure libnss-extrausers to store user password information instead of /etc/shadow.
---
debian/changelog | 11 ++++++++ .../ubuntu-touch/hooks/01-setup_user.chroot | 28 +++++++++++++++---- 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b12df096..0339ad41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+livecd-rootfs (2.229) utopic; urgency=medium
+
+ [ Michael Terry ]
+ * Don't set an arbitrary password for the phablet user. As we transition
+ to using PAM as the storage medium for the user's password, we can't
+ expect the user to know about the 'phablet' password.
+ * And configure libnss-extrausers to store user password information
+ instead of /etc/shadow.
+
+ -- Steve Langasek Thu, 24 Jul 2014 15:49:48 -0700
+
 livecd-rootfs (2.228) utopic; urgency=medium
 * Pass --mirror-binary in the ubuntu-rtm case too; this isn't inherited
diff --git a/live-build/ubuntu-touch/hooks/01-setup_user.chroot b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
index 20883e13..d2b46acb 100755
--- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot
+++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
@@ -6,15 +6,33 @@ UGID=32011
 echo "I: creating default user $USER"
 adduser --gecos $USER --disabled-login $USER --uid $UGID
-echo "I: set user $USER password to $USER"
-echo "$USER:$USER" | chpasswd
-
-echo "I: allowing user to log in without password"
-gpasswd -a $USER nopasswdlogin
+echo "I: set user $USER password to blank"
+passwd -d $USER
 adduser --gecos system --no-create-home --disabled-login --disabled-password system --uid 1000
 adduser --gecos radio --no-create-home --disabled-login --disabled-password radio --uid 1001
+# Enable libnss-extrusers
+sed -i 's/^group:.*compat/\0 extrausers/' /etc/nsswitch.conf
+sed -i 's/^passwd:.*compat/\0 extrausers/' /etc/nsswitch.conf
+sed -i 's/^shadow:.*compat/\0 extrausers/' /etc/nsswitch.conf
+
+# Allow using pam_extrausers, with relatively weak passwords (no obscure keyword, and with minlen=4)
+sed -i '/Primary/a password [success=2 default=ignore] pam_extrausers.so minlen=4 sha512' /etc/pam.d/common-password
+sed -i '/Primary/a auth [success=2 authinfo_unavail=ignore default=1] pam_extrausers.so nullok' /etc/pam.d/common-auth
+
+# Move user from /etc to extrausers location
+grep "^$USER" /etc/group >> /var/lib/extrausers/group
+grep "^$USER" /etc/passwd >> /var/lib/extrausers/passwd
+grep "^$USER" /etc/shadow >> /var/lib/extrausers/shadow
+chmod 0644 /var/lib/extrausers/group
+chmod 0644 /var/lib/extrausers/passwd
+chmod 0640 /var/lib/extrausers/shadow
+chown root:shadow /var/lib/extrausers/shadow
+sed -i "/^$USER/d" /etc/group
+sed -i "/^$USER/d" /etc/passwd
+sed -i "/^$USER/d" /etc/shadow
+
 # Prevent the system user from being presented in the greeter by bumping MIN_UID
 sed -i 's/^\(UID_MIN\s\+\).*/\11002/g' /etc/login.defs
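Review bot: The `grep "^$USER"` and `sed -i "/^$USER/d"` lines that move the account into /var/lib/extrausers match on a bare name prefix, so any group, passwd or shadow entry whose name merely begins with the same characters would be copied and then deleted from /etc as well. Anchoring on the field separator, `grep "^$USER:" /etc/shadow` and `sed -i "/^$USER:/d" /etc/shadow` (likewise for passwd and group), limits the move to the one account. The two `sed -i '/Primary/a …'` edits to common-password and common-auth change nothing and report no error when the marker text is absent, so a follow-up check such as `grep -q pam_extrausers.so /etc/pam.d/common-auth` would make a layout change fail the build rather than silently produce an image without those lines. Because `passwd -d` leaves an empty password and the added auth line carries `nullok`, every service that includes common-auth will presumably accept an empty password for this user until one is set; a comment saying this is intended and naming the services expected to be reachable would help. The top of the script, including whether `set -e` is in effect, is outside the hunk.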