From 6821cae1d740abeec911b7323f3a10cfb4f54ff3 Mon Sep 17 00:00:00 2001
From: Michael Terry
Date: Thu, 3 Jul 2014 15:33:55 -0400
Subject: [PATCH 1/4] Set password to blank rather than the arbitrary 'phablet'
---
 live-build/ubuntu-touch/hooks/01-setup_user.chroot | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/live-build/ubuntu-touch/hooks/01-setup_user.chroot b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
index 20883e13..254aa035 100755
--- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot
+++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
@@ -6,8 +6,8 @@ UGID=32011
 echo "I: creating default user $USER"
 adduser --gecos $USER --disabled-login $USER --uid $UGID
-echo "I: set user $USER password to $USER"
-echo "$USER:$USER" | chpasswd
+echo "I: set user $USER password to blank"
+passwd -d $USER
 echo "I: allowing user to log in without password"
 gpasswd -a $USER nopasswdlogin
From 28f16fd7d6c1d01ea7e348392ac138269c92a5b4 Mon Sep 17 00:00:00 2001
From: Michael Terry
Date: Tue, 8 Jul 2014 09:36:10 -0400
Subject: [PATCH 2/4] Allow weak passwords
---
 live-build/ubuntu-touch/hooks/01-setup_user.chroot | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/live-build/ubuntu-touch/hooks/01-setup_user.chroot b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
index 254aa035..92ad8bbb 100755
--- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot
+++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
@@ -12,6 +12,9 @@ passwd -d $USER
 echo "I: allowing user to log in without password"
 gpasswd -a $USER nopasswdlogin
+# Allow user to have weak passwords, like a PIN generally is
+sed -i 's/pam_unix.so obscure/pam_unix.so/' /etc/pam.d/common-password
+
 adduser --gecos system --no-create-home --disabled-login --disabled-password system --uid 1000
 adduser --gecos radio --no-create-home --disabled-login --disabled-password radio --uid 1001
From 422787d8ffd1d669252d44b6596e2887033ddace Mon Sep 17 00:00:00 2001
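Review bot: The added `passwd -d $USER` leaves an empty password field for the account, and nothing in the hook records that this is the intended shipped state or which services are expected to honour it. Any PAM stack configured with `nullok` will then authenticate this user with no credential, not only the greeter path enabled by `nopasswdlogin` on the following context lines; whether a remote login service is present on the image is not visible here. I would add a comment such as `# Blank password is deliberate: the device boots unlocked until the user sets a PIN; remote login must reject empty passwords`, and quote the expansion as `passwd -d "$USER"`. The script continues outside the hunk.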
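Review bot: The added `sed -i 's/pam_unix.so obscure/pam_unix.so/'` succeeds silently when the pattern is absent, so if the packaged /etc/pam.d/common-password ever changes its pam_unix line the image is built with a password policy nobody chose and the build log shows nothing. The same applies to the later edits in this series: the `minlen=4` rewrite in patch 3 and the nsswitch.conf and pam.d edits in patch 4. A guard before the edit makes the build fail loudly: `grep -q 'pam_unix\.so obscure' /etc/pam.d/common-password || { echo "E: pam_unix obscure line not found" >&2; exit 1; }`. The `.` in the sed pattern is also an unescaped wildcard; `pam_unix\.so` matches only the module name.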
From: Michael Terry
Date: Tue, 8 Jul 2014 10:21:58 -0400
Subject: [PATCH 3/4] and allow minimum length of 4
---
 live-build/ubuntu-touch/hooks/01-setup_user.chroot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/live-build/ubuntu-touch/hooks/01-setup_user.chroot b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
index 92ad8bbb..bad37d23 100755
--- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot
+++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
@@ -13,7 +13,7 @@ echo "I: allowing user to log in without password"
 gpasswd -a $USER nopasswdlogin
 # Allow user to have weak passwords, like a PIN generally is
-sed -i 's/pam_unix.so obscure/pam_unix.so/' /etc/pam.d/common-password
+sed -i 's/pam_unix.so obscure/pam_unix.so minlen=4/' /etc/pam.d/common-password
 adduser --gecos system --no-create-home --disabled-login --disabled-password system --uid 1000
 adduser --gecos radio --no-create-home --disabled-login --disabled-password radio --uid 1001
From a1e5f638057e24490468e69c76dca7d7f490e7ba Mon Sep 17 00:00:00 2001
From: Michael Terry
Date: Fri, 18 Jul 2014 15:28:44 -0400
Subject: [PATCH 4/4] Enable libnss-extrausers
---
 .../ubuntu-touch/hooks/01-setup_user.chroot | 27 ++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/live-build/ubuntu-touch/hooks/01-setup_user.chroot b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
index bad37d23..d2b46acb 100755
--- a/live-build/ubuntu-touch/hooks/01-setup_user.chroot
+++ b/live-build/ubuntu-touch/hooks/01-setup_user.chroot
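Review bot: The comment above the changed `sed` line still says only "Allow user to have weak passwords", while the new replacement also sets `minlen=4` in common-password, which as far as this hunk shows applies to password changes for every account on the image rather than the phone user alone. I would update it to `# Allow PIN-style passwords: drop the obscure checks and lower the minimum length to 4; applies to all accounts using common-password`. A four-character secret gives the stored hash little resistance to offline guessing, so the comment should also state that protection depends on the shadow file staying unreadable to unprivileged users.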
@@ -9,15 +9,30 @@ adduser --gecos $USER --disabled-login $USER --uid $UGID
 echo "I: set user $USER password to blank"
 passwd -d $USER
-echo "I: allowing user to log in without password"
-gpasswd -a $USER nopasswdlogin
-
-# Allow user to have weak passwords, like a PIN generally is
-sed -i 's/pam_unix.so obscure/pam_unix.so minlen=4/' /etc/pam.d/common-password
-
 adduser --gecos system --no-create-home --disabled-login --disabled-password system --uid 1000
 adduser --gecos radio --no-create-home --disabled-login --disabled-password radio --uid 1001
+# Enable libnss-extrusers
+sed -i 's/^group:.*compat/\0 extrausers/' /etc/nsswitch.conf
+sed -i 's/^passwd:.*compat/\0 extrausers/' /etc/nsswitch.conf
+sed -i 's/^shadow:.*compat/\0 extrausers/' /etc/nsswitch.conf
+
+# Allow using pam_extrausers, with relatively weak passwords (no obscure keyword, and with minlen=4)
+sed -i '/Primary/a password [success=2 default=ignore] pam_extrausers.so minlen=4 sha512' /etc/pam.d/common-password
+sed -i '/Primary/a auth [success=2 authinfo_unavail=ignore default=1] pam_extrausers.so nullok' /etc/pam.d/common-auth
+
+# Move user from /etc to extrausers location
+grep "^$USER" /etc/group >> /var/lib/extrausers/group
+grep "^$USER" /etc/passwd >> /var/lib/extrausers/passwd
+grep "^$USER" /etc/shadow >> /var/lib/extrausers/shadow
+chmod 0644 /var/lib/extrausers/group
+chmod 0644 /var/lib/extrausers/passwd
+chmod 0640 /var/lib/extrausers/shadow
+chown root:shadow /var/lib/extrausers/shadow
+sed -i "/^$USER/d" /etc/group
+sed -i "/^$USER/d" /etc/passwd
+sed -i "/^$USER/d" /etc/shadow
+
 # Prevent the system user from being presented in the greeter by bumping MIN_UID
 sed -i 's/^\(UID_MIN\s\+\).*/\11002/g' /etc/login.defs
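Review bot: The six added `grep "^$USER"` and `sed -i "/^$USER/d"` lines match on a name prefix rather than the whole account name, so any other entry in /etc/passwd, /etc/group or /etc/shadow whose name begins with the same string would also be copied to /var/lib/extrausers and deleted from /etc. Anchoring on the field separator closes this: `grep "^$USER:" /etc/shadow >> /var/lib/extrausers/shadow` and `sed -i "/^$USER:/d" /etc/shadow`, likewise for passwd and group. If the extrausers shadow file does not already exist, the `>>` redirection creates it with whatever mode the build umask gives before `chmod 0640` runs; a `umask 077` ahead of the three appends avoids that window. The `success=2` jumps inserted after the `Primary` line assume a fixed number of modules follow in common-auth and common-password, which is not visible in this hunk, so a comment stating that assumption is warranted because a wrong skip count changes which module decides the result.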