From patchwork Thu May 12 04:04:33 2022
X-Patchwork-Submitter: Quirin Gylstorff
X-Patchwork-Id: 1798
From: Quirin Gylstorff
To: jan.kiszka@siemens.com, isar-users@googlegroups.com, henning.schild@siemens.com
Subject: [PATCH v2 2/2] classes/image-account-extension: Add flag to force password change on first login
Date: Thu, 12 May 2022 14:04:33 +0200
Message-Id: <20220512120433.695303-3-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20220512120433.695303-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

This avoids possible errors if `passwd --expire root` is set during package installation.

Signed-off-by: Quirin Gylstorff
---
 doc/user_manual.md                           | 1 +
 meta/classes/image-account-extension.bbclass | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/user_manual.md b/doc/user_manual.md index cdb73224..02874b6d 100644
--- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -678,6 +678,7 @@ The `USERS` and `USER_` variable works similar to the `GROUPS` and `GR - `system` - `useradd` will be called with `--system`. - `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password. - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it. + - `force-passwd-change` - Force the user to change to password on first login. #### Home directory contents prefilling diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass index caa962a0..99de8b0d 100644 --- a/meta/classes/image-account-extension.bbclass +++ b/meta/classes/image-account-extension.bbclass @@ -17,7 +17,7 @@ USERS ??= "" #USER_root[home] = "/home/root" #USER_root[shell] = "/bin/sh" #USER_root[groups] = "audio video" -#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password" +#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password force-passwd-change" GROUPS ??= "" @@ -258,5 +258,10 @@ image_configure_accounts() { printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args fi + if [ "${flags}" != "${flags%*,force-passwd-change,*}" ]; then + echo "Execute passwd to force password change on first boot for \"$name\"" + sudo -E chroot '${ROOTFSDIR}' \ + /usr/bin/passwd --expire "$name" + fi done }
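Review bot: In the added `force-passwd-change` entry of doc/user_manual.md, "change to password" should read "change the password". The entry could also say that the flag is implemented by expiring the password with `passwd --expire`, and how it is meant to combine with `allow-empty-password`, which is listed two entries above it.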
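Review bot: In `image_configure_accounts()`, the new block sits after the `fi` that closes the `chpasswd` branch, so `passwd --expire "$name"` runs for any user carrying the flag, whether or not a password was set for that user in this pass. If that is intended, please say so in the manual entry; otherwise nest the expiry inside the branch that sets the password. The test `"${flags%*,force-passwd-change,*}"` only matches when the flag has a comma on both sides, so it depends on `flags` being built with a leading and trailing comma, which is worth a short comment. Two smaller points: the echo says "on first boot" while the subject and the manual say "first login", and this call uses `sudo -E chroot` where the `chpasswd` call directly above uses plain `sudo chroot`; unless the environment is needed inside the chroot, drop `-E` for consistency.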