From 8028e1054a596077fe7b15d4c254c5d37289ebd6 Mon Sep 17 00:00:00 2001 From: Radostin Stoyanov Date: Fri, 21 Jul 2017 13:13:20 +0100 Subject: Drop need of root privileges to set root password These changes aim to avoid the requirement for root privileges when setting the password of root user on root file system. The "-R, --root" flag of chpasswd is using chroot to apply changes in root file system and this requires root privileges. [1] Instead compute hash of the root password using passlib [2] and insert the value in the /etc/shadow file in the rootfs. [1] https://en.wikipedia.org/wiki/Chroot#Limitations [2] http://passlib.readthedocs.io/en/stable/lib/passlib.hosts.html --- src/virtBootstrap/utils.py | 33 +++++++++++++++++++++++++++++++++ src/virtBootstrap/virt_bootstrap.py | 18 +++--------------- 2 files changed, 36 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/virtBootstrap/utils.py b/src/virtBootstrap/utils.py index a65d3f5..e1e681c 100644 --- a/src/virtBootstrap/utils.py +++ b/src/virtBootstrap/utils.py @@ -32,6 +32,7 @@ import tempfile import logging from subprocess import CalledProcessError, PIPE, Popen +import passlib.hosts # pylint: disable=invalid-name # Create logger @@ -331,6 +332,38 @@ def str2float(element): return None +def set_root_password(rootfs, password): + """ + Set password on the root user within root filesystem + """ + shadow_file = os.path.join(rootfs, "etc/shadow") + + shadow_file_permissions = os.stat(shadow_file)[0] + # Set read-write permissions to shadow file + # 438 = 0110110110 = -rw-rw-rw- + os.chmod(shadow_file, 438) + try: + with open(shadow_file) as orig_file: + shadow_content = orig_file.read().split('\n') + + for index, line in enumerate(shadow_content): + if line.startswith('root'): + line_split = line.split(':') + line_split[1] = passlib.hosts.linux_context.hash(password) + shadow_content[index] = ':'.join(line_split) + break + + with open(shadow_file, "w") as new_file: + new_file.write('\n'.join(shadow_content)) + + except Exception: + raise + + finally: + # Restore original permissions + os.chmod(shadow_file, shadow_file_permissions) + + def write_progress(prog): """ Write progress output to console diff --git a/src/virtBootstrap/virt_bootstrap.py b/src/virtBootstrap/virt_bootstrap.py index c66cc92..b43c87e 100755 --- a/src/virtBootstrap/virt_bootstrap.py +++ b/src/virtBootstrap/virt_bootstrap.py @@ -27,7 +27,6 @@ import logging import sys import os from textwrap import dedent -from subprocess import CalledProcessError, Popen, PIPE try: from urlparse import urlparse except ImportError: @@ -70,18 +69,6 @@ def get_source(source_type): raise Exception("Invalid image URL scheme: '%s'" % source_type) -def set_root_password(rootfs, password): - """ - Set password on the root user in rootfs - """ - users = 'root:%s' % password - args = ['chpasswd', '-R', rootfs] - chpasswd = Popen(args, stdin=PIPE) - chpasswd.communicate(input=users.encode('utf-8')) - if chpasswd.returncode != 0: - raise CalledProcessError(chpasswd.returncode, cmd=args, output=None) - - # pylint: disable=too-many-arguments def bootstrap(uri, dest, fmt='dir', @@ -117,8 +104,9 @@ def bootstrap(uri, dest, no_cache=no_cache, progress=prog).unpack(dest) - if root_password is not None: - set_root_password(dest, root_password) + if fmt == "dir" and root_password is not None: + logger.info("Setting password of the root account") + utils.set_root_password(dest, root_password) def set_logging_conf(loglevel=None): -- cgit