forked from tfgrid/zosbuilder
branding: enforce passwordless root via passwd -d -R; remove direct passwd/shadow edits
initramfs: switch to passwd -d -R in scripts/lib/initramfs.sh:initramfs_finalize_customization() for shadow-aware passwordless root (aligned with 9423b708 intent), drop sed and chpasswd paths, and add validation diagnostics. common: normalize INSTALL_DIR/COMPONENTS_DIR/KERNEL_DIR/DIST_DIR to absolute paths after sourcing config to prevent validation resolving under kernel/current. Dockerfile: include shadow (for passwd/chpasswd), ensure openssl and openssl-dev present; remove perl. config: introduce ZEROOS_PASSWORDLESS_ROOT default true and comment password vars. docs: NOTES.md updated with diagnostics and flow.
This commit is contained in:
@@ -226,14 +226,42 @@ trap cleanup_on_exit EXIT INT TERM
|
||||
BUILD_CONF="${PROJECT_ROOT}/config/build.conf"
|
||||
if [[ -f "$BUILD_CONF" ]]; then
|
||||
log_debug "Loading build configuration from: ${BUILD_CONF}"
|
||||
# shellcheck source=/dev/null
|
||||
source "$BUILD_CONF"
|
||||
else
|
||||
log_warn "Build configuration not found: ${BUILD_CONF}"
|
||||
log_warn "Using default values"
|
||||
fi
|
||||
|
||||
# Normalize key directory variables to absolute paths anchored at PROJECT_ROOT.
|
||||
# This prevents later re-sourcing from accidentally re-introducing relative paths.
|
||||
if [[ -z "${INSTALL_DIR:-}" ]]; then
|
||||
INSTALL_DIR="${PROJECT_ROOT}/initramfs"
|
||||
elif [[ "${INSTALL_DIR}" != /* ]]; then
|
||||
INSTALL_DIR="${PROJECT_ROOT}/${INSTALL_DIR#./}"
|
||||
fi
|
||||
|
||||
if [[ -z "${COMPONENTS_DIR:-}" ]]; then
|
||||
COMPONENTS_DIR="${PROJECT_ROOT}/components"
|
||||
elif [[ "${COMPONENTS_DIR}" != /* ]]; then
|
||||
COMPONENTS_DIR="${PROJECT_ROOT}/${COMPONENTS_DIR#./}"
|
||||
fi
|
||||
|
||||
if [[ -z "${KERNEL_DIR:-}" ]]; then
|
||||
KERNEL_DIR="${PROJECT_ROOT}/kernel"
|
||||
elif [[ "${KERNEL_DIR}" != /* ]]; then
|
||||
KERNEL_DIR="${PROJECT_ROOT}/${KERNEL_DIR#./}"
|
||||
fi
|
||||
|
||||
if [[ -z "${DIST_DIR:-}" ]]; then
|
||||
DIST_DIR="${PROJECT_ROOT}/dist"
|
||||
elif [[ "${DIST_DIR}" != /* ]]; then
|
||||
DIST_DIR="${PROJECT_ROOT}/${DIST_DIR#./}"
|
||||
fi
|
||||
|
||||
# Export common variables
|
||||
export SCRIPT_DIR PROJECT_ROOT
|
||||
export INSTALL_DIR COMPONENTS_DIR KERNEL_DIR DIST_DIR
|
||||
export -f log_info log_warn log_error log_debug
|
||||
export -f safe_execute section_header
|
||||
export -f command_exists in_container check_dependencies
|
||||
|
||||
@@ -580,14 +580,31 @@ function initramfs_finalize_customization() {
|
||||
# Branding guard (default disabled). Enable by setting ZEROOS_BRANDING=true (or ZEROOS_REBRANDING=true)
|
||||
local _branding="${ZEROOS_BRANDING:-${ZEROOS_REBRANDING:-false}}"
|
||||
|
||||
# Diagnostics: branding variables and environment
|
||||
log_info "Branding debug: ZEROOS_BRANDING=${ZEROOS_BRANDING:-unset} ZEROOS_REBRANDING=${ZEROOS_REBRANDING:-unset} _branding=${_branding}"
|
||||
log_info "Branding debug: PROJECT_ROOT=${PROJECT_ROOT:-unset} BUILD_CONF=${BUILD_CONF:-unset} PWD=$(pwd)"
|
||||
|
||||
# Diagnostics: which auth files exist and their perms/owners
|
||||
if [[ "${_branding}" == "true" ]]; then
|
||||
# Remove root password for passwordless login
|
||||
log_info "Branding enabled: removing root password for passwordless login"
|
||||
if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
|
||||
safe_execute sed -i 's/^root:[^:]*:/root::/' "${initramfs_dir}/etc/passwd"
|
||||
log_info "✓ Root password removed"
|
||||
# Passwordless root (legacy behavior aligned with 9423b708): remove root password
|
||||
if command_exists "passwd"; then
|
||||
log_info "Branding enabled: deleting root password via passwd -d -R '${initramfs_dir}'"
|
||||
safe_execute chroot ${initramfs_dir} passwd -d root
|
||||
log_info "✓ Root password deleted (passwordless root)"
|
||||
else
|
||||
log_warn "/etc/passwd not found, skipping password removal"
|
||||
log_error "passwd not available in build container; install 'shadow' package to enable password deletion."
|
||||
fi
|
||||
|
||||
# Diagnostics: sanitized previews (post-change)
|
||||
if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
|
||||
local _passwd_post
|
||||
_passwd_post=$(grep '^root:' "${initramfs_dir}/etc/passwd" 2>/dev/null | sed 's/^\(root:\)[^:]*:/\1(x):/')
|
||||
log_info "Preview /etc/passwd (post): ${_passwd_post:-<no root entry>}"
|
||||
fi
|
||||
if [[ -f "${initramfs_dir}/etc/shadow" ]]; then
|
||||
local _shadow_post
|
||||
_shadow_post=$(grep '^root:' "${initramfs_dir}/etc/shadow" 2>/dev/null | sed 's/^\(root:\)[^:]*:/\1(***):/')
|
||||
log_info "Preview /etc/shadow (post): ${_shadow_post:-<no root entry>}"
|
||||
fi
|
||||
|
||||
# Update /etc/motd to Zero-OS
|
||||
@@ -774,7 +791,12 @@ function initramfs_create_cpio() {
|
||||
function initramfs_validate() {
|
||||
local initramfs_dir_in="$1"
|
||||
local initramfs_dir
|
||||
|
||||
# Diagnostics to catch path/WD issues during validation
|
||||
log_info "Validation debug: input='${initramfs_dir_in}' PWD=$(pwd) PROJECT_ROOT=${PROJECT_ROOT:-unset} INSTALL_DIR=${INSTALL_DIR:-unset}"
|
||||
|
||||
initramfs_dir=$(resolve_path "${initramfs_dir_in}")
|
||||
log_info "Validation debug: resolved initramfs_dir='${initramfs_dir}'"
|
||||
|
||||
section_header "Validating initramfs contents"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user