[arch-commits] Commit in systemd/trunk (PKGBUILD initcpio-install-systemd)
Christian Hesse
eworm at archlinux.org
Wed Jun 10 20:07:40 UTC 2020
Date: Wednesday, June 10, 2020 @ 20:07:40
Author: eworm
Revision: 388767
lock the root account in initramfs...
but allow to overwrite shadow file in initramfs with custom
/etc/shadow.initramfs.
Modified:
systemd/trunk/PKGBUILD
systemd/trunk/initcpio-install-systemd
--------------------------+
PKGBUILD | 2 +-
initcpio-install-systemd | 11 ++++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-06-10 18:58:28 UTC (rev 388766)
+++ PKGBUILD 2020-06-10 20:07:40 UTC (rev 388767)
@@ -44,7 +44,7 @@
'e38c7c422c82953f9c2476a5ab8009d614cbec839e4088bff5db7698ddc84e3d8ed64f32ed323f57b1913c5c9703546f794996cb415ed7cdda930b627962a3c4'
'85d11bbbb5c10016e4a67eec051315e2e292939844f260bf698018c5bd1c516c28444f635eb15832a23e26891c4beda14bacfa57fdeda45c00f1b653abe3b123'
'f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73'
- 'e5dfc897f281dcfa89dc81b4f24a4098a49b190bff49cea313c20d4ad019e8ebbe07cbe84232bae0579d103bc66ce96d098e0dbd0a93efd19d249ac742060038'
+ '3e41c029728d80f469375ae1a0fd2107ede128c91ddf58e57058dd45cfd1403f8f0e75de4c1d4349acad84aea9d0011fdb8e1955335dfb619bddd61613dce6ee'
'a25b28af2e8c516c3a2eec4e64b8c7f70c21f974af4a955a4a9d45fd3e3ff0d2a98b4419fe425d47152d5acae77d64e69d8d014a7209524b75a81b0edb10bf3a'
'61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648'
'c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5'
Modified: initcpio-install-systemd
===================================================================
--- initcpio-install-systemd 2020-06-10 18:58:28 UTC (rev 388766)
+++ initcpio-install-systemd 2020-06-10 20:07:40 UTC (rev 388767)
@@ -169,8 +169,17 @@
'group: files' \
'shadow: files'
+ # By default we lock the root account in initramfs. A failed service or
+ # timeout must not open the opportunity of an unprotected root shell.
+ # Overwrite the shadow file in initramfs by creating custom
+ # /etc/shadow.initramfs. Be warned: The file may leak from encrypted to
+ # unencrypted storage.
echo "root:x:0:0:root:/:/bin/sh" >"$BUILDROOT/etc/passwd"
- echo "root::::::::" >"$BUILDROOT/etc/shadow"
+ if [ -s /etc/shadow.initramfs ]; then
+ add_file /etc/shadow.initramfs /etc/shadow
+ else
+ echo 'root:*:::::::' >"$BUILDROOT/etc/shadow"
+ fi
getent group root audio disk input kmem kvm lp optical render storage tty uucp video | awk -F: ' { print $1 ":x:" $3 ":" }' >"$BUILDROOT/etc/group"
add_dir "/etc/modules-load.d"
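Review bot: The `-s` test before `add_file /etc/shadow.initramfs /etc/shadow` only checks that the override is non-empty, so a file whose root entry has an empty password field is copied as-is and brings back the passwordless root shell that the new comment says must not be reachable. A content check before the copy would catch this, e.g. `awk -F: '$1 == "root" && $2 == "" { bad = 1 } END { exit bad }' /etc/shadow.initramfs`, falling back to the locked `root:*:::::::` entry with a build-time warning when it fails. The copy also passes no mode argument, so the hashes presumably keep the source file's mode inside the image, and anyone who can read the generated image can read them; the comment could state this alongside the note about unencrypted storage. The enclosing function starts and ends outside this hunk.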