diff options
author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2020-07-21 22:30:16 +0100 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2020-07-22 21:22:41 +0100 |
commit | c4a53ebf7a51674a14f2273bb6fac382ca75f9eb (patch) | |
tree | c0ce644a485cd87b6d4983587c1178f1b2ff0853 /man/systemd-firstboot.xml | |
parent | eced0d2a46774a40021fd8e5d624461bc107a46e (diff) | |
download | systemd-c4a53ebf7a51674a14f2273bb6fac382ca75f9eb.tar.gz |
firstboot: Tighten up passwd/shadow handling
There are a lot of edge cases that the current implementation
doesn't handle, especially in cases where one of passwd/shadow
exists and the other doesn't exist. For example, if
--root-password is specified, we will write /etc/shadow but
won't add a root entry to /etc/passwd if there is none.
To fix some of these issues, we constrain systemd-firstboot to
only modify /etc/passwd and /etc/shadow if both do not exist
already (or --force) is specified. On top of that, we calculate
all necessary information for both passwd and shadow upfront so
we can take it all into account when writing the actual files.
If no root password options are given --force is specified or both
files do not exist, we lock the root account for security purposes.
Diffstat (limited to 'man/systemd-firstboot.xml')
-rw-r--r-- | man/systemd-firstboot.xml | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/man/systemd-firstboot.xml b/man/systemd-firstboot.xml index 491ca6e9bf..8c9ea80f15 100644 --- a/man/systemd-firstboot.xml +++ b/man/systemd-firstboot.xml @@ -164,9 +164,10 @@ <term><option>--root-password-file=<replaceable>PATH</replaceable></option></term> <term><option>--root-password-hashed=<replaceable>HASHED_PASSWORD</replaceable></option></term> - <listitem><para>Sets the password of the system's root user. This creates a + <listitem><para>Sets the password of the system's root user. This creates/modifies the + <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry> and <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry> - file. This setting exists in three forms: <option>--root-password=</option> accepts the password to + files. This setting exists in three forms: <option>--root-password=</option> accepts the password to set directly on the command line, <option>--root-password-file=</option> reads it from a file and <option>--root-password-hashed=</option> accepts an already hashed password on the command line. See <citerefentry project='die-net'><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry> |