From 85d7d3d01a4ad89f9442897e94bfc683479fce51 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane"
Date: Wed, 8 Aug 2018 15:46:16 -0700
Subject: [PATCH] Lock the root account, except on live-iso

If we leave the root account w/o a password people will use it that way, leading to insecure images. Also if we use a default password. So lock the root account in the templates.

Users will need to do one of these things:

1. Use [[customizations.user]] in their blueprint to configure root or another user.
2. Use [[customizations.sshkey]] to set a key for root
2. Install a package that configures a user at install time
3. Install a package that sets up a user at boot time (eg. cloud-init)

This also drops the auth line from the kickstart templates, allowing it to use the default password algoritm instead of md5.

Resolves: rhbz#1626122
---
 docs/lorax-composer.rst | 12 ++++++++++++
 share/composer/ext4-filesystem.ks | 7 ++-----
 share/composer/live-iso.ks | 8 +++-----
 share/composer/partitioned-disk.ks | 7 ++-----
 share/composer/qcow2.ks | 10 ++--------
 share/composer/tar.ks | 7 ++-----
 6 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/docs/lorax-composer.rst b/docs/lorax-composer.rst
index 257f56a8..0a9df447 100644
--- a/docs/lorax-composer.rst
+++ b/docs/lorax-composer.rst
@@ -13,6 +13,18 @@ Behind the scenes it uses `livemedia-creator `_ and `Anaconda `_ to handle the installation and configuration of the images.
+Important Things To Note
+------------------------
+
+* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
+ for image creation to work correctly. You can either edit the setting in the
+ ``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
+
+* All image types lock the root account, except for live-iso. You will need to either
+ use one of the `Customizations`_ methods for setting a ssh key/password, install a
+ package that creates a user, or use something like `cloud-init` to setup access at
+ boot time.
+
 Installation
 ------------
diff --git a/share/composer/ext4-filesystem.ks b/share/composer/ext4-filesystem.ks
index c96080c7..8c0be2cc 100644
--- a/share/composer/ext4-filesystem.ks
+++ b/share/composer/ext4-filesystem.ks
@@ -3,12 +3,9 @@
 # Firewall configuration
 firewall --enabled
-# Root password
-rootpw --plaintext removethispw
+# NOTE: The root account is locked by default
 # Network information
 network --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -34,4 +31,4 @@ rm /var/lib/systemd/random-seed
 # Packages requires to support this output format go here
 policycoreutils
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end
diff --git a/share/composer/live-iso.ks b/share/composer/live-iso.ks
index f274701f..2956d7d3 100644
--- a/share/composer/live-iso.ks
+++ b/share/composer/live-iso.ks
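Review bot: Replacing `rootpw --plaintext removethispw` with the comment `# NOTE: The root account is locked by default` makes the lock implicit: the template now relies on what the installer does when no `rootpw` command is present instead of stating it, and the partitioned-disk.ks, qcow2.ks and tar.ks hunks in this commit do the same. Kickstart has an explicit form for this, so `rootpw --lock` under the new comment would enforce the intent in the template itself rather than in an installer default that can change between releases. If lorax-composer appends a `rootpw` or `sshkey` line from blueprint customizations later in the file, confirm how a later `rootpw` combines with an earlier `--lock` before adding it; that code is not visible from this hunk. Dropping `auth --useshadow --enablemd5` is sound, provided the installer's default password algorithm is the stronger one the commit message assumes.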
@@ -1,16 +1,14 @@
 # Lorax Composer Live ISO output kickstart template
-#
+# Firewall configuration
 firewall --enabled --service=mdns
 # X Window System configuration information
 xconfig --startxonboot
-# Root password
+# Root password is removed for live-iso
 rootpw --plaintext removethispw
 # Network information
 network --bootproto=dhcp --device=link --activate
-# System authorization information
-auth --useshadow --passalgo=sha512
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -370,4 +368,4 @@ grub2-efi-ia32
 efibootmgr
-# NOTE lorax-composer will add the recipe packages below here, including the final %end%packages
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end%packages
diff --git a/share/composer/partitioned-disk.ks b/share/composer/partitioned-disk.ks
index 7f184064..5db95847 100644
--- a/share/composer/partitioned-disk.ks
+++ b/share/composer/partitioned-disk.ks
@@ -3,12 +3,9 @@
 # Firewall configuration
 firewall --enabled
-# Root password
-rootpw --plaintext removethispw
+# NOTE: The root account is locked by default
 # Network information
 network --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -35,4 +32,4 @@ kernel
 grub2
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end
diff --git a/share/composer/qcow2.ks b/share/composer/qcow2.ks
index 8f22dd2e..0900feb2 100644
--- a/share/composer/qcow2.ks
+++ b/share/composer/qcow2.ks
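Review bot: The new comment `# Root password is removed for live-iso` does not describe the line beneath it, which still sets the placeholder `rootpw --plaintext removethispw`, and nothing in this hunk removes that password. If the removal happens in a `%post` step elsewhere in live-iso.ks (the qcow2.ks hunk in this same commit shows exactly that `passwd -d root` pattern being deleted), the comment should say so, e.g. `# Placeholder root password; it is deleted in %post so the live image does not ship with a known password`, so that a later edit to `%post` cannot silently leave `removethispw` in the image. Removing `auth --useshadow --passalgo=sha512` is only neutral if the installer default is sha512; unlike the other templates, live-iso still hashes a real password, so this is the one file where that default matters.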
@@ -3,12 +3,9 @@
 # Firewall configuration
 firewall --enabled
-# Root password
-rootpw --plaintext removethispw
+# NOTE: The root account is locked by default
 # Network information
 network --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -25,9 +22,6 @@ timezone US/Eastern
 bootloader --location=mbr
 %post
-# Remove root password
-passwd -d root > /dev/null
-
 # Remove random-seed
 rm /var/lib/systemd/random-seed
 %end
@@ -37,4 +31,4 @@ kernel
 -dracut-config-rescue
 grub2
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end
diff --git a/share/composer/tar.ks b/share/composer/tar.ks
index 9e7c3b30..0f164ab2 100644
--- a/share/composer/tar.ks
+++ b/share/composer/tar.ks
@@ -3,12 +3,9 @@
 # Firewall configuration
 firewall --enabled
-# Root password
-rootpw --plaintext removethispw
+# NOTE: The root account is locked by default
 # Network information
 network --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -35,4 +32,4 @@ rm /var/lib/systemd/random-seed
 policycoreutils
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end