[lxc-devel] [PATCH 4/4] Added root_password_expired password control tuning knob.

Stéphane Graber stgraber at ubuntu.com
Sun Mar 23 00:56:39 UTC 2014


On Sat, Mar 22, 2014 at 01:59:59PM -0400, Michael H. Warfield wrote:
> Added root_password_expired password control tuning knob.
> 
> Added the environment variable "root_password_expired" to
> control if the initial, temporary, root password is initially
> set up as "expired".  If set to "yes" (default), the root password
> is set as "expired" and the user must change it at first login.
> 
> Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  templates/lxc-centos.in | 21 +++++++++++++++++----
>  templates/lxc-fedora.in | 21 +++++++++++++++++----
>  2 files changed, 34 insertions(+), 8 deletions(-)
> 
> diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> index 6d9e512..238159a 100644
> --- a/templates/lxc-centos.in
> +++ b/templates/lxc-centos.in
> @@ -29,7 +29,7 @@
>  #Configurations
>  default_path=@LXCPATH@
>  
> -# Some combinations of the tunning knobs below do not exactly make sense.
> +# Some combinations of the tuning knobs below do not exactly make sense.
>  # but that's ok.
>  #
>  # If the "root_password" is non-blank, use it, else set a default.
> @@ -45,6 +45,8 @@ default_path=@LXCPATH@
>  # If root_store_password = yes, store it in the configuration directory
>  # If root_prompt_password = yes, invoke "passwd" to force the user to change
>  # the root password after the container is created.
> +# If root_expire_password = yes, you will be prompted to change the root
> +# password at the first login.
>  #
>  # These are conditional assignments...  The can be overridden from the
>  # preexisting environment variables...
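
Review bot: the name documented in the two added comment lines, root_expire_password, does not match the commit subject and message, which call the knob root_password_expired. Someone who exports the name given in the commit message gets the default "yes" with no error. Please make the commit message and the variable agree on one name.
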
> @@ -61,6 +63,10 @@ default_path=@LXCPATH@
>  # with users running under the API...  Don't default to "yes"
>  : ${root_prompt_password='no'}
>  
> +# Expire root password? Default to yes, but can be overridden from
> +# the environment variable
> +: ${root_expire_password='yes'}
> +
>  # These are only going into comments in the resulting config...
>  lxc_network_type=veth
>  lxc_network_link=lxcbr0
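
Review bot: the added default, : ${root_expire_password='yes'}, only takes effect when the variable is unset; if it is exported but empty it stays empty. Using : ${root_expire_password:='yes'} would cover that case, and the comment above it could state that "yes" is the only value that enables expiry.
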
> @@ -346,8 +352,12 @@ EOF
>      fi
>  
>      echo "root:$root_password" | chroot $rootfs_path chpasswd
> -    # Also set this password as expired to force the user to change it!
> -    chroot $rootfs_path passwd -e root
> +
> +    if [ ${root_expire_password} = "yes" ]
> +    then
> +        # Also set this password as expired to force the user to change it!
> +        chroot $rootfs_path passwd -e root
> +    fi
>  
>      # This will need to be enhanced for CentOS 7 when systemd
>      # comes into play...   /\/\|=mhw=|\/\/
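
Review bot: the expansion in the added test, if [ ${root_expire_password} = "yes" ], is unquoted, so an empty value or one containing whitespace makes [ fail with a syntax error, the branch is skipped, and the temporary root password is left unexpired. Quote it as [ "${root_expire_password}" = "yes" ]. Any value other than the exact string yes (Yes, true, 1) also disables expiry; consider skipping expiry only when the value is explicitly no, so that a typo keeps the safer behaviour.
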
> @@ -900,7 +910,9 @@ then
>  "
>      chroot ${rootfs_path} passwd
>  else
> -    echo "
> +    if [ ${root_expire_password} = "yes" ]
> +    then
> +        echo "
>  The root password is set up as "expired" and will require it to be changed
>  at first login, which you should do as soon as possible.  If you lose the
>  root password or wish to change it without starting the container, you
> @@ -909,4 +921,5 @@ also reset the expired flag):
>  
>          chroot ${rootfs_path} passwd
>  "
> +    fi
>  fi
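
Review bot: with the message now wrapped in if [ ${root_expire_password} = "yes" ] and closed by the added fi, this else branch prints nothing when expiry is turned off, so the user gets no hint that the initial root password is still in force. An else branch with a short message saying the password was not expired, and that chroot ${rootfs_path} passwd changes it, would keep that path from being silent.
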
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 16f0c55..5414b4e 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -29,7 +29,7 @@
>  #Configurations
>  default_path=@LXCPATH@
>  
> -# Some combinations of the tunning knobs below do not exactly make sense.
> +# Some combinations of the tuning knobs below do not exactly make sense.
>  # but that's ok.
>  #
>  # If the "root_password" is non-blank, use it, else set a default.
> @@ -45,6 +45,8 @@ default_path=@LXCPATH@
>  # If root_store_password = yes, store it in the configuration directory
>  # If root_prompt_password = yes, invoke "passwd" to force the user to change
>  # the root password after the container is created.
> +# If root_expire_password = yes, you will be prompted to change the root
> +# password at the first login.
>  #
>  # These are conditional assignments...  The can be overridden from the
>  # preexisting environment variables...
> @@ -61,6 +63,10 @@ default_path=@LXCPATH@
>  # with users running under the API...  Don't default to "yes"
>  : ${root_prompt_password='no'}
>  
> +# Expire root password? Default to yes, but can be overridden from
> +# the environment variable
> +: ${root_expire_password='yes'}
> +
>  # These are only going into comments in the resulting config...
>  lxc_network_type=veth
>  lxc_network_link=lxcbr0
> @@ -294,8 +300,12 @@ EOF
>      fi
>  
>      echo "root:$root_password" | chroot $rootfs_path chpasswd
> -    # Also set this password as expired to force the user to change it!
> -    chroot $rootfs_path passwd -e root
> +
> +    if [ ${root_expire_password} = "yes" ]
> +    then
> +        # Also set this password as expired to force the user to change it!
> +        chroot $rootfs_path passwd -e root
> +    fi
>  
>      # specifying this in the initial packages doesn't always work.
>      # Even though it should have...
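
Review bot: the exit status of chroot $rootfs_path passwd -e root inside the new if is not checked, while the message printed at the end of the template states that the root password is set up as "expired". If passwd fails in the chroot, the password stays valid and that message is wrong. Check the status and warn, or print the expiry message only when the command succeeded.
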
> @@ -1412,7 +1422,9 @@ then
>  "
>      chroot ${rootfs_path} passwd
>  else
> -    echo "
> +    if [ ${root_expire_password} = "yes" ]
> +    then
> +        echo "
>  The root password is set up as "expired" and will require it to be changed
>  at first login, which you should do as soon as possible.  If you lose the
>  root password or wish to change it without starting the container, you
> @@ -1421,4 +1433,5 @@ also reset the expired flag):
>  
>          chroot ${rootfs_path} passwd
>  "
> +    fi
>  fi
> -- 
> 1.8.3.1
> 
> 
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 





-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com