From 01b2432007766a6a1acc942f62d4ece7b25e560d Mon Sep 17 00:00:00 2001
From: Romain Bazile <romain@bazile.io>
Date: Fri, 17 Jun 2022 16:45:08 +0200
Subject: [PATCH] Create a `DISABLE_FIRST_BOOT_USER_RENAME` flag to be set in
 config (#618)

Closes #614
---
 README.md                             | 13 +++++++++++--
 build.sh                              | 12 ++++++++++++
 export-image/01-user-rename/01-run.sh |  8 +++++---
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 2ef35e8..a86f951 100644
--- a/README.md
+++ b/README.md
@@ -175,14 +175,23 @@ The following environment variables are supported:
    To get the current value from a running system, look in
    `/etc/timezone`.
 
- * `FIRST_USER_NAME` (Default: "pi" )
+ * `FIRST_USER_NAME` (Default: `pi`)
 
-   Username for the first user
+   Username for the first user. This user only exists during the image creation process. Unless
+   `DISABLE_FIRST_BOOT_USER_RENAME` is set to `1`, this user will be renamed on the first boot with
+   a name chosen by the final user. This security feature is designed to prevent shipping images
+   with a default username and help prevent malicious actors from taking over your devices.
 
  * `FIRST_USER_PASS` (Default: unset)
 
    Password for the first user. If unset, the account is locked.
 
+ * `DISABLE_FIRST_BOOT_USER_RENAME` (Default: `0`)
+
+   Disable the renaming of the first user during the first boot. This make it so `FIRST_USER_NAME`
+   stays activated. `FIRST_USER_PASS` must be set for this to work. Please be aware of the implied
+   security risk of defining a default username and password for your devices.
+
  * `WPA_ESSID`, `WPA_PASSWORD` and `WPA_COUNTRY` (Default: unset)
 
    If these are set, they are use to configure `wpa_supplicant.conf`, so that the Raspberry Pi can automatically connect to a wireless network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wireless network will be configured. If set, `WPA_PASSWORD` must be between 8 and 63 characters.
diff --git a/build.sh b/build.sh
index 014035c..135da35 100755
--- a/build.sh
+++ b/build.sh
@@ -225,6 +225,7 @@ export TARGET_HOSTNAME=${TARGET_HOSTNAME:-raspberrypi}
 
 export FIRST_USER_NAME=${FIRST_USER_NAME:-pi}
 export FIRST_USER_PASS
+export DISABLE_FIRST_BOOT_USER_RENAME=${DISABLE_FIRST_BOOT_USER_RENAME:-0}
 export RELEASE=${RELEASE:-bullseye}
 export WPA_ESSID
 export WPA_PASSWORD
@@ -290,6 +291,17 @@ if [[ ! "$FIRST_USER_NAME" =~ ^[a-z][-a-z0-9_]*$ ]]; then
 	exit 1
 fi
 
+if [[ "$DISABLE_FIRST_BOOT_USER_RENAME" == "1" ]] && [ -z "${FIRST_USER_PASS}" ]; then
+	echo "To disable user rename on first boot, FIRST_USER_PASS needs to be set"
+	echo "Not setting FIRST_USER_PASS makes your system vulnerable and open to cyberattacks"
+	exit 1
+fi
+
+if [[ "$DISABLE_FIRST_BOOT_USER_RENAME" == "1" ]]; then
+	echo "User rename on the first boot is disabled"
+	echo "Be advised of the security risks linked to shipping a device with default username/password set."
+fi
+
 if [[ -n "${APT_PROXY}" ]] && ! curl --silent "${APT_PROXY}" >/dev/null ; then
 	echo "Could not reach APT_PROXY server: ${APT_PROXY}"
 	exit 1
diff --git a/export-image/01-user-rename/01-run.sh b/export-image/01-user-rename/01-run.sh
index 8a5617b..f3f900f 100755
--- a/export-image/01-user-rename/01-run.sh
+++ b/export-image/01-user-rename/01-run.sh
@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
-on_chroot << EOF
-	SUDO_USER="${FIRST_USER_NAME}" rename-user -f -s
-EOF
+if [[ "${DISABLE_FIRST_BOOT_USER_RENAME}" == "0" ]]; then
+	on_chroot <<- EOF
+		SUDO_USER="${FIRST_USER_NAME}" rename-user -f -s
+	EOF
+fi