Relentnet/MarineComOS_RPI
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Create a DISABLE_FIRST_BOOT_USER_RENAME flag to be set in config (#618)

Browse Source 
Closes #614
This commit is contained in:
Romain Bazile 2022-06-17 16:45:08 +02:00 committed by GitHub
parent 3385618efb
commit 01b2432007
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -175,14 +175,23 @@ The following environment variables are supported:
To get the current value from a running system, look in To get the current value from a running system, look in
`/etc/timezone`. `/etc/timezone`.
* `FIRST_USER_NAME` (Default: "pi" ) * `FIRST_USER_NAME` (Default: `pi`)
Username for the first user Username for the first user. This user only exists during the image creation process. Unless
`DISABLE_FIRST_BOOT_USER_RENAME` is set to `1`, this user will be renamed on the first boot with
a name chosen by the final user. This security feature is designed to prevent shipping images
with a default username and help prevent malicious actors from taking over your devices.
* `FIRST_USER_PASS` (Default: unset) * `FIRST_USER_PASS` (Default: unset)
Password for the first user. If unset, the account is locked. Password for the first user. If unset, the account is locked.
* `DISABLE_FIRST_BOOT_USER_RENAME` (Default: `0`)
Disable the renaming of the first user during the first boot. This make it so `FIRST_USER_NAME`
stays activated. `FIRST_USER_PASS` must be set for this to work. Please be aware of the implied
security risk of defining a default username and password for your devices.
* `WPA_ESSID`, `WPA_PASSWORD` and `WPA_COUNTRY` (Default: unset) * `WPA_ESSID`, `WPA_PASSWORD` and `WPA_COUNTRY` (Default: unset)
If these are set, they are use to configure `wpa_supplicant.conf`, so that the Raspberry Pi can automatically connect to a wireless network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wireless network will be configured. If set, `WPA_PASSWORD` must be between 8 and 63 characters. If these are set, they are use to configure `wpa_supplicant.conf`, so that the Raspberry Pi can automatically connect to a wireless network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wireless network will be configured. If set, `WPA_PASSWORD` must be between 8 and 63 characters.

12
build.sh
View File

@ -225,6 +225,7 @@ export TARGET_HOSTNAME=${TARGET_HOSTNAME:-raspberrypi}
export FIRST_USER_NAME=${FIRST_USER_NAME:-pi} export FIRST_USER_NAME=${FIRST_USER_NAME:-pi}
export FIRST_USER_PASS export FIRST_USER_PASS
export DISABLE_FIRST_BOOT_USER_RENAME=${DISABLE_FIRST_BOOT_USER_RENAME:-0}
export RELEASE=${RELEASE:-bullseye} export RELEASE=${RELEASE:-bullseye}
export WPA_ESSID export WPA_ESSID
export WPA_PASSWORD export WPA_PASSWORD
@ -290,6 +291,17 @@ if [[ ! "$FIRST_USER_NAME" =~ ^[a-z][-a-z0-9_]*$ ]]; then
exit 1 exit 1
fi fi
if [[ "$DISABLE_FIRST_BOOT_USER_RENAME" == "1" ]] && [ -z "${FIRST_USER_PASS}" ]; then
echo "To disable user rename on first boot, FIRST_USER_PASS needs to be set"
echo "Not setting FIRST_USER_PASS makes your system vulnerable and open to cyberattacks"
exit 1
fi
if [[ "$DISABLE_FIRST_BOOT_USER_RENAME" == "1" ]]; then
echo "User rename on the first boot is disabled"
echo "Be advised of the security risks linked to shipping a device with default username/password set."
fi
if [[ -n "${APT_PROXY}" ]] && ! curl --silent "${APT_PROXY}" >/dev/null ; then if [[ -n "${APT_PROXY}" ]] && ! curl --silent "${APT_PROXY}" >/dev/null ; then
echo "Could not reach APT_PROXY server: ${APT_PROXY}" echo "Could not reach APT_PROXY server: ${APT_PROXY}"
exit 1 exit 1

8
export-image/01-user-rename/01-run.sh
View File

@ -1,5 +1,7 @@
#!/bin/bash -e #!/bin/bash -e
on_chroot << EOF if [[ "${DISABLE_FIRST_BOOT_USER_RENAME}" == "0" ]]; then
SUDO_USER="${FIRST_USER_NAME}" rename-user -f -s on_chroot <<- EOF
EOF SUDO_USER="${FIRST_USER_NAME}" rename-user -f -s
EOF
fi