initial deflogin feature (security sensitive!)

conf.d/vm.mk

@@ -4,6 +4,7 @@ ifeq (vm,$(IMAGE_CLASS))
 vm/net: vm/bare use/vm-net/dhcp use/vm-ssh; @:
 
 # NB: use/x11 employs some installer-feature packages
-vm/icewm: vm/net use/cleanup/installer use/repo +icewm; @:
+vm/icewm: vm/net use/cleanup/installer use/repo use/deflogin/altlinuxroot \
+	use/x11/xorg use/x11/lightdm/gtk use/x11-autologin +icewm; @:
 
 endif

features.in/build-vm/config.mk

 # hooked from ../../lib/sugar.mk
-use/build-vm: sub/rootfs@/ use/kernel
+use/build-vm: sub/rootfs@/ use/kernel use/deflogin
 	@$(call add_feature)
-	@$(call xport,ROOTPW)

features.in/build-vm/image-scripts.d/00-root

-#!/bin/sh
-
-if [ -n "$GLOBAL_ROOTPW" ]; then
-	if type -t chpasswd >&/dev/null; then
-		echo "root:$GLOBAL_ROOTPW" | chpasswd
-	else
-		echo "** warning: chpasswd binary missing" >&2
-	fi
-else
-	echo "** warning: no root password provided, you're on your own" >&2
-fi

features.in/build-vm/lib/90-build-vm.mk

@@ -11,10 +11,6 @@ IMAGE_PACKAGES = $(DOT_BASE) \
 VM_TARBALL := $(IMAGE_OUTDIR)/$(IMAGE_NAME).tar
 VM_RAWDISK := $(IMAGE_OUTDIR)/$(IMAGE_NAME).raw
 
-ifeq (,$(ROOTPW))
-$(error please provide root password via ROOTPW)
-endif
-
 check-sudo:
 	@if ! type -t sudo >&/dev/null; then \
 		echo "** error: sudo not available, see doc/vm.txt" >&2; \
@@ -43,7 +39,6 @@ convert-image: prepare-image
 	fi
 
 run-image-scripts: GLOBAL_CLEANUP_PACKAGES := $(CLEANUP_PACKAGES)
-run-image-scripts: GLOBAL_ROOTPW := $(ROOTPW)
 
 # override
 pack-image: MKI_PACK_RESULTS := tar:$(VM_TARBALL)

features.in/deflogin/README

+Эта фича конфигурирует root login и пользователей по умолчанию.
+
+ВНИМАНИЕ: применяйте разумно, т.к. крайне легко создать и оставить
+          дыру в безопасности!

features.in/deflogin/config.mk

+# WARNING: the variable values are stored in build config/log!
+use/deflogin:
+	@$(call add_feature)
+	@$(call add,THE_PACKAGES,shadow-utils)
+	@$(call xport,ROOTPW)
+	@$(call xport,USERS)
+	@$(call xport,GROUPS)
+
+# some presets
+# USERS variable chunk format is "login:passwd:admin:sudo"
+# GROUPS are just stashed there to include USERS logins created
+
+# livecd: root and altlinux users with no password at all
+use/deflogin/empty: use/deflogin use/deflogin/altlinux
+	@$(call set,ROOTPW,)
+	@$(call add,USERS,altlinux::1:1)
+
+# mostly used to allow access to videocard and desktop related hardware
+use/deflogin/xgrp: use/deflogin
+	@$(call add,GROUPS,xgrp)
+
+# appliances: "root:altlinux"; "altlinux:root" in "xgrp" group
+use/deflogin/altlinuxroot: use/deflogin/xgrp
+	@$(call try,ROOTPW,altlinux)
+	@$(call add,USERS,altlinux:root:1:1)
+
+# could also be passed on the commandline
+use/deflogin/root: use/deflogin
+	@$(call try,ROOTPW,altlinux)

features.in/deflogin/rootfs/image-scripts.d/50-root

+#!/bin/sh
+# set root password if any; no-op if it is unset
+
+test="${GLOBAL_ROOTPW=:unset}"
+
+if [ "$test" = ":unset" ]; then
+	echo "** warning: no root password provided, you're on your own" >&2
+else
+	echo "$GLOBAL_ROOTPW" | passwd --stdin root
+fi

features.in/deflogin/rootfs/image-scripts.d/50-users

+#!/bin/bash
+# add regular user(s) assigning passwords and attributes of power
+
+# NB: care that the utilities exist; shadow-utils is warranted
+
+add_user() {
+	useradd -m "$1" &&
+	usermod -p "" "$1" &&
+	if [ -n "$GLOBAL_GROUPS" ]; then
+		usermod -a --groups "${GLOBAL_GROUPS// /,}" "$1" # bashism
+	fi ||
+	echo "*** failed to add user '$1'"
+}
+
+set_password() { echo "$1:$2" | chpasswd; }
+
+set_admin() { usermod -a --groups "wheel" "$1"; }
+
+set_sudo() {
+	[ ! -w "/etc/sudoers" ] ||
+		echo "$1\tALL=(ALL) ALL" >> "/etc/sudoers"
+}
+
+# chpasswd is inteded for batch use but that would be less comprehensible
+[ -z "$GLOBAL_USERS" ] ||
+	echo "$GLOBAL_USERS" \
+	| tr ' ' '\n' \
+	| while IFS=':' read login passwd admin sudo; do
+		add_user "$login"
+		[ -z "$passwd" ] || set_password "$login" "$passwd"
+		[ -z "$admin" ] || set_admin "$login"
+		[ -z "$sudo" ] || set_sudo "$login"
+	done