deflogin: GLOBAL_ROOTPW is always set

use/deflogin will result in ROOTPW being exported no matter is it set or not; xport() can't check before exporting as it relies on lazy evaluation when the actual ROOTPW value can be set or modified after exporting GLOBAL_ROOTPW for mkimage. So let's not even pretent we can differ unset ROOTPW from empty ROOTPW: both result in empty GLOBAL_ROOTPW as of today. Fixing this would require moving the exports into a separate makefile being included after all the configuration and checking each variable for being defined before exporting the corresponding GLOBAL_ prefixed one. Yes this might be a security fix in some cases.

deflogin: GLOBAL_ROOTPW is always set
f2892ad3 · Michael Shigorin · e00d46cf · f2892ad3 · f2892ad3
Commit f2892ad3 authored Mar 10, 2014 by Michael Shigorin
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

README features.in/deflogin/README +1 -0

50-root features.in/deflogin/rootfs/image-scripts.d/50-root +3 -3

No files found.
--- a/features.in/deflogin/README
+++ b/features.in/deflogin/README
 Эта фича конфигурирует root login и пользователей по умолчанию.
 Если ROOTPW не задан, то подходящий пароль не существует.
+Различить пустой и незаданный при текущей реализации xport() невозможно.

 ВНИМАНИЕ: применяйте разумно, т.к. крайне легко создать и оставить
          дыру в безопасности!
--- a/features.in/deflogin/rootfs/image-scripts.d/50-root
+++ b/features.in/deflogin/rootfs/image-scripts.d/50-root
 #!/bin/sh
-# set root password if any; no-op if it is unset
+# set root password if any; no-op if it is empty

-if [ "${GLOBAL_ROOTPW=:unset}" = ":unset" ]; then
-	echo "** warning: no root password provided, you're on your own" >&2
+if [ -z "$GLOBAL_ROOTPW" ]; then
+	echo "** warning: no root password provided, skipping" >&2
 else
 	echo "$GLOBAL_ROOTPW" | passwd --stdin root
 fi