Re: Use of '--sudo' in vmdebootstrap; live-wrapper package



On Wed, Jul 05, 2017 at 01:10:33AM +0100, Steve McIntyre wrote:
>Phil wrote:
>>
>>In a previous mail I mentioned removal of '--lock-root-password'.
>>
>>On the same line (36) of 'vm.py' is the argument passed to
>>'vmdebootstrap' of '--sudo'. Ok, according to the manual pages this
>>will force the install of the 'sudo' package. Also if a user is
>>created, it will add them to the 'sudo' group.
>>
>>However, under 'live-wrapper' I see no user creation at
>>'vmdebootstrap' creation time, thus this leaves us with 'sudo'
>>installed but any user created at install of the end result ISO image,
>>not part of the 'sudo' group.
>>
>>I see the primary purpose of the correct usage is to create a username
>>and password that can be used while running in live mode.
>>
>>Example:
>>
>>vmdebootstrap --user=debian/debian --sudo
>>
>>The above would create a user 'debian' with password 'debian' who can
>>use 'sudo' whilst running in live mode; and it is probably this
>>behaviour we would want?
>
>Not really, no. There's a special live-specific sudo config file
>/etc/sudoers.d/live which gives sudo rights to the live user without
>password.
>
>If you're trying to track down the su/sudo problem with the live
>installer, that's somewhere different. The installer is meant to write
>changes to the passwd/shadow/sudoers files at the end of the
>installation, and that doesn't seem to be working. I've been too busy
>in the last few days to look into that any deeper.

In fact, I've found the problem now.

vmdebootstrap explicitly locks the password for root in /etc/shadow
using "passwd -l". That changes the crypted root passwd from "*" to
"!*". Later on, user-setup-udeb in the installer only looks for a
locked root account containing "*". It doesn't recognise the "!*" and
assumes that's a valid password so doesn't change it.

I'll get user-setup-udeb fixed, but for now I have a quick-hack fix in
live-customise.sh to replace '!*' with '*'. All works after that
point.  \o/

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"C++ ate my sanity" -- Jon Rabone

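The mismatch described in the message above, as an added example that is not part of the original mail and not code from vmdebootstrap, user-setup-udeb or live-wrapper. The function names and the sample shadow entries are constructed for illustration; the "naive" check only models the behaviour the message describes.

```shell
#!/bin/sh
# Added example; not code from vmdebootstrap, user-setup-udeb or live-wrapper.

# Constructed sample shadow entries (the hash is a placeholder, not a real one).
sample_shadow() {
cat <<'EOF'
root:!*:17352:0:99999:7:::
daemon:*:17352:0:99999:7:::
live:$6$constructedsalt$constructedhash:17352:0:99999:7:::
EOF
}

# Print the password field of account $1; shadow data is read from stdin.
shadow_field() {
    awk -F: -v u="$1" '$1 == u { print $2 }'
}

# Check as the message describes it: only a bare "*" means "no usable password".
naive_is_unusable() {
    [ "$1" = "*" ]
}

# Tolerant check: "*" or anything starting with "!" can never match a hash.
tolerant_is_unusable() {
    case "$1" in
        '*'|'!'*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The workaround the message describes: rewrite root's "!*" back to "*".
normalise_root() {
    sed 's/^root:!\*:/root:*:/'
}

# Show how each check classifies each constructed account.
for u in root daemon live; do
    f=$(sample_shadow | shadow_field "$u")
    if naive_is_unusable "$f"; then n=unusable; else n=valid; fi
    if tolerant_is_unusable "$f"; then t=unusable; else t=valid; fi
    printf '%-7s field=%-8.8s naive=%s tolerant=%s\n' "$u" "$f" "$n" "$t"
done
```

For root, the naive check reports the "!*" field as a valid password, which is the case that leaves the locked entry unchanged; after normalise_root both checks agree.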
