On 10/17/2023 12:28 PM, Denys Dmytriyenko wrote:
On Tue, Oct 17, 2023 at 02:52:43PM +0530, Chirag Shilwant wrote:

On 17/10/23 02:48, Andrew Davis via lists.yoctoproject.org wrote:
I'm sure I don't have to explain why this was a bad idea..

Still, it will be good to have a commit message explaining it :)

It is a very obvious major security weakness and is definitely a very bad
idea for an end product!

But, there was never a clear definition of what meta-arago is - is it an
end product distribution or simply a test environment for the BSP/SDK.

This was added over 10 years ago as part of AM-SDK for ease of testing.
Even though the commit does not explain it [1], we had a discussion and
the security implications of sending telnet passwords in clear text were
questioned.

The counter-argument here is that we build "debug" images w/o root password
anyway by default, so allowing password-less root logins over telnet is
rather a moot point, as we already allow the same for ssh.

Maybe instead of completely removing this, it should be conditional and
only enabled when "debug-tweaks" is enabled in EXTRA_IMAGE_FEATURES,
similar to allowing ssh root logins w/o a password.

[1] https://git.yoctoproject.org/meta-arago/commit/?id=98b6209a3010e32da963a0f6f53fceebbc37f8f9


Well, we have to keep this for now. We will work to disable the telnet requirement in our testing flow and move to ssh. At that point we can revisit this patch.


Signed-off-by: Andrew Davis <[email protected]>
---
  .../shadow/shadow-securetty_%.bbappend            | 15 ---------------
  1 file changed, 15 deletions(-)
  delete mode 100644 
meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend

diff --git 
a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend 
b/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
deleted file mode 100644
index 62999d2a..00000000
--- a/meta-arago-distro/recipes-extended/shadow/shadow-securetty_%.bbappend
+++ /dev/null
@@ -1,15 +0,0 @@
-PR:append = ".arago0"
-
-do_install:append () {
-    # Allow telnet sessions to login as root
-    securetty_file=${D}${sysconfdir}/securetty
-
-    echo '' >> $securetty_file
-    echo '# Allow 5 telnet login' >> $securetty_file
-    echo 'pts/0' >> $securetty_file
-    echo 'pts/1' >> $securetty_file
-    echo 'pts/2' >> $securetty_file
-    echo 'pts/3' >> $securetty_file
-    echo 'pts/4' >> $securetty_file
-
-}
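
Review bot: The commit message for this deletion is only a Signed-off-by line, so nothing records why the pts/0 through pts/4 entries, appended to securetty under the comment "Allow telnet sessions to login as root", are being dropped, or that the allowance for root login from telnet sessions goes away with them. Please add a body stating both, so anyone whose workflow relies on root telnet login can trace the behaviour change to this commit.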

--
Ryan Eatmon                [email protected]
-----------------------------------------
Texas Instruments, Inc.  -  LCPD  -  MGTS
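
As an added example (not part of the thread or of meta-arago): a shell check that lists the pts/N entries in an image's /etc/securetty, the entries the deleted bbappend appended to allow root login from telnet sessions. The function names and the sample rootfs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a built root filesystem for pseudo-terminal (pts/N)
# entries in etc/securetty, the file listing terminals root may log in on.

# Usage: securetty_pts_entries <rootfs-dir>
# Prints each pts/N entry, one per line.
# Returns 0 if none are listed, 1 if any are, 2 if the file is absent.
securetty_pts_entries() {
    file="$1/etc/securetty"
    [ -f "$file" ] || return 2
    # Strip comments and surrounding whitespace, keep only pts/<number> lines.
    found=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
        | grep -E '^pts/[0-9]+$' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: a securetty shaped like the one the bbappend produced
# (console and ttyS0 are hypothetical pre-existing entries).
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc"
    {
        echo 'console'
        echo 'ttyS0'
        echo ''
        echo '# Allow 5 telnet login'
        for n in 0 1 2 3 4; do echo "pts/$n"; done
    } > "$dir/etc/securetty"
    echo "$dir"
}

# Demo run against the constructed sample.
rootfs=$(make_sample_rootfs)
securetty_pts_entries "$rootfs" && status=0 || status=$?
echo "exit status: $status"
rm -rf "$rootfs"
```

Pointed at an image's rootfs directory in a build pipeline, a non-zero status of 1 flags that root login is still permitted on pseudo-terminals.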

