Don't include root password in /usr/lib/credstore 2289/head
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Tue, 16 Jan 2024 12:04:58 +0000 (13:04 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Tue, 16 Jan 2024 12:25:10 +0000 (13:25 +0100)
mkosi/__init__.py

index 63038d5559085ad96547c2a81c97bc2b8f462129..f00bc8e303eec90dd58ff602c8f4a55d660d7d9c 100644 (file)
@@ -2347,7 +2347,6 @@ def run_firstboot(context: Context) -> None:
 
     password, hashed = context.config.root_password or (None, False)
     pwopt = "--root-password-hashed" if hashed else "--root-password"
-    pwcred = "passwd.hashed-password.root" if hashed else "passwd.plaintext-password.root"
 
     settings = (
         ("--locale",          "firstboot.locale",          context.config.locale),
@@ -2355,7 +2354,7 @@ def run_firstboot(context: Context) -> None:
         ("--keymap",          "firstboot.keymap",          context.config.keymap),
         ("--timezone",        "firstboot.timezone",        context.config.timezone),
         ("--hostname",        None,                        context.config.hostname),
-        (pwopt,               pwcred,                      password),
+        (pwopt,               None,                        password),
         ("--root-shell",      "passwd.shell.root",         context.config.root_shell),
     )
 
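Review bot: The `None` in the password row of `settings` carries no comment saying why this entry must never get a credential name, and the last hunk also drops the `"password" in cred` mode check, so this table is now the only thing keeping a secret out of the `0o644` files under `usr/lib/credstore`. I would add above the row `# No credential for the root password: files in usr/lib/credstore are written world-readable.` so a later edit does not reintroduce `pwcred`. Separately, the password value is still paired with `pwopt`; if the loop outside this hunk places it on the `systemd-firstboot` command line, a plaintext password would be visible in the process list while the build runs, and `--root-password-file` would avoid that, which is worth confirming. The body of `run_firstboot` starts and continues outside this hunk.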
@@ -2386,7 +2385,7 @@ def run_firstboot(context: Context) -> None:
                 (context.root / "usr/lib/credstore").mkdir(exist_ok=True)
 
             for cred, value in creds:
-                with umask(~0o600 if "password" in cred else ~0o644):
+                with umask(~0o644):
                     (context.root / "usr/lib/credstore" / cred).write_text(value)