From: Daan De Meyer
Date: Tue, 16 Jan 2024 12:04:58 +0000 (+0100)
Subject: Don't include root password in /usr/lib/credstore
X-Git-Tag: v20.2~16^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2289%2Fhead;p=thirdparty%2Fmkosi.git
Don't include root password in /usr/lib/credstore
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 63038d555..f00bc8e30 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2347,7 +2347,6 @@ def run_firstboot(context: Context) -> None:
 password, hashed = context.config.root_password or (None, False)
 pwopt = "--root-password-hashed" if hashed else "--root-password"
- pwcred = "passwd.hashed-password.root" if hashed else "passwd.plaintext-password.root"
 settings = (
 ("--locale", "firstboot.locale", context.config.locale),
@@ -2355,7 +2354,7 @@ def run_firstboot(context: Context) -> None:
 ("--keymap", "firstboot.keymap", context.config.keymap),
 ("--timezone", "firstboot.timezone", context.config.timezone),
 ("--hostname", None, context.config.hostname),
- (pwopt, pwcred, password),
+ (pwopt, None, password),
 ("--root-shell", "passwd.shell.root", context.config.root_shell),
 )
@@ -2386,7 +2385,7 @@ def run_firstboot(context: Context) -> None:
 (context.root / "usr/lib/credstore").mkdir(exist_ok=True)
 for cred, value in creds:
- with umask(~0o600 if "password" in cred else ~0o644):
+ with umask(~0o644):
 (context.root / "usr/lib/credstore" / cred).write_text(value)
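Review bot: In the `(pwopt, None, password)` row the command-line option is now the only route by which the root password reaches the image, and in the non-hashed case that presumably places the plaintext in the argument list of the firstboot invocation. The code that consumes `settings` is outside this hunk, so this is inferred from the option names rather than seen. Process arguments are readable by other local users on the build host while the tool runs. systemd-firstboot also accepts `--root-password-file=`, which would keep the plaintext off argv. Alternatively the plaintext could be hashed before it is passed, so that only `--root-password-hashed` is ever used.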
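Review bot: With the conditional removed, every file this loop creates gets mode 0644, so nothing at the write site protects a secret value. Keeping secrets out of usr/lib/credstore now depends entirely on the `settings` tuple passing `None` as the credential name. A comment above the `with` would record that for the next maintainer, for example `# Files written here are world-readable (0644); never add secret values to creds.` The loop sits in a block that starts outside this hunk, so how `creds` is assembled is not visible here. Images built before this change may still contain `passwd.plaintext-password.root` or `passwd.hashed-password.root` in the credstore and are worth checking.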