From 1e054b4f3d75552b23299d20079f5f6ee3b7853a Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Tue, 16 Jan 2024 13:04:58 +0100
Subject: [PATCH] Don't include root password in /usr/lib/credstore
---
mkosi/__init__.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 63038d555..f00bc8e30 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2347,7 +2347,6 @@ def run_firstboot(context: Context) -> None:
password, hashed = context.config.root_password or (None, False)
pwopt = "--root-password-hashed" if hashed else "--root-password"
- pwcred = "passwd.hashed-password.root" if hashed else "passwd.plaintext-password.root"
settings = (
("--locale", "firstboot.locale", context.config.locale),
@@ -2355,7 +2354,7 @@ def run_firstboot(context: Context) -> None:
("--keymap", "firstboot.keymap", context.config.keymap),
("--timezone", "firstboot.timezone", context.config.timezone),
("--hostname", None, context.config.hostname),
- (pwopt, pwcred, password),
+ (pwopt, None, password),
("--root-shell", "passwd.shell.root", context.config.root_shell),
)
@@ -2386,7 +2385,7 @@ def run_firstboot(context: Context) -> None:
(context.root / "usr/lib/credstore").mkdir(exist_ok=True)
for cred, value in creds:
- with umask(~0o600 if "password" in cred else ~0o644):
+ with umask(~0o644):
(context.root / "usr/lib/credstore" / cred).write_text(value)
--
2.47.2
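Review bot: In the second hunk, `(pwopt, None, password)` drops the credential name without saying why, so a later cleanup could restore it; a comment on that tuple such as `# The root password is deliberately never written to /usr/lib/credstore` would record the intent. The tuple still carries the password as the value for `--root-password` / `--root-password-hashed`. If the code that consumes `settings` (outside this hunk) places option values on the systemd-firstboot command line, a plaintext password is visible in the build host's process list while the tool runs, and `--root-password-file` would avoid that. run_firstboot starts and ends outside the hunk.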
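Review bot: In the third hunk, `with umask(~0o644):` writes every entry of `creds` world-readable, and the name-based guard that kept password files at 0600 is gone, so a secret-bearing credential added to `settings` later would land in the image at 0644 with nothing to stop it. A comment above the loop, e.g. `# Everything written here is world-readable (0644); never route secrets through creds`, would keep that invariant visible. Separately, nothing in the visible lines removes a `passwd.hashed-password.root` or `passwd.plaintext-password.root` file left in `usr/lib/credstore` by an earlier build. If `context.root` can be reused across builds (not shown in this hunk), that file would survive this change and should be unlinked explicitly.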