From 1b67c11396b98889184f337fc9229c715e04b9e3 Mon Sep 17 00:00:00 2001
From: Oliver Smith
Date: Mon, 8 Feb 2021 22:46:37 +0100
Subject: [PATCH] install --ondev: run setup_login for installer OS (MR 2026)
Run setup_login() while creating the installer OS too, in order to disable passwordless root login. Note that this may sound like a security flaw, but it isn't.
* setup_login already ran for the target OS, meaning after the installation is done, one is not be able to login as root without password
* root login without password was only possible via serial console (or by attaching a keyboard), not via SSH
* getting root rights via serial in the installer OS is actually desired for debugging, we add a debug user with sudo set up by default: https://wiki.postmarketos.org/wiki/On-device_installer#Debug_user
So even though this isn't a problem, disable it to avoid confusion.
---
 pmb/install/_install.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pmb/install/_install.py b/pmb/install/_install.py
index d38200b1..c222e7f6 100644
--- a/pmb/install/_install.py
+++ b/pmb/install/_install.py
@@ -202,12 +202,14 @@ def set_user(args):
 pmb.chroot.root(args, ["addgroup", args.user, group], suffix)
-def setup_login(args):
+def setup_login(args, suffix):
 """
 Loop until the password for user has been set successfully, and disable root login.
+
+ :param suffix: of the chroot, where passwd will be execute (either the
+ f"rootfs_{args.device}", or f"installer_{args.device}")
 """
- suffix = "rootfs_" + args.device
 if not args.on_device_installer:
 # User password
 logging.info(" *** SET LOGIN PASSWORD FOR: '" + args.user + "' ***")
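Review bot: The new `:param suffix:` text in setup_login's docstring has a typo ("will be execute") and leaves out the one thing a caller now needs to know: `suffix` only selects the chroot, while the user-password prompt is still gated by `if not args.on_device_installer:` directly below the docstring. Since the function is now run against two different images, I would reword it to `:param suffix: chroot in which passwd is executed, either f"rootfs_{args.device}" or f"installer_{args.device}"` and add a sentence that the user password is only set when `args.on_device_installer` is false. A matching `:param args:` line would keep the docstring consistent. The body of setup_login continues past the end of the hunk, so the command that disables root login is not visible here.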
@@ -646,6 +648,9 @@ def install_on_device_installer(args, step, steps):
 logging.info(f"(native) rm {img_boot}")
 pmb.chroot.root(args, ["rm", f"/home/pmos/rootfs/{img_boot}"])
+ # Disable root login
+ setup_login(args, suffix_installer)
+
 # Generate installer image
 size_reserve = round(os.path.getsize(img_path_dest) / 1024 / 1024) + 200
 boot_label = "pmOS_inst_boot"
@@ -703,7 +708,7 @@ def create_device_rootfs(args, step, steps):
 pmb.chroot.initfs.build(args, flavor, suffix)
 # Set the user password
- setup_login(args)
+ setup_login(args, suffix)
 # Set the keymap if the device requires it
 setup_keymap(args)
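Review bot: The new `setup_login(args, suffix_installer)` call only disables root login as long as `args.on_device_installer` is true, because setup_login still skips its user-password prompt on that flag rather than on the suffix it is given. Nothing in the visible lines of install_on_device_installer shows the flag being checked, so the `# Disable root login` comment states the intent but not the precondition. I would spell it out, e.g. `# Disable root login in the installer OS too; no user password is set here because args.on_device_installer is true`. A follow-up check that root login is actually disabled in the generated installer image would also be worthwhile, since the image is built right after this call. install_on_device_installer starts and ends outside the hunk.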