Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

user: Unlock by default with no password, busybox #70897

Open
wants to merge 3 commits into
base: devel
Choose a base branch
from

Conversation

relrod
Copy link
Member

@relrod relrod commented Jul 26, 2020

SUMMARY

Change:

  • On busybox systems such as Alpine, user accounts which are created
    with no password are locked by default until their password is
    changed. For consistency with other platforms, if not given a
    password, manually unlock the account so that it is accessible by key
    access.

Test Plan:

  • Local Alpine VM

Tickets:

Signed-off-by: Rick Elrod rick@elrod.me

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

user module

Change:
- On busybox systems such as Alpine, user accounts which are created
  with no password are locked by default until their password is
  changed. For consistency with other platforms, if not given a
  password, manually unlock the account so that it is accessible by key
  access.

Test Plan:
- Local Alpine VM

Tickets:
- Fixes ansible#68676

Signed-off-by: Rick Elrod <rick@elrod.me>
@relrod relrod requested review from bcoca and samdoran July 26, 2020 04:44
@ansibot ansibot added affects_2.11 bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category labels Jul 26, 2020
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
Signed-off-by: Rick Elrod <rick@elrod.me>
@relrod relrod requested a review from samdoran July 27, 2020 23:37
@samdoran samdoran removed the needs_triage Needs a first human triage before being processed. label Jul 28, 2020
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Aug 5, 2020
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. pre_azp This PR was last tested before migration to Azure Pipelines. and removed core_review In order to be merged, this PR must follow the core review workflow. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Dec 3, 2020
@mattclay
Copy link
Member

mattclay commented Dec 3, 2020

/azp run

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. pre_azp This PR was last tested before migration to Azure Pipelines. core_review In order to be merged, this PR must follow the core review workflow. labels Dec 3, 2020
@ansibot ansibot added the core_review In order to be merged, this PR must follow the core review workflow. label Dec 8, 2020
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 16, 2020
@ansibot ansibot removed the support:community This issue/PR relates to code supported by the Ansible community. label Mar 6, 2021
@s-hertel s-hertel added the P3 Priority 3 - Approved, No Time Limitation label Aug 17, 2022
else:
out_lines.append(line)
with open(self.SHADOWFILE, 'w') as f:
f.writelines(out_lines)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should use atomic_writes (but given how containers normally mount the file, it should note that for them users might need a toggle to allow 'unsafe=true'

@ansibot ansibot added needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Nov 21, 2022
@webknjaz
Copy link
Member

/azp run

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@ansibot ansibot removed needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Nov 23, 2022
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 1, 2022
@zorun
Copy link
Contributor

zorun commented Feb 26, 2023

I have been annoyed by this issue for a long time, so I would love to see this in.

However, I believe reading and writing back /etc/shadow is too risky. You can actually get the same result with passwd -d <username> (it "deletes" the password, and that unlocks the account in the process). That requires the shadow package.

@webknjaz
Copy link
Member

webknjaz commented Jan 8, 2024

/azp run

Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@webknjaz
Copy link
Member

webknjaz commented Jan 8, 2024

This needs a rebase.

@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label Jan 8, 2024
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed ci_verified Changes made in this PR are causing tests to fail. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Jan 8, 2024
@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label Jan 8, 2024
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jan 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
affects_2.11 bug This issue/PR relates to a bug. ci_verified Changes made in this PR are causing tests to fail. core_review In order to be merged, this PR must follow the core review workflow. has_issue module This issue/PR relates to a module. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. P3 Priority 3 - Approved, No Time Limitation stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Ansible creates locked user on Alpine
9 participants