Patchwork dropbear: don't use IMAGE_FEATURES

Submitter Martin Jansa
Date Jan. 7, 2013, 11:15 a.m.
Message ID <1357557340-28756-1-git-send-email-Martin.Jansa@gmail.com>
Permalink /patch/42173/
State Not Applicable, archived

Comments

Martin Jansa - Jan. 7, 2013, 11:15 a.m.
* IMAGE_FEATURES are image specific, but dropbear recipe isn't
* if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
  IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
  to debug as expected, but if you add debug-tweaks only in
  your-own-debug-image, then dropbear never sees debug-tweaks and
  your-own-debug-image won't allow empty password login.
* best way would be to patch dropbear to enable empty password by
  runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
  like openssh_allow_empty_password does, see
  http://permalink.gmane.org/gmane.network.ssh.dropbear/845

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
---
 meta/recipes-core/dropbear/dropbear.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Otavio Salvador - Jan. 7, 2013, 11:22 a.m.
On Mon, Jan 7, 2013 at 9:15 AM, Martin Jansa <martin.jansa@gmail.com> wrote:
> * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
>   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
>   to debug as expected, but if you add debug-tweaks only in
>   your-own-debug-image, then dropbear never sees debug-tweaks and
>   your-own-debug-image won't allow empty password login.
> * best way would be to patch dropbear to enable empty password by
>   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
>   like openssh_allow_empty_password does, see
>   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
>
> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

I just fail to see why to keep using DISTRO_TYPE in dropbear in this
case. You could just always include the patch.

Do you have any specific reason?

--
Otavio Salvador                             O.S. Systems
E-mail: otavio@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854              http://projetos.ossystems.com.br
Richard Purdie - Jan. 7, 2013, 11:36 a.m.
On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
>   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
>   to debug as expected, but if you add debug-tweaks only in
>   your-own-debug-image, then dropbear never sees debug-tweaks and
>   your-own-debug-image won't allow empty password login.
> * best way would be to patch dropbear to enable empty password by
>   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
>   like openssh_allow_empty_password does, see
>   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> 
> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> ---
>  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index aa313df..2c170c6 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
>  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
>  SECTION = "console/network"
>  
> -INC_PR = "r0"
> +INC_PR = "r1"
>  
>  # some files are from other projects and have others license terms:
>  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
>  EXTRA_OECONF += "\
>   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
>  
> -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
> +DISTRO_TYPE ?= "debug"
>  
>  do_install() {
>  	install -d ${D}${sysconfdir} \

How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
DISTRO_FEATURES? This would bring it more into line with the other
places we do things like this.

FWIW I agree this should ideally be runtime configured and we should
really add an enhancement request to the bugzilla for that (or patches
welcome).

Cheers,

Richard
Martin Jansa - Jan. 7, 2013, 12:04 p.m.
On Mon, Jan 07, 2013 at 11:36:13AM +0000, Richard Purdie wrote:
> On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> >   to debug as expected, but if you add debug-tweaks only in
> >   your-own-debug-image, then dropbear never sees debug-tweaks and
> >   your-own-debug-image won't allow empty password login.
> > * best way would be to patch dropbear to enable empty password by
> >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> >   like openssh_allow_empty_password does, see
> >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > 
> > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > ---
> >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> > index aa313df..2c170c6 100644
> > --- a/meta/recipes-core/dropbear/dropbear.inc
> > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
> >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> >  SECTION = "console/network"
> >  
> > -INC_PR = "r0"
> > +INC_PR = "r1"
> >  
> >  # some files are from other projects and have others license terms:
> >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
> >  EXTRA_OECONF += "\
> >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
> >  
> > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
> > +DISTRO_TYPE ?= "debug"
> >  
> >  do_install() {
> >  	install -d ${D}${sysconfdir} \
> 
> How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> DISTRO_FEATURES? This would bring it more into line with the other
> places we do things like this.

Fine with me, I don't use dropbear, but I've spent some time to debug
why dropbear sometimes doesn't work as expected and shared this change
just to make it more deterministic.

I'm fine with debug-tweaks DISTRO_FEATURES but afaik it's first use and
can be confusing with IMAGE_FEATURES with the same name, that's why I've
kept DISTRO_TYPE which was used at least in OE-classic days.

Cheers,

> FWIW I agree this should ideally be runtime configured and we should
> really add an enhancement request to the bugzilla for that (or patches
> welcome).
Paul Eggleton - Jan. 7, 2013, 8:11 p.m.
On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > 
> >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> >   to debug as expected, but if you add debug-tweaks only in
> >   your-own-debug-image, then dropbear never sees debug-tweaks and
> >   your-own-debug-image won't allow empty password login.
> > 
> > * best way would be to patch dropbear to enable empty password by
> > 
> >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> >   like openssh_allow_empty_password does, see
> >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > 
> > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > ---
> > 
> >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > --- a/meta/recipes-core/dropbear/dropbear.inc
> > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > implementation"> 
> >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> >  SECTION = "console/network"
> > 
> > -INC_PR = "r0"
> > +INC_PR = "r1"
> > 
> >  # some files are from other projects and have others license terms:
> >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > 
> > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> 
> >  EXTRA_OECONF += "\
> >  
> >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> >   '--disable-pam', d)}"> 
> > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > 
> >  do_install() {
> >  
> >  	install -d ${D}${sysconfdir} \
> 
> How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> DISTRO_FEATURES? This would bring it more into line with the other
> places we do things like this.
> 
> FWIW I agree this should ideally be runtime configured and we should
> really add an enhancement request to the bugzilla for that (or patches
> welcome).

There's already a request open:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578

I'd suggest leaving the current behaviour (poor as it may be) until that bug 
is fixed.

Cheers,
Paul
Martin Jansa - Jan. 7, 2013, 8:31 p.m.
On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote:
> On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > > 
> > >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> > >   to debug as expected, but if you add debug-tweaks only in
> > >   your-own-debug-image, then dropbear never sees debug-tweaks and
> > >   your-own-debug-image won't allow empty password login.
> > > 
> > > * best way would be to patch dropbear to enable empty password by
> > > 
> > >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> > >   like openssh_allow_empty_password does, see
> > >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > > 
> > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > > ---
> > > 
> > >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > > --- a/meta/recipes-core/dropbear/dropbear.inc
> > > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > > implementation"> 
> > >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> > >  SECTION = "console/network"
> > > 
> > > -INC_PR = "r0"
> > > +INC_PR = "r1"
> > > 
> > >  # some files are from other projects and have others license terms:
> > >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > > 
> > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> 
> > >  EXTRA_OECONF += "\
> > >  
> > >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> > >   '--disable-pam', d)}"> 
> > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > > 
> > >  do_install() {
> > >  
> > >  	install -d ${D}${sysconfdir} \
> > 
> > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> > DISTRO_FEATURES? This would bring it more into line with the other
> > places we do things like this.
> > 
> > FWIW I agree this should ideally be runtime configured and we should
> > really add an enhancement request to the bugzilla for that (or patches
> > welcome).
> 
> There's already a request open:
> 
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578
> 
> I'd suggest leaving the current behaviour (poor as it may be) until that bug 
> is fixed.

Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of
currently built image and even with OEBasicHash I don't know which
dropbear version will be used if I build 2 different images:
bitbake foo-image foo-debug-image

So changing it one way or another is IMHO improvement of current
situation until that bug is fixed properly.

Cheers,
Richard Purdie - Jan. 7, 2013, 8:46 p.m.
On Mon, 2013-01-07 at 21:31 +0100, Martin Jansa wrote:
> On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote:
> > On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> > > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > > > 
> > > >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> > > >   to debug as expected, but if you add debug-tweaks only in
> > > >   your-own-debug-image, then dropbear never sees debug-tweaks and
> > > >   your-own-debug-image won't allow empty password login.
> > > > 
> > > > * best way would be to patch dropbear to enable empty password by
> > > > 
> > > >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> > > >   like openssh_allow_empty_password does, see
> > > >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > > > 
> > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > > > ---
> > > > 
> > > >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > > > --- a/meta/recipes-core/dropbear/dropbear.inc
> > > > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > > > implementation"> 
> > > >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> > > >  SECTION = "console/network"
> > > > 
> > > > -INC_PR = "r0"
> > > > +INC_PR = "r1"
> > > > 
> > > >  # some files are from other projects and have others license terms:
> > > >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > > > 
> > > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> 
> > > >  EXTRA_OECONF += "\
> > > >  
> > > >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> > > >   '--disable-pam', d)}"> 
> > > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > > > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > > > 
> > > >  do_install() {
> > > >  
> > > >  	install -d ${D}${sysconfdir} \
> > > 
> > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> > > DISTRO_FEATURES? This would bring it more into line with the other
> > > places we do things like this.
> > > 
> > > FWIW I agree this should ideally be runtime configured and we should
> > > really add an enhancement request to the bugzilla for that (or patches
> > > welcome).
> > 
> > There's already a request open:
> > 
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578
> > 
> > I'd suggest leaving the current behaviour (poor as it may be) until that bug 
> > is fixed.
> 
> Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of
> currently built image and even with OEBasicHash I don't know which
> dropbear version will be used if I build 2 different images:
> bitbake foo-image foo-debug-image
> 
> So changing it one way or another is IMHO improvement of current
> situation until that bug is fixed properly.

Having looked into it more, the current situation is a complete mess and
for something security sensitive like this, it *needs* to behave better.
I just raised the priority of the task (medium+).

Cheers,

Richard

Patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index aa313df..2c170c6 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -2,7 +2,7 @@  DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
 HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
 SECTION = "console/network"
 
-INC_PR = "r0"
+INC_PR = "r1"
 
 # some files are from other projects and have others license terms:
 #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
@@ -40,7 +40,7 @@  EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 EXTRA_OECONF += "\
  ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
 
-DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
+DISTRO_TYPE ?= "debug"
 
 do_install() {
 	install -d ${D}${sysconfdir} \
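
Review bot: the new default `DISTRO_TYPE ?= "debug"` in the second hunk applies to every build that does not set DISTRO_TYPE elsewhere, and per the commit message the debug setting is what permits empty-password login, so the recipe now fails open instead of following debug-tweaks. Consider keeping a non-debug default and requiring an explicit opt-in (for example the "debug-tweaks" check in DISTRO_FEATURES suggested in the thread), and say in the commit message that distros shipping production images have to set DISTRO_TYPE themselves.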