diff mbox series

[2/9] ref-manual: add a note about hard-coded passwords

Message ID 52c5571a8664a7547caed420ea83d77ab5d21d0f.1650591341.git.paul.eggleton@linux.microsoft.com
State New
Headers show
Series [1/9] migration-3.4: add missing entry on EXTRA_USERS_PARAMS | expand

Commit Message

Paul Eggleton April 22, 2022, 1:40 a.m. UTC 
From: Paul Eggleton <paul.eggleton@microsoft.com>

It seems prudent to point out that hard-coding passwords in the manner
detailed in the example is not a good idea in production. This type of
mistake has unfortunately been made by many device vendors (outside of
the Yocto Project context) leading to security vulnerabilities.

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
 documentation/ref-manual/classes.rst | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Peter Kjellerstedt April 22, 2022, 9:35 a.m. UTC | #1 
> -----Original Message-----
> From: docs@lists.yoctoproject.org <docs@lists.yoctoproject.org> On Behalf
> Of Paul Eggleton
> Sent: den 22 april 2022 03:41
> To: docs@lists.yoctoproject.org
> Subject: [docs] [PATCH 2/9] ref-manual: add a note about hard-coded
> passwords
> 
> From: Paul Eggleton <paul.eggleton@microsoft.com>
> 
> It seems prudent to point out that hard-coding passwords in the manner
> detailed in the example is not a good idea in production. This type of
> mistake has unfortunately been made by many device vendors (outside of
> the Yocto Project context) leading to security vulnerabilities.
> 
> Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
> ---
>  documentation/ref-manual/classes.rst | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
> index 6ba792d..13cc2bb 100644
> --- a/documentation/ref-manual/classes.rst
> +++ b/documentation/ref-manual/classes.rst
> @@ -576,6 +576,13 @@ Finally, here is an example that sets the root password::
>         usermod -p '${PASSWD}' root; \
>         "
> 
> +.. note::
> +
> +   From a security perspective, hardcoding a default password is not
> +   generally a good idea. It is recommended that you do not do this if you are

I would suggest adding "or even legal in some jurisdictions" after "good idea".

> +   building a production image.
> +
> +
>  .. _ref-classes-features_check:
> 
>  ``features_check.bbclass``
> --
> 1.8.3.1

//Peter
diff mbox series

Patch

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index 6ba792d..13cc2bb 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -576,6 +576,13 @@  Finally, here is an example that sets the root password::
        usermod -p '${PASSWD}' root; \
        "
 
+.. note::
+
+   From a security perspective, hardcoding a default password is not
+   generally a good idea. It is recommended that you do not do this if you are
+   building a production image.
+
+
 .. _ref-classes-features_check:
 
 ``features_check.bbclass``