subgraph / citadel

Subgraph Citadel image builder

Lockscreen password cannot be changed #1

Open brl opened 6 years ago

brl commented 6 years ago

As the root filesystem in Citadel is read-only, the password file also cannot be changed. If the password file was made mutable with a bind mount or by symlinking into /storage, then it could be used for persistent code execution in Citadel by altering the shell field.

Ideally, it should also be possible to change this password from inside running application images and to keep the application image user password synchronized with the lockscreen password.

The solution I'm proposing is to use pam_userdb for authentication of only the user account both in Citadel and inside the application image and to RW bind-mount the database inside the application container.
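
The risk described in the issue, as an added example that is not part of the original post or the Citadel code: a check that compares a mutable copy of the password file against the read-only image's copy and reports every change outside the password field, such as an altered shell. It assumes the seven-field passwd(5) layout; the function names, sample entries and the `/storage/placeholder-binary` path are constructed for illustration.

```python
# Added example: field names follow passwd(5); all sample data is constructed.
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return {username: {field: value}} for well-formed passwd(5) lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries


def non_password_changes(baseline_text, current_text):
    """List every difference that is not a change to the password field."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        if name not in cur:
            findings.append((name, "account", "present", "removed"))
        elif name not in base:
            findings.append((name, "account", "absent", "added"))
        else:
            for field in FIELDS[2:]:  # skip name and password
                if base[name][field] != cur[name][field]:
                    findings.append((name, field, base[name][field], cur[name][field]))
    return findings


# Constructed sample data: the read-only image's file and two mutable copies.
BASELINE = """root:x:0:0:root:/root:/bin/bash
user:$6$salt$oldhash:1000:1000:User:/home/user:/bin/bash
"""
PASSWORD_ONLY = BASELINE.replace("oldhash", "newhash")
SHELL_ALTERED = PASSWORD_ONLY.replace(
    "/home/user:/bin/bash", "/home/user:/storage/placeholder-binary")

if __name__ == "__main__":
    for label, text in (("password only", PASSWORD_ONLY),
                        ("shell altered", SHELL_ALTERED)):
        print(label, non_password_changes(BASELINE, text))
```

A store that holds only the user name and password, as the pam_userdb proposal does, has no shell, UID or home field for such a change to land in.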