sudomesh / sudowrt-firmware

Scripts to build the sudo mesh OpenWRT firmware.

24hr password reset still occurs if password updated manually #142

Closed eenblam closed 6 years ago

eenblam commented 6 years ago

Excerpt from meeting

gobengo commented 6 years ago

crontab: https://github.com/sudomesh/sudowrt-firmware/blob/master/files/etc/crontabs/root

This is what cron runs: https://github.com/sudomesh/sudowrt-firmware/blob/master/files/opt/mesh/pw_reset

@Juul noted that the crontab is set to run at midnight. We don't think it's actually waiting 24hrs...

gobengo commented 6 years ago

I suggested it would be a good design goal to have these scripts that run via cron not rm files when they run. Instead, they could create a file that's like '/opt/sudomesh/thing-did-run'. And then the script that runs on cron gets surrounded by a big if ! [ -f /opt/sudomesh/thing-did-run ] (if the file doesn't exist, go do some work and then create the file). Subsequent runs would not go down the if statement path. But nothing would be getting deleted, so debugging later wouldn't be so hard (no one would destroy evidence).

Juul commented 6 years ago

Here's a proposed fix in the form of an edit to /opt/mesh/pw_reset:

#!/bin/sh

# Single quotes keep the shell from expanding $1, $0 and $amoqWHXrWF inside the hash
DEFAULT_ROOT_PWHASH='$1$0gxKX05m$amoqWHXrWF/IwR/ZxGWs.0'
COUNTER_FILE=/opt/mesh/pw_counter

if [ ! -f "$COUNTER_FILE" ]; then
  echo "0" > "$COUNTER_FILE"
fi

COUNTER=$(cat "$COUNTER_FILE")

# This script is run every hour and increments a counter file
# until it reaches 24.

# Don't run this script if it's been less than 24 hours
if [ "$COUNTER" -ne "24" ]; then
  echo $(($COUNTER + 1)) > "$COUNTER_FILE"
  exit
fi

# -F matches the hash as a fixed string, not a regular expression;
# cron does not run this from /etc, so use the absolute path to shadow
if grep -qF "$DEFAULT_ROOT_PWHASH" /etc/shadow; then
    # if the `passwd -d` command doesn't work
    # sed -i.old 's/^root:.*/root:*:16031:0:99999:7:::/' /etc/shadow
    passwd -d root
    echo "password deleted, to set new password run, 'passwd username'" > /root/pw_reset_succeeded
else
    echo "password was manually changed. doing nothing"
fi

# remove this cronjob
sed -i '/pw_reset/d' /etc/crontabs/root

Every time the router is on when the hour changes (e.g. exactly 6:00 pm, exactly 7:00 pm) a counter is increased in the file /opt/mesh/pw_counter and when it reaches 24 it will remove the root password but only if the root password hasn't been changed by the user.

Question: In case the password isn't changed, and no ssh keys have been added to authorized_keys, after 24 hours should we install an ssh key so we can remotely reset the password for people?

Warning that I haven't actually tested the above on a sudowrt router yet.

Juul commented 6 years ago

Oh and for the above script change to work you will have to change /etc/crontabs/root to:

*/1 * * * * /opt/mesh/retrieve_ip
0 * * * * /opt/mesh/pw_reset

bennlich commented 6 years ago

@Juul I like the password reset script change. :+1:

@gobengo I like the idea of not destroying evidence. Wondering if we can do it with fewer moving parts and unexpected behaviors (e.g. when deleting the "this_thing_happened" file, which could easily look like cruft, and accidentally enabling some sleeping tasks). What about leaving a commented version of the cron job in place, with an additional line of explanation. Like:

*/1 * * * * /opt/mesh/retrieve_ip
# pw_reset job below was canceled because root password was configured manually. good job node admin.
# 0 * * * * /opt/mesh/pw_reset

paidforby commented 6 years ago

I think I've addressed the issue with a lightly modified version of the script suggested by @Juul . Tested on a virtual machine, and currently testing on an actual node (with an actual build of the firmware!). passwd -d appears to work and is a much better way of resetting passwords, good thinking! This password reset thing was a bit of an after-thought amongst all the autoconfiguration craziness. Thanks for the input everybody!
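
Added example, not part of the thread and not the project's pw_reset: a dry-run version of the hourly counter discussed above that leaves a marker file instead of deleting anything, as gobengo and bennlich suggested, and prints its decision where the real script would call `passwd -d root`. The function name `pw_reset_tick`, the state-directory layout, the `pw_reset_done` marker and the hash value are all hypothetical or constructed.

```sh
#!/bin/sh
# Added example. Hypothetical names: pw_reset_tick, pw_reset_done.
# Constructed hash; single quotes stop the shell expanding $1, $E... inside it.
DEFAULT_HASH='$1$EXAMPLE0$constructedconstructed00.'
LIMIT=24

# pw_reset_tick STATE_DIR SHADOW_FILE
# Prints one of: wait:N | reset | skip-changed | already-done
pw_reset_tick() {
  state_dir=$1
  shadow=$2
  counter_file=$state_dir/pw_counter
  marker=$state_dir/pw_reset_done

  # A marker replaces the crontab edit: later runs are no-ops, nothing is deleted.
  if [ -f "$marker" ]; then
    echo already-done
    return 0
  fi

  count=$(cat "$counter_file" 2>/dev/null || echo 0)
  # A missing or corrupt counter restarts the wait; it can never shorten it.
  case $count in
    ''|*[!0-9]*) count=0 ;;
  esac

  if [ "$count" -lt "$LIMIT" ]; then
    count=$((count + 1))
    echo "$count" > "$counter_file"
    echo "wait:$count"
    return 0
  fi

  # Look only at root's line and match the hash as a fixed string (-F),
  # since '$' and '.' in a crypt hash are regex metacharacters.
  if grep '^root:' "$shadow" | grep -qF ":$DEFAULT_HASH:"; then
    decision=reset          # the real script would run: passwd -d root
  else
    decision=skip-changed   # password was set manually, leave it alone
  fi
  # Record what was decided and when, as evidence for later debugging.
  echo "$decision $(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$marker"
  echo "$decision"
}
```

Because the counter and marker stay on disk, `cat pw_counter pw_reset_done` in the state directory shows how many hourly ticks were seen and which branch was taken.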

bennlich commented 6 years ago

❤️❤️❤️ cool that it works with the admin password now too