Security Working Group meeting - Wednesday August 4 - all distro owners please review
Joseph Reynolds
jrey at linux.ibm.com
Thu Aug 5 04:43:14 AEST 2021
On 8/3/21 10:28 PM, Patrick Williams wrote:
> On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote:
>> 2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
>> keeping the same cleartext password)
>> https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214
> The big hangup on this one right now is that there are tons of overrides of
> EXTRA_USERS_PARAMS in a bunch of `local.conf.sample` files. Does anyone know
> why these are there rather than relying on the ones we get for free from the
> meta-phosphor layer? Does anyone have a problem if they are removed?
>
> ```
> $ find -name local.conf.sample | xargs grep usermod -B1
> ./meta-evb/meta-evb-aspeed/meta-evb-ast2500/conf/local.conf.sample-EXTRA_USERS_PARAMS = " \
> ./meta-evb/meta-evb-aspeed/meta-evb-ast2500/conf/local.conf.sample: usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
> --
...snip...
> --
> ./meta-asrock/meta-e3c246d4i/conf/local.conf.sample-EXTRA_USERS_PARAMS = " \
> ./meta-asrock/meta-e3c246d4i/conf/local.conf.sample: usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
> ```
>
> My feeling is that the majority of them can be removed and were probably just
> copy/paste jobs from somewhere else. The only ones that we may need to
> reconsider are the ones in meta-evb because I'm not 100% convinced that those
> machines always use meta-phosphor.
>
> I haven't had time to yet, but I would suggest just making a commit to delete
> all of these and see who is outraged by it.
Although I don't see my role as to cause outrage, I created the commit here:
Please review https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45614
- Joseph
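
Added example (not part of the original message and not OpenBMC project code): a small audit that walks a tree for `local.conf.sample` files and reports which crypt(3) scheme each `usermod -p` override in `EXTRA_USERS_PARAMS` uses, so leftover `$1$` (MD5) overrides stand out from `$6$` (SHA-512) ones. The layer names and hash strings in the sample tree are constructed placeholders, and the helper names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# crypt(3) scheme identifiers: the token between the first two '$' signs.
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
# Matches: usermod -p '<hash>' <user>;  as written inside EXTRA_USERS_PARAMS
USERMOD = re.compile(r"usermod\s+-p\s+'([^']*)'\s+([^\s;]+)")

# Constructed sample layers; the hash strings are placeholders, not real hashes.
SAMPLES = {
    "meta-a/conf/local.conf.sample": r'''EXTRA_USERS_PARAMS = " \
  usermod -p '\$1\$SALTSALT\$PLACEHOLDERHASH' root; \
  "
''',
    "meta-b/conf/local.conf.sample": r'''EXTRA_USERS_PARAMS = " \
  usermod -p '\$6\$SALTSALT\$PLACEHOLDERHASH' root; \
  "
''',
    # No override: this layer inherits whatever the common layer sets.
    "meta-c/conf/local.conf.sample": 'MACHINE ??= "example"\n',
}

def scheme_of(field):
    """Name the hash scheme of a crypt(3) password field from a conf file."""
    field = field.replace("\\$", "$")  # conf files escape '$' as '\$'
    m = re.match(r"\$([^$]+)\$", field)
    if not m:
        return "unknown"  # e.g. traditional DES crypt or a locked field
    return SCHEMES.get(m.group(1), "other($%s$)" % m.group(1))

def audit(root):
    """Return sorted (relative path, user, scheme) for each usermod -p override."""
    root = Path(root)
    found = []
    for conf in root.rglob("local.conf.sample"):
        for field, user in USERMOD.findall(conf.read_text()):
            found.append((conf.relative_to(root).as_posix(), user, scheme_of(field)))
    return sorted(found)

def build_sample_tree(root):
    """Write the constructed SAMPLES under root so the audit has input."""
    for rel, text in SAMPLES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, user, scheme in audit(tmp):
            print(f"{scheme:8} {user:6} {path}")
```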