OK, so deciding that the lord helps those who help themselves, I picked this problem up again last night and had another crack at it.
The shadow file is definitely not on the casper.squashfs root filesystem image when the filesystem is first mounted, and combing through the startup scripts on the filesystem yielded nothing, so I figured the answer had to be on the initramfs miniroot that init uses to bootstrap the system with before it mounts the root filesystem.
People who are unfamiliar with the boot process but who want to follow along can access the contents of the miniroot like so:
Code:
root@bt:~# mount -o loop /mnt/host-shared/bt4-final.iso /media/cdrom
root@bt:~# mkdir initrd && cd initrd
root@bt:~/initrd# gunzip -c /media/cdrom/boot/initrd.gz | cpio -id
38459 blocks
root@bt:~/initrd# ls
bin/ bootsplash conf/ etc/ init* initrd lib/ sbin/ scripts/ var/
root@bt:~/initrd# umount /media/cdrom
root@bt:~/initrd#

Note that this is just for the initramfs for the default boot off the ISO image - if you are interested in the boot sequence for forensics mode or for the 800x600 framebuffer mode, then use the appropriate initrd file.
Before I made my original post, I had previously given the image a quick (i.e. lazy) scan for likely-sounding keywords such as "shadow", "passwd", etc. and I hadn't had much luck.
This time around, I tried a different tack: I booted off the live image, noted down the shadow password entry, then searched for that instead and the answer just popped right out:
Code:
root@bt:~/initrd# find . -type f | xargs egrep -l U6aMy0wojraho
./scripts/casper-bottom/10adduser
root@bt:~/initrd#

Now that's looking much more promising.
Code:
root@bt:~/initrd# egrep -A 7 U6aMy0wojraho ./scripts/casper-bottom/10adduser
# U6aMy0wojraho is just a blank password
chroot /root debconf-communicate -fnoninteractive casper > /dev/null <<EOF
set passwd/root-password-crypted *
set passwd/user-password-crypted U6aMy0wojraho
set passwd/user-fullname $USERFULLNAME
set passwd/username $USERNAME
set passwd/user-uid 999
EOF
chroot /root /usr/lib/user-setup/user-setup-apply > /dev/null
root@bt:~/initrd#

OK, so that looks like the answer to my question - the script /scripts/casper-bottom/10adduser on the miniroot attempts to chroot to the root filesystem and set the root password using debconf, then it chroots again, this time so that it can run /usr/lib/user-setup/user-setup-apply, which (among other things) enables shadow passwords and sets the encrypted root password to 'U6aMy0wojraho'.
It's a pretty easy hack to try out a new password (I used 'test1' as the new password - note the first three characters of the new password hash), to roll it up into a new initrd.gz, to test it out with qemu, and finally to copy it overtop of the initrd.gz that I use on my custom USB live image and try it out.
Code:
root@bt:~/initrd# sed -i s/U6aMy0wojraho/BT4AauaAzyUyU/ scripts/casper-bottom/10adduser
root@bt:~/initrd# find . | cpio -o -H newc | gzip -c >../newinitrd.gz
38389 blocks
root@bt:~/initrd# mount /dev/sdc2 /mnt/usb
root@bt:~/initrd# mv /mnt/usb/boot/initrd.gz /mnt/usb/boot/initrd.gz.old
root@bt:~/initrd# cp ../newinitrd.gz /mnt/usb/boot/initrd.gz
root@bt:~/initrd# cd /mnt/usb
root@bt:/mnt/usb# find . -type f | xargs md5sum >md5sum.txt
root@bt:/mnt/usb# cd
root@bt:~# umount /mnt/usb
root@bt:~#

It all works great. It's a lot of effort to go to just for the sake of a safer root password (next thing to try - MD5 password hashes instead of the old-school UNIX DES password hashes) but, meh, learning is its own reward and I now know a hell of a lot more about Linux bootstrapping.
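An added example, not part of the original post: a shell audit that walks an unpacked initrd tree (such as ~/initrd above), finds debconf password-crypted preseed lines like the ones in 10adduser, and reports which hash scheme each value uses. The function names classify_hash and audit_initrd are hypothetical, and the classifier covers more formats than the DES values shown in the post.

```sh
#!/bin/sh
# Added example: report preseeded password hashes in an unpacked initramfs.
# classify_hash and audit_initrd are hypothetical helper names.

# Classify one crypt(3) value by its format.
classify_hash() {
    case "$1" in
        U6aMy0wojraho) echo "BLANK-PASSWORD" ;;  # 10adduser's own comment: a blank password
        '*'|'!'|'!!')  echo "LOCKED" ;;          # no password can match this field
        '$1$'*)        echo "MD5-CRYPT" ;;
        '$5$'*)        echo "SHA256-CRYPT" ;;
        '$6$'*)        echo "SHA512-CRYPT" ;;
        *)
            # Traditional DES crypt: 2 salt + 11 hash characters; only the
            # first 8 characters of the password are used.
            if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo "DES-CRYPT"
            else
                echo "UNKNOWN"
            fi ;;
    esac
}

# Print "file<TAB>debconf-key<TAB>class" for every preseeded hash under $1.
audit_initrd() {
    audit_root="$1"
    grep -rHE '^[[:space:]]*set[[:space:]]+passwd/[a-z-]+-password-crypted[[:space:]]' \
        "$audit_root" 2>/dev/null |
    while IFS=: read -r file rest; do
        set -f              # keep a literal '*' value from being glob-expanded
        set -- $rest        # $1=set  $2=debconf key  $3=crypted value
        set +f
        printf '%s\t%s\t%s\n' "${file#"$audit_root"/}" "$2" "$(classify_hash "$3")"
    done
}

# Usage: sh audit.sh ~/initrd
if [ -n "${1:-}" ]; then
    audit_initrd "$1"
fi
```

Any line reported as BLANK-PASSWORD or DES-CRYPT is a candidate for replacement before the image is rebuilt with cpio and gzip.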

