From 64a09d61aa08fd0e1f5526b81b88252843a2a6d4 Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Mon, 11 Sep 2023 16:56:40 +0200
Subject: [PATCH] feat: Change password by directly writing to `/etc/shadow`
The use of `passwd` is not possible in restricted environments. It produces `Authentication token manipulation error`. In one of our environments, session creation stopped after an OpenShift cluster update to version 4.11. Our suspect is the change of the Pod security admission. More information can be found in the release notes: https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html#ocp-4-11-auth-pod-security-admission
---
remote/Dockerfile | 4 ++--
remote/startup.sh | 8 +++-----
2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/remote/Dockerfile b/remote/Dockerfile
index 829451a1..35b00c0e 100644
--- a/remote/Dockerfile
+++ b/remote/Dockerfile
@@ -36,8 +36,8 @@ COPY supervisord.conf /etc/supervisord.conf
 # Allow any user to start the RDP server
 # Depending on the base image used, Xwrapper.config may (not) be available and has to be created.
 RUN sed -i 's/allowed_users=console/allowed_users=anybody/g' /etc/X11/Xwrapper.config \
- || echo "allowed_users=anybody" > /etc/X11/Xwrapper.config
-RUN id techuser || useradd -l -m -u 1001000000 techuser && echo "techuser:tmp_passwd" | chpasswd
+ || echo "allowed_users=anybody" > /etc/X11/Xwrapper.config && \
+ chmod 666 /etc/shadow
 # Set permissions
 RUN mkdir -p /run/xrdp/sockdir && \
diff --git a/remote/startup.sh b/remote/startup.sh
index 142b5b60..9cc0504d 100755
--- a/remote/startup.sh
+++ b/remote/startup.sh
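Review bot: `chmod 666 /etc/shadow` on the new continuation line leaves every account's password hash in the image world-readable and world-writable for the whole lifetime of each container, although startup.sh only needs the one account that runs it to be able to write the file. Narrowing it to that account, e.g. `chown techuser /etc/shadow && chmod 600 /etc/shadow` (root keeps access regardless), limits the exposure; it has to run after the account exists, and any other process that must read the file (the RDP login path is not visible here) would need to be accounted for. Related: the removed `RUN id techuser || useradd …` line is not replaced in this hunk, so unless the base image already provides `techuser`, startup.sh's `grep techuser /etc/shadow` finds no entry to rewrite — worth confirming against the base image.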
@@ -4,12 +4,10 @@
 # SPDX-License-Identifier: Apache-2.0
 set -e
-if [ "$(whoami)" == "root" ];
+if [ "$(whoami)" == "root" ] || [ "$(whoami)" == "techuser" ];
 then
- echo -e "$RMT_PASSWORD\n$RMT_PASSWORD" | passwd techuser;
-elif [ "$(whoami)" == "techuser" ];
-then
- echo -e "tmp_passwd\n$RMT_PASSWORD\n$RMT_PASSWORD" | passwd;
+ line=$(grep techuser /etc/shadow);
+ echo ${line%%:*}:$(openssl passwd -6 -salt $(openssl rand -base64 16) $RMT_PASSWORD):${line#*:*:} > /etc/shadow;
 else
 echo "Only techuser and root are supported as users.";
 exit 1;
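Review bot: The new `echo … > /etc/shadow` line truncates the whole file to the single rewritten techuser record, so every other account (root included) loses its shadow entry the first time the container starts; only the second field of the techuser line should change. Alongside that, `grep techuser` is unanchored (any name containing the string matches), `$RMT_PASSWORD` and the `$(…)` substitutions are unquoted, the password is handed to `openssl passwd` as a command-line argument where `ps` and `set -x` can see it, and a base64 salt may contain `=`, which is not in the crypt salt alphabet — `openssl passwd -6 -stdin` reads the password from stdin and generates its own salt. The rewrite below replaces only the hash field with awk and writes the result back over the existing file so its inode, owner and mode survive (a `mv` into /etc would need write access to the directory). The enclosing `if` block's closing `fi` is not visible in the hunk.
```shell
then
    : "${RMT_PASSWORD:?RMT_PASSWORD must be set}"
    grep -q '^techuser:' /etc/shadow || { echo "techuser has no entry in /etc/shadow" >&2; exit 1; }
    # -stdin keeps the password out of argv; openssl picks a random salt when -salt is omitted
    hash=$(printf '%s\n' "$RMT_PASSWORD" | openssl passwd -6 -stdin)
    # replace only field 2 of the techuser record, leaving every other account untouched
    tmp=$(mktemp)
    awk -F: -v h="$hash" 'BEGIN { OFS = FS } $1 == "techuser" { $2 = h } { print }' /etc/shadow > "$tmp"
    cat "$tmp" > /etc/shadow   # write in place so the file keeps its inode, owner and mode
    rm -f -- "$tmp"
else
```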