From 6f6fe2817e714309af62b71de88526a20377afaa Mon Sep 17 00:00:00 2001 From: Kyle MacLeod Date: Fri, 14 Mar 2025 18:01:47 -0400 Subject: [PATCH] miniboot: Lock the root account during subcloud install The root account must be locked (any logins disallowed) during the install, otherwise the user can login via BMC if they know the password. This commit adds the 'passwd -l root' command to the miniboot kickstart. A TODO is added to investigate removal of setting an initial root password. Test Plan: PASS: - Install a subcloud via redfish. Verify that the root account is locked upon install, and past the bootstrap/deployment stages, via 'sudo passwd -S root' Closes-Bug: 2102679 Change-Id: Ica4264d3dd86fef7ed508157a24fac92980e38e7 Signed-off-by: Kyle MacLeod --- kickstart/files/miniboot.cfg | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kickstart/files/miniboot.cfg b/kickstart/files/miniboot.cfg index 57ccf12e..3e7b85d1 100644 --- a/kickstart/files/miniboot.cfg +++ b/kickstart/files/miniboot.cfg @@ -2348,7 +2348,14 @@ ilog "**** Post - Add user/groups **" ilog "*********************************************************" # Set password for root to 'root' -usermod -p '$6$hEv/K.fPeg/$ezIWhJPrMG3WtdEwqQRdyBwdYmPZkqW2PONFAcDd6TqWliYc9dHAwW4MFTlLanVH3/clE0/34FheDMpbAqZVG.' root +# usermod -p '$6$hEv/K.fPeg/$ezIWhJPrMG3WtdEwqQRdyBwdYmPZkqW2PONFAcDd6TqWliYc9dHAwW4MFTlLanVH3/clE0/34FheDMpbAqZVG.' root + +# To enable root password +# 1. Uncomment set root password command above +# 2. Comment out 'passwd -l root' command below + +# Lock the root password +passwd -l root # Remove admin user whether it exists or not deluser admin || true
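Review bot: The unchanged comment "# Set password for root to 'root'" at the top of the hunk now heads a commented-out `usermod -p` line, so it no longer describes what the script does. The TODO that the commit message says is added (investigate removing the initial root password) also does not appear in any of the added lines. Suggest rewording that comment to say the password set is disabled, and putting the TODO text next to it so the follow-up is tracked in the file. The commented-out line keeps the hash of the well-known password 'root' in miniboot.cfg together with two-step instructions for re-enabling it. If this is meant only as a debug aid, say so in the comment and state that 'passwd -l root' must be restored before release, or drop the hash and point to a documented debug procedure instead. Separately, `passwd -l root` locks password authentication only. That covers the BMC console login described in the commit message, but the "any logins disallowed" wording is broader than what this command enforces, since non-password methods such as SSH keys are not affected by a password lock. Finally, the result of the lock is not checked or logged. An `ilog` line reporting the output of `passwd -S root` right after the lock would make the test plan's manual verification visible in the install log.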