From fc8abfcaa9c71fba41b26fb4c62dcfe1081a5521 Mon Sep 17 00:00:00 2001 From: Filip Pytloun Date: Fri, 4 Mar 2016 01:22:44 +0100 Subject: Option to disable rsyslog and improvements (also security) - Introduce chroot_exec function - Allow choosing custom kernel - Install raspberrypi-bootloader-nokernel package instead of getting firmware with wget - Option to disable rsyslog and use only journald - [SECURITY] ensure ssh host keys are generated on first boot - allow control if default user is created - allow control of root ssh login --- README.md | 14 ++++++ rpi2-gen-image.sh | 145 +++++++++++++++++++++++++++++++++--------------------- 2 files changed, 104 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 912c7ce..998c534 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,10 @@ Enable IPv6 support. The network interface configuration is managed via systemd- ##### `ENABLE_SSHD`=true Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. +##### `ENABLE_RSYSLOG`=true +If set to false, disable and uninstall rsyslog (so logs will be available only +in journal files) + ##### `ENABLE_SOUND`=true Enable sound hardware and install Advanced Linux Sound Architecture. @@ -118,6 +122,16 @@ Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please ##### `ENABLE_IPTABLES`=false Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. +##### `ENABLE_USER`=true +Create pi user with password raspberry + +##### `ENABLE_ROOT`=true +Set root user password so root login will be enabled + +##### `ENABLE_ROOT_SSH`=true +Enable password root login via SSH. May be a security risk with default +password, use only in trusted environments. + ##### `ENABLE_HARDNET`=false Enable IPv4/IPv6 network stack hardening settings. 
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh index 6759f76..4a2ba7d 100755 --- a/rpi2-gen-image.sh +++ b/rpi2-gen-image.sh @@ -30,11 +30,17 @@ cleanup (){ trap - 0 1 2 3 6 } +# Exec command in chroot +chroot_exec() { + LANG=C LC_ALL=C chroot $R $* +} + set -e set -x # Debian release RELEASE=${RELEASE:=jessie} +KERNEL=${KERNEL:=3.18.0-trunk-rpi2} # Build settings BASEDIR=./images/${RELEASE} @@ -76,6 +82,10 @@ ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} ENABLE_MINGPU=${ENABLE_MINGPU:=false} ENABLE_XORG=${ENABLE_XORG:=false} ENABLE_WM=${ENABLE_WM:=""} +ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true} +ENABLE_USER=${ENABLE_USER:=true} +ENABLE_ROOT=${ENABLE_ROOT:=false} +ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false} # Advanced settings ENABLE_MINBASE=${ENABLE_MINBASE:=false} @@ -173,6 +183,10 @@ if [ "$ENABLE_HWRANDOM" = true ] ; then APT_INCLUDES="${APT_INCLUDES},rng-tools" fi +if [ "$ENABLE_USER" = true ]; then + APT_INCLUDES="${APT_INCLUDES},sudo" +fi + # Add fbturbo video driver if [ "$ENABLE_FBTURBO" = true ] ; then # Enable xorg package dependencies @@ -228,12 +242,12 @@ EOM # Set up timezone echo ${TIMEZONE} >$R/etc/timezone -LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata +chroot_exec dpkg-reconfigure -f noninteractive tzdata # Upgrade collabora package index and install collabora keyring echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list -LANG=C chroot $R apt-get -qq -y update -LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring +chroot_exec apt-get -qq -y update +chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring # Set up initial sources.list cat <$R/etc/apt/sources.list 
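Review bot: `chroot_exec` expands `$*` and `$R` unquoted, so every argument is re-split on whitespace and re-globbed before it reaches `chroot`; any argument containing spaces (a `--gecos` value, a `-n` description) is broken apart, and later call sites in this commit have to work around that with backslash-escaped quotes. Use `LANG=C LC_ALL=C chroot "$R" "$@"` so arguments pass through intact. Since the helper replaces roughly forty direct chroot calls, a header comment stating the contract would help, e.g. `# Run a command inside the target root $R under a C locale; arguments are passed through unchanged`.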
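Review bot: `chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring` still installs the repository keyring with signature checks disabled, because the key that would authenticate it is the very package being fetched; the rewritten line keeps this trust-on-first-use bootstrap unchanged. The `https://` in the preceding `echo "deb ..."` line protects the transport, not the content, so a replaced package on the repository side would be accepted silently. If the repository's public key can be committed next to the script and imported before the first `apt-get update` (for example with `apt-key add`), `--force-yes` can be dropped here; otherwise a one-line comment stating that this first install is intentionally unauthenticated would at least make the trust decision visible to the next reader.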
@@ -250,8 +264,8 @@ deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 EOM # Upgrade package index and update all installed packages and changed dependencies -LANG=C chroot $R apt-get -qq -y update -LANG=C chroot $R apt-get -qq -y -u dist-upgrade +chroot_exec apt-get -qq -y update +chroot_exec apt-get -qq -y -u dist-upgrade # Set up default locale and keyboard configuration if [ "$ENABLE_MINBASE" = false ] ; then 
@@ -259,60 +273,50 @@ if [ "$ENABLE_MINBASE" = false ] ; then # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 # ... so we have to set locales manually if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then - LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections + chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections else # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale - LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections - LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen + chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections + chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen fi - LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen - LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections - LANG=C chroot $R locale-gen - LANG=C chroot $R update-locale LANG=${DEFLOCAL} + chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen + chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections + chroot_exec locale-gen + chroot_exec update-locale LANG=${DEFLOCAL} # Keyboard configuration, if requested if [ "$XKBMODEL" != "" ] ; then - LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard + chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard fi if [ "$XKBLAYOUT" != "" ] ; then - LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard + chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" 
/etc/default/keyboard fi if [ "$XKBVARIANT" != "" ] ; then - LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard + chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard fi if [ "$XKBOPTIONS" != "" ] ; then - LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard + chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard fi - LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration + chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration # Set up font console case "${DEFLOCAL}" in *UTF-8) - LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup + chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup ;; *) - LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup + chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup ;; esac - LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup + chroot_exec dpkg-reconfigure -f noninteractive console-setup fi # Kernel installation # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot -LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 -LANG=C chroot $R apt-get -qq -y install flash-kernel +chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel +chroot_exec apt-get -qq -y install flash-kernel VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" [ -z "$VMLINUZ" ] && exit 1 -mkdir -p $R/boot/firmware - -# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") -wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin -wget -q -O $R/boot/firmware/fixup_cd.dat 
https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat -wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat -wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat -wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf -wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf -wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf cp $VMLINUZ $R/boot/firmware/kernel7.img # Set up IPv4 hosts 
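Review bot: `mkdir -p $R/boot/firmware` is removed, so `cp $VMLINUZ $R/boot/firmware/kernel7.img` now depends on `raspberrypi-bootloader-nokernel` having created `/boot/firmware` inside the chroot; if that package places its files elsewhere the `cp` fails and `set -e` aborts the build, so either confirm the package layout or keep `mkdir -p $R/boot/firmware` in front of the copy. Replacing the six `wget` fetches with a packaged bootloader is an improvement in itself, since those downloads were never checksum-verified. Separately, the rewritten `chroot_exec echo "locales ..." | debconf-set-selections` lines run `echo` inside the chroot but `debconf-set-selections` on the host, so the selections very likely land in the host's debconf database rather than the image's; this predates the commit, but as the lines are being rewritten anyway, moving the whole pipeline inside, e.g. `chroot_exec sh -c "echo 'locales locales/default_environment_locale select ${DEFLOCAL}' | debconf-set-selections"`, would fix it.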
@@ -374,17 +378,27 @@ EOM fi # Enable systemd-networkd service -LANG=C chroot $R systemctl enable systemd-networkd +chroot_exec systemctl enable systemd-networkd # Generate crypt(3) password string ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` # Set up default user -LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi -LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi +if [ "$ENABLE_USER" = true ] ; then + chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi + chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi +fi -# Set up root password -LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root +# Set up root password or not +if [ "$ENABLE_ROOT" = true ]; then + chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root + + if [ "$ENABLE_ROOT_SSH" = true ]; then + sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config + fi +else + chroot_exec usermod -p \'!\' root +fi # Set up firmware boot cmdline CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" 
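Review bot: In `chroot_exec adduser --gecos \"Raspberry PI user\" ...` the escaped quotes are passed to adduser as literal characters and the three words stay separate (chroot_exec, defined outside this hunk, expands `$*` unquoted), so adduser receives `PI` and `user"` as extra positional arguments and the user creation most likely fails; likewise `chroot_exec usermod -p \'!\' root` stores the quote characters in the hash field, which still blocks login but is not the intended `!` marker. Once chroot_exec uses `"$@"`, these lines can be written plainly as `chroot_exec adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi` and `chroot_exec usermod -p '!' root`. With `ENABLE_USER=false` and `ENABLE_ROOT` at its default of false, the resulting image has no account that can log in at all; a guard before this block, `if [ "$ENABLE_USER" != true ] && [ "$ENABLE_ROOT" != true ]; then echo "ENABLE_USER or ENABLE_ROOT must be true" >&2; exit 1; fi`, would catch that configuration at build time rather than on the device.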
@@ -576,15 +590,36 @@ spoof warn EOM fi -# Regenerate openssh server host keys +# Ensure openssh server host keys are regenerated on first boot if [ "$ENABLE_SSHD" = true ] ; then - rm -fr $R/etc/ssh/ssh_host_* - LANG=C chroot $R dpkg-reconfigure openssh-server + cat <>$R/etc/rc.firstboot +#!/bin/sh +rm -f /etc/ssh/ssh_host_* +ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key +ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key +ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key +ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key +sync + +systemctl restart sshd +sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local +rm -f /etc/rc.firstboot +EOM + chmod +x $R/etc/rc.firstboot + sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local + rm -f $R/etc/ssh/ssh_host_* +fi + +# Disable rsyslog +if [ "$ENABLE_RSYSLOG" = false ]; then + sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf + chroot_exec systemctl disable rsyslog + chroot_exec apt-get purge -q -y --force-yes rsyslog fi # Enable serial console systemd style if [ "$ENABLE_CONSOLE" = true ] ; then - LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service + chroot_exec systemctl enable serial-getty\@ttyAMA0.service fi # Enable firewall based on iptables started by systemd service @@ -671,8 +706,8 @@ COMMIT EOM # Reload systemd configuration and enable iptables service - LANG=C chroot $R systemctl daemon-reload - LANG=C chroot $R systemctl enable iptables.service + chroot_exec systemctl daemon-reload + chroot_exec systemctl enable iptables.service if [ "$ENABLE_IPV6" = true ] ; then # Create ip6tables systemd service @@ -762,8 +797,8 @@ COMMIT EOM # Reload systemd configuration and enable iptables service - LANG=C chroot $R systemctl daemon-reload - LANG=C chroot $R systemctl enable ip6tables.service + chroot_exec systemctl daemon-reload + chroot_exec systemctl enable ip6tables.service fi fi 
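Review bot: With rsyslog purged, log retention rests on journald alone, and if its `Storage=` is left at the default (`auto`) the journal lives in /run and is discarded on every reboot unless `/var/log/journal` exists; the image's journald.conf is not visible here, so please confirm. Adding `mkdir -p $R/var/log/journal` inside the `ENABLE_RSYSLOG = false` branch makes the journal persistent, which matters for incident review on a device that now has no other log sink. `--force-yes` on the `apt-get purge` line is unnecessary for a removal and only disables apt's safety checks; `chroot_exec apt-get purge -q -y rsyslog` is enough. In the generated rc.firstboot a DSA host key is still produced; OpenSSH 7.0 and later disable ssh-dss host keys by default, so that line can be dropped once the image targets a newer release.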
@@ -775,7 +810,7 @@ fi # Install gcc/c++ build environment inside the chroot if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then - LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc + chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc fi # Fetch and build U-Boot bootloader @@ -784,7 +819,7 @@ if [ "$ENABLE_UBOOT" = true ] ; then git -C $R/tmp clone git://git.denx.de/u-boot.git # Build and install U-Boot inside chroot - LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all + chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all # Copy compiled bootloader binary and set config.txt to load it cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ @@ -809,7 +844,7 @@ bootz \${kernel_addr_r} EOM # Generate U-Boot image from command file - LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr + chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr fi # Fetch and build fbturbo Xorg driver 
@@ -818,10 +853,10 @@ if [ "$ENABLE_FBTURBO" = true ] ; then git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git # Install Xorg build dependencies - LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev + chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev # Build and install fbturbo driver inside chroot - LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" + chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" # Add fbturbo driver to Xorg configuration cat <$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf 
@@ -834,18 +869,18 @@ EndSection EOM # Remove Xorg build dependencies - LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev + chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev fi # Remove gcc/c++ build environment from the chroot if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then - LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make + chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make fi # Clean cached downloads -LANG=C chroot $R apt-get -y clean -LANG=C chroot $R apt-get -y autoclean -LANG=C chroot $R apt-get -y autoremove +chroot_exec apt-get -y clean +chroot_exec apt-get -y autoclean +chroot_exec apt-get -y autoremove # Unmount mounted filesystems umount -l $R/proc -- cgit v1.2.3 From 33668aa2768a52add75b575263ec5dc5cec7d145 Mon Sep 17 00:00:00 2001 From: Filip Pytloun Date: Fri, 4 Mar 2016 11:28:05 +0100 Subject: Option to expand partition and rootfs on first boot Initial version from vknecht --- README.md | 3 +++ rpi2-gen-image.sh | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 70 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 998c534..9afe18b 100644 --- a/README.md +++ b/README.md 
@@ -43,6 +43,9 @@ Set default system locale. This setting can also be changed inside the running O ##### `TIMEZONE`="Europe/Berlin" Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. +##### `EXPANDROOT`=true +Expand the root partition and filesystem automatically on first boot. + #### Keyboard settings: These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command. ##### `XKBMODEL`="" diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh index 4a2ba7d..391c870 100755 --- a/rpi2-gen-image.sh +++ b/rpi2-gen-image.sh @@ -55,6 +55,7 @@ XKBMODEL=${XKBMODEL:=""} XKBLAYOUT=${XKBLAYOUT:=""} XKBVARIANT=${XKBVARIANT:=""} XKBOPTIONS=${XKBOPTIONS:=""} +EXPANDROOT=${EXPANDROOT:=true} # Network settings ENABLE_DHCP=${ENABLE_DHCP:=true} @@ -158,6 +159,11 @@ else APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" fi +# Add parted package, required to get partprobe utility +if [ "$EXPANDROOT" = true ] ; then + APT_INCLUDES="${APT_INCLUDES},parted" +fi + # Add dbus package, recommended if using systemd if [ "$ENABLE_DBUS" = true ] ; then APT_INCLUDES="${APT_INCLUDES},dbus" 
@@ -602,14 +608,73 @@ ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key sync systemctl restart sshd -sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local +sed -i '/.*rc.firstboot/d' /etc/rc.local rm -f /etc/rc.firstboot EOM chmod +x $R/etc/rc.firstboot - sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local + sed -i '/exit 0/d' $R/etc/rc.local + echo /etc/rc.firstboot >> $R/etc/rc.local rm -f $R/etc/ssh/ssh_host_* fi +if [ "$EXPANDROOT" = true ] ; then + cat < $R/etc/rc.expandroot +#!/bin/sh + +ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') +PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$') +case "\${ROOT_PART}" in + mmcblk0*) ROOT_DEV=mmcblk0 ;; + sda*) ROOT_DEV=sda ;; +esac +if [ "\$PART_NUM" = "\$ROOT_PART" ]; then + logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand" + return 0 +fi +# NOTE: the NOOBS partition layout confuses parted. For now, let's only +# agree to work with a sufficiently simple partition layout +if [ "\$PART_NUM" -gt 2 ]; then + logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool." + return 0 +fi +LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) +if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then + logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. 
Don't know how to expand" + return 0 +fi +# Get the starting offset of the root partition +PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') +[ "\$PART_START" ] || return 1 +# Get the possible last sector for the root partition +PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }') +[ "\$PART_LAST" ] || return 1 +# Return value will likely be error for fdisk as it fails to reload the +# partition table because the root fs is mounted +### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit +fdisk /dev/\${ROOT_DEV} <> $R/etc/rc.local +fi + # Disable rsyslog if [ "$ENABLE_RSYSLOG" = false ]; then sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf -- cgit v1.2.3 From a2923b42dbd061cd1bfe46c56dc0aff43ccb33f1 Mon Sep 17 00:00:00 2001 
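Review bot: `if [ \$LAST_PART_NUM -ne \$PART_NUM ]` in the generated rc.expandroot leaves both operands unquoted, so if `parted` prints nothing (device busy, unexpected output format) the test degenerates to `[ -ne 2 ]`, a syntax error, instead of the logged, graceful `return 0`; quote them as `if [ "\$LAST_PART_NUM" -ne "\$PART_NUM" ]`. The script uses `return 0`/`return 1` at top level under `#!/bin/sh`, which is only meaningful if rc.local sources the file; the line that wires it into rc.local is in the garbled tail of this hunk, so if the file is executed rather than sourced these should become `exit`. Because this runs as root on first boot and rewrites the partition table of the mounted root disk, logging the detected `ROOT_DEV`, `PART_START` and `PART_LAST` with `logger` before the `fdisk` call would make a failed or partial expansion diagnosable from the journal afterwards.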
From: Filip Pytloun Date: Fri, 4 Mar 2016 14:07:10 +0100 Subject: Cleanup code by spliting files --- files/config.txt | 43 ++++ files/firstboot/10-begin.sh | 2 + files/firstboot/21-generate-ssh-keys.sh | 8 + files/firstboot/22-expandroot.sh | 52 +++++ files/firstboot/99-finish.sh | 3 + files/fstab | 2 + files/iptables/flush-ip6tables.sh | 15 ++ files/iptables/flush-iptables.sh | 10 + files/iptables/ip6tables.rules | 48 ++++ files/iptables/ip6tables.service | 15 ++ files/iptables/iptables.rules | 43 ++++ files/iptables/iptables.service | 15 ++ files/modprobe.d/raspi-blacklist.conf | 9 + files/sysctl.d/81-rpi-vm.conf | 6 + files/sysctl.d/82-rpi-net-hardening.conf | 59 +++++ rpi2-gen-image.sh | 384 +++---------------------------- 16 files changed, 356 insertions(+), 358 deletions(-) create mode 100644 files/config.txt create mode 100644 files/firstboot/10-begin.sh create mode 100644 files/firstboot/21-generate-ssh-keys.sh create mode 100644 files/firstboot/22-expandroot.sh create mode 100644 files/firstboot/99-finish.sh create mode 100644 files/fstab create mode 100644 files/iptables/flush-ip6tables.sh create mode 100644 files/iptables/flush-iptables.sh create mode 100644 files/iptables/ip6tables.rules create mode 100644 files/iptables/ip6tables.service create mode 100644 files/iptables/iptables.rules create mode 100644 files/iptables/iptables.service create mode 100644 files/modprobe.d/raspi-blacklist.conf create mode 100644 files/sysctl.d/81-rpi-vm.conf create mode 100644 files/sysctl.d/82-rpi-net-hardening.conf diff --git a/files/config.txt b/files/config.txt new file mode 100644 index 0000000..7491765 --- /dev/null +++ b/files/config.txt 
@@ -0,0 +1,43 @@ +# For more options and information see +# http://www.raspberrypi.org/documentation/configuration/config-txt.md +# Some settings may impact device functionality. See link above for details + +# uncomment if you get no picture on HDMI for a default "safe" mode +#hdmi_safe=1 + +# uncomment this if your display has a black border of unused pixels visible +# and your display can output without overscan +#disable_overscan=1 + +# uncomment the following to adjust overscan. Use positive numbers if console +# goes off screen, and negative if there is too much border +#overscan_left=16 +#overscan_right=16 +#overscan_top=16 +#overscan_bottom=16 + +# uncomment to force a console size. By default it will be display's size minus +# overscan. +#framebuffer_width=1280 +#framebuffer_height=720 + +# uncomment if hdmi display is not detected and composite is being output +#hdmi_force_hotplug=1 + +# uncomment to force a specific HDMI mode (this will force VGA) +#hdmi_group=1 +#hdmi_mode=1 + +# uncomment to force a HDMI mode rather than DVI. This can make audio work in +# DMT (computer monitor) modes +#hdmi_drive=2 + +# uncomment to increase signal to HDMI, if you have interference, blanking, or +# no display +#config_hdmi_boost=4 + +# uncomment for composite PAL +#sdtv_mode=2 + +# uncomment to overclock the arm. 700 MHz is the default. +#arm_freq=800 diff --git a/files/firstboot/10-begin.sh b/files/firstboot/10-begin.sh new file mode 100644 index 0000000..6258bb7 --- /dev/null +++ b/files/firstboot/10-begin.sh @@ -0,0 +1,2 @@ +#!/bin/sh -e +logger -t "rc.firstboot" "Starting first boot actions" diff --git a/files/firstboot/21-generate-ssh-keys.sh b/files/firstboot/21-generate-ssh-keys.sh new file mode 100644 index 0000000..a6c567c --- /dev/null +++ b/files/firstboot/21-generate-ssh-keys.sh 
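Review bot: `#!/bin/sh -e` in 10-begin.sh becomes the interpreter line of the whole concatenated rc.firstboot, so a non-zero status in any later fragment (21-generate-ssh-keys.sh, 22-expandroot.sh) aborts the script before 99-finish.sh runs; whether that leaves rc.firstboot in place to re-run on every boot depends on 99-finish.sh, which is not visible here. Nothing in the new files documents this fragment convention; a comment after the shebang such as `# Fragments appended below run as root from rc.local under sh -e; any non-zero status aborts first-boot here` would make the contract explicit for anyone adding a fragment. The `return 0` statements in 22-expandroot.sh are then top-level statements of this script rather than function returns, which is worth checking against the image's /bin/sh.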
@@ -0,0 +1,8 @@ +logger -t "rc.firstboot" "Generating SSH host keys" +rm -f /etc/ssh/ssh_host_* +ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key +ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key +ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key +ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key + +systemctl restart sshd diff --git a/files/firstboot/22-expandroot.sh b/files/firstboot/22-expandroot.sh new file mode 100644 index 0000000..00b94af --- /dev/null +++ b/files/firstboot/22-expandroot.sh 
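Review bot: The `sync` that followed the `ssh-keygen` calls in the previous inline rc.firstboot is dropped in this fragment, while the image's fstab mounts root with `data=writeback,commit=100`; a power cut on first boot inside that window can leave the new host keys missing or truncated, and sshd then refuses to start on the next boot, by which point rc.firstboot has presumably removed itself. Add `sync` after the last `ssh-keygen` line, before `systemctl restart sshd`. The DSA key is generated alongside the others; OpenSSH 7.0 and later disable ssh-dss host keys by default, so that line can go once the image targets a newer release.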
@@ -0,0 +1,52 @@ +logger -t "rc.firstboot" "Expanding root" +ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') +PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') +case "${ROOT_PART}" in + mmcblk0*) ROOT_DEV=mmcblk0 ;; + sda*) ROOT_DEV=sda ;; +esac +if [ "$PART_NUM" = "$ROOT_PART" ]; then + logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand" + return 0 +fi + +# NOTE: the NOOBS partition layout confuses parted. For now, let's only +# agree to work with a sufficiently simple partition layout +if [ "$PART_NUM" -gt 2 ]; then + logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool." + return 0 +fi +LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) +if [ $LAST_PART_NUM -ne $PART_NUM ]; then + logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand" + return 0 +fi + +# Get the starting offset of the root partition +PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') +[ "$PART_START" ] || return 1 + +# Get the possible last sector for the root partition +PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }') +[ "$PART_LAST" ] || return 1 + +# Return value will likely be error for fdisk as it fails to reload the +# partition table because the root fs is mounted +### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit +fdisk /dev/${ROOT_DEV} <$R/boot/firmware/cmdline.txt # Set up firmware config -cat <$R/boot/firmware/config.txt -# For more options and information see -# http://www.raspberrypi.org/documentation/configuration/config-txt.md -# Some settings may impact device functionality. 
See link above for details - -# uncomment if you get no picture on HDMI for a default "safe" mode -#hdmi_safe=1 - -# uncomment this if your display has a black border of unused pixels visible -# and your display can output without overscan -#disable_overscan=1 - -# uncomment the following to adjust overscan. Use positive numbers if console -# goes off screen, and negative if there is too much border -#overscan_left=16 -#overscan_right=16 -#overscan_top=16 -#overscan_bottom=16 - -# uncomment to force a console size. By default it will be display's size minus -# overscan. -#framebuffer_width=1280 -#framebuffer_height=720 - -# uncomment if hdmi display is not detected and composite is being output -#hdmi_force_hotplug=1 - -# uncomment to force a specific HDMI mode (this will force VGA) -#hdmi_group=1 -#hdmi_mode=1 - -# uncomment to force a HDMI mode rather than DVI. This can make audio work in -# DMT (computer monitor) modes -#hdmi_drive=2 - -# uncomment to increase signal to HDMI, if you have interference, blanking, or -# no display -#config_hdmi_boost=4 - -# uncomment for composite PAL -#sdtv_mode=2 - -# uncomment to overclock the arm. 700 MHz is the default. -#arm_freq=800 -EOM +install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt # Load snd_bcm2835 kernel module at boot time if [ "$ENABLE_SOUND" = true ] ; then 
@@ -496,99 +452,17 @@ fi mkdir -p $R/etc/modprobe.d/ # Blacklist sound modules -cat <$R/etc/modprobe.d/raspi-blacklist.conf -blacklist snd_soc_core -blacklist snd_pcm -blacklist snd_pcm_dmaengine -blacklist snd_timer -blacklist snd_compress -blacklist snd_soc_pcm512x_i2c -blacklist snd_soc_pcm512x -blacklist snd_soc_tas5713 -blacklist snd_soc_wm8804 -EOM +install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf # Create default fstab -cat <$R/etc/fstab -/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 -/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 -EOM - -# Avoid swapping and increase cache sizes -cat <>$R/etc/sysctl.d/99-sysctl.conf +install -o root -g root -m 644 files/fstab $R/etc/fstab # Avoid swapping and increase cache sizes -vm.swappiness=1 -vm.dirty_background_ratio=20 -vm.dirty_ratio=40 -vm.dirty_writeback_centisecs=500 -vm.dirty_expire_centisecs=6000 -EOM +install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf # Enable network stack hardening if [ "$ENABLE_HARDNET" = true ] ; then - cat <>$R/etc/sysctl.d/99-sysctl.conf - -# Enable network stack hardening -net.ipv4.tcp_timestamps=0 -net.ipv4.tcp_syncookies=1 -net.ipv4.conf.all.rp_filter=1 -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.default.send_redirects=0 -net.ipv4.conf.default.accept_source_route=0 -net.ipv4.conf.lo.accept_redirects=0 -net.ipv4.conf.lo.send_redirects=0 -net.ipv4.conf.lo.accept_source_route=0 -net.ipv4.conf.eth0.accept_redirects=0 -net.ipv4.conf.eth0.send_redirects=0 -net.ipv4.conf.eth0.accept_source_route=0 -net.ipv4.icmp_echo_ignore_broadcasts=1 -net.ipv4.icmp_ignore_bogus_error_responses=1 - -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.all.accept_source_route=0 
-net.ipv6.conf.all.router_solicitations=0 -net.ipv6.conf.all.accept_ra_rtr_pref=0 -net.ipv6.conf.all.accept_ra_pinfo=0 -net.ipv6.conf.all.accept_ra_defrtr=0 -net.ipv6.conf.all.autoconf=0 -net.ipv6.conf.all.dad_transmits=0 -net.ipv6.conf.all.max_addresses=1 - -net.ipv6.conf.default.accept_redirects=0 -net.ipv6.conf.default.accept_source_route=0 -net.ipv6.conf.default.router_solicitations=0 -net.ipv6.conf.default.accept_ra_rtr_pref=0 -net.ipv6.conf.default.accept_ra_pinfo=0 -net.ipv6.conf.default.accept_ra_defrtr=0 -net.ipv6.conf.default.autoconf=0 -net.ipv6.conf.default.dad_transmits=0 -net.ipv6.conf.default.max_addresses=1 - -net.ipv6.conf.lo.accept_redirects=0 -net.ipv6.conf.lo.accept_source_route=0 -net.ipv6.conf.lo.router_solicitations=0 -net.ipv6.conf.lo.accept_ra_rtr_pref=0 -net.ipv6.conf.lo.accept_ra_pinfo=0 -net.ipv6.conf.lo.accept_ra_defrtr=0 -net.ipv6.conf.lo.autoconf=0 -net.ipv6.conf.lo.dad_transmits=0 -net.ipv6.conf.lo.max_addresses=1 - -net.ipv6.conf.eth0.accept_redirects=0 -net.ipv6.conf.eth0.accept_source_route=0 -net.ipv6.conf.eth0.router_solicitations=0 -net.ipv6.conf.eth0.accept_ra_rtr_pref=0 -net.ipv6.conf.eth0.accept_ra_pinfo=0 -net.ipv6.conf.eth0.accept_ra_defrtr=0 -net.ipv6.conf.eth0.autoconf=0 -net.ipv6.conf.eth0.dad_transmits=0 -net.ipv6.conf.eth0.max_addresses=1 -EOM + install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf # Enable resolver warnings about spoofed addresses cat <>$R/etc/host.conf 
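Review bot: The `install` line in the `ENABLE_HARDNET` branch reads from `files/sysctl.d/81-rpi-net-hardening.conf`, but the file this commit creates is `files/sysctl.d/82-rpi-net-hardening.conf` (see the diffstat and `create mode` list at the top of the commit), so with `ENABLE_HARDNET=true` the `install` fails and `set -e` aborts the build before the hardening sysctls ever reach the image. Change the source path to `files/sysctl.d/82-rpi-net-hardening.conf`; the destination name may stay as is or be renamed to match, but the two must agree. Because the failure only occurs when hardening is requested, it is easy to miss in a default build.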
@@ -596,85 +470,26 @@ spoof warn EOM fi +# First boot actions +cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot + # Ensure openssh server host keys are regenerated on first boot if [ "$ENABLE_SSHD" = true ] ; then - cat <>$R/etc/rc.firstboot -#!/bin/sh -rm -f /etc/ssh/ssh_host_* -ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key -ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key -ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key -ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -sync - -systemctl restart sshd -sed -i '/.*rc.firstboot/d' /etc/rc.local -rm -f /etc/rc.firstboot -EOM - chmod +x $R/etc/rc.firstboot - sed -i '/exit 0/d' $R/etc/rc.local - echo /etc/rc.firstboot >> $R/etc/rc.local + cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot rm -f $R/etc/ssh/ssh_host_* fi if [ "$EXPANDROOT" = true ] ; then - cat < $R/etc/rc.expandroot -#!/bin/sh - -ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') -PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$') -case "\${ROOT_PART}" in - mmcblk0*) ROOT_DEV=mmcblk0 ;; - sda*) ROOT_DEV=sda ;; -esac -if [ "\$PART_NUM" = "\$ROOT_PART" ]; then - logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand" - return 0 -fi -# NOTE: the NOOBS partition layout confuses parted. For now, let's only -# agree to work with a sufficiently simple partition layout -if [ "\$PART_NUM" -gt 2 ]; then - logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool." - return 0 -fi -LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) -if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then - logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. 
Don't know how to expand" - return 0 -fi -# Get the starting offset of the root partition -PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') -[ "\$PART_START" ] || return 1 -# Get the possible last sector for the root partition -PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }') -[ "\$PART_LAST" ] || return 1 -# Return value will likely be error for fdisk as it fails to reload the -# partition table because the root fs is mounted -### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit -fdisk /dev/\${ROOT_DEV} <> $R/etc/rc.local + cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot fi +cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot +chmod +x $R/etc/rc.firstboot + +sed -i '/exit 0/d' $R/etc/rc.local +echo /etc/rc.firstboot >> $R/etc/rc.local +echo exit 0 >> $R/etc/rc.local + # Disable rsyslog if [ "$ENABLE_RSYSLOG" = false ]; then sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf 
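Review bot: The new `cat files/firstboot/...` lines (and the `install ... files/...` lines elsewhere in this commit) resolve `files/` against the current working directory rather than the script's location, so running the script from any other directory fails partway through under `set -e`, after the image tree has already been populated. Anchoring the path once near the top of the script, e.g. `FILES="$(dirname "$0")/files"`, and using `"$FILES/firstboot/10-begin.sh"` here would remove that dependency. rc.firstboot is now created and appended to rc.local unconditionally, even when neither `ENABLE_SSHD` nor `EXPANDROOT` is set; that is harmless only if 99-finish.sh removes it after the first run, which this hunk does not show, so please confirm.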
@@ -693,82 +508,13 @@ if [ "$ENABLE_IPTABLES" = true ] ; then
 mkdir -p "$R/etc/iptables"
 # Create iptables systemd service
- cat <$R/etc/systemd/system/iptables.service
-[Unit]
-Description=Packet Filtering Framework
-DefaultDependencies=no
-After=systemd-sysctl.service
-Before=sysinit.target
-[Service]
-Type=oneshot
-ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
-ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
-ExecStop=/etc/iptables/flush-iptables.sh
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target
-EOM
+ install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
 # Create flush-table script called by iptables service
- cat <$R/etc/iptables/flush-iptables.sh
-#!/bin/sh
-iptables -F
-iptables -X
-iptables -t nat -F
-iptables -t nat -X
-iptables -t mangle -F
-iptables -t mangle -X
-iptables -P INPUT ACCEPT
-iptables -P FORWARD ACCEPT
-iptables -P OUTPUT ACCEPT
-EOM
+ install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
 # Create iptables rule file
- cat <$R/etc/iptables/iptables.rules
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-:TCP - [0:0]
-:UDP - [0:0]
-:SSH - [0:0]
-
-# Rate limit ping requests
--A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
--A INPUT -p icmp --icmp-type echo-request -j DROP
-
-# Accept established connections
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# Accept all traffic on loopback interface
--A INPUT -i lo -j ACCEPT
-
-# Drop packets declared invalid
--A INPUT -m conntrack --ctstate INVALID -j DROP
-
-# SSH rate limiting
--A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
--A SSH -m recent --name sshbf --set -j ACCEPT
-
-# Send TCP and UDP 
connections to their respective rules chain
--A INPUT -p udp -m conntrack --ctstate NEW -j UDP
--A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-
-# Reject dropped packets with a RFC compliant responce
--A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--A INPUT -p tcp -j REJECT --reject-with tcp-rst
--A INPUT -j REJECT --reject-with icmp-proto-unreachable
-
-## TCP PORT RULES
-# -A TCP -p tcp -j LOG
-
-## UDP PORT RULES
-# -A UDP -p udp -j LOG
-
-COMMIT
-EOM
+ install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
 # Reload systemd configuration and enable iptables service
 chroot_exec systemctl daemon-reload
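Review bot: The three `install` calls resolve `files/iptables/...` against the caller's working directory, so invoking the script from anywhere but the source tree stops at this point with a bare install error if the script runs with `set -e`; the same applies to the `files/firstboot/*.sh` paths in the previous hunk and the ip6tables paths in the next one. Anchoring the source directory once, e.g. `FILES_DIR=$(dirname "$0")/files` next to the other settings and then `install -o root -g root -m 644 "$FILES_DIR/iptables/iptables.rules" $R/etc/iptables/iptables.rules`, makes the dependency explicit. The comments `# Create iptables systemd service`, `# Create flush-table script called by iptables service` and `# Create iptables rule file` now sit above installs of pre-built files rather than heredocs and could say `Install` so a reader looks in files/iptables for the content. Since the ruleset itself has moved out of the script, its content cannot be reviewed from this hunk; the new files are not in this view.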
@@ -776,94 +522,16 @@ EOM
 if [ "$ENABLE_IPV6" = true ] ; then
 # Create ip6tables systemd service
- cat <$R/etc/systemd/system/ip6tables.service
-[Unit]
-Description=Packet Filtering Framework
-DefaultDependencies=no
-After=systemd-sysctl.service
-Before=sysinit.target
-[Service]
-Type=oneshot
-ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
-ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
-ExecStop=/etc/iptables/flush-ip6tables.sh
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target
-EOM
+ install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
 # Create ip6tables file
- cat <$R/etc/iptables/flush-ip6tables.sh
-#!/bin/sh
-ip6tables -F
-ip6tables -X
-ip6tables -Z
-for table in $($R/etc/iptables/ip6tables.rules
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-:TCP - [0:0]
-:UDP - [0:0]
-:SSH - [0:0]
-
-# Drop packets with RH0 headers
--A INPUT -m rt --rt-type 0 -j DROP
--A OUTPUT -m rt --rt-type 0 -j DROP
--A FORWARD -m rt --rt-type 0 -j DROP
-
-# Rate limit ping requests
--A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
--A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
-
-# Accept established connections
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# Accept all traffic on loopback interface
--A INPUT -i lo -j ACCEPT
+ install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
-# Drop packets declared invalid
--A INPUT -m conntrack --ctstate INVALID -j DROP
+ install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
-# SSH rate limiting
--A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
--A SSH -m recent --name sshbf --set -j ACCEPT
-
-# 
Send TCP and UDP connections to their respective rules chain
--A INPUT -p udp -m conntrack --ctstate NEW -j UDP
--A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-
-# Reject dropped packets with a RFC compliant responce
--A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
--A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
--A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-
-## TCP PORT RULES
-# -A TCP -p tcp -j LOG
-
-## UDP PORT RULES
-# -A UDP -p udp -j LOG
-
-COMMIT
-EOM
-
- # Reload systemd configuration and enable iptables service
- chroot_exec systemctl daemon-reload
- chroot_exec systemctl enable ip6tables.service
+ # Reload systemd configuration and enable iptables service
+ chroot_exec systemctl daemon-reload
+ chroot_exec systemctl enable ip6tables.service
 fi
 fi
-- cgit v1.2.3
From c8a035bfc03fabf4384f4e207571d2c81e028b65 Mon Sep 17 00:00:00 2001
From: Filip Pytloun
Date: Sat, 5 Mar 2016 18:00:25 +0100
Subject: Fix escaping of adduser
---
 rpi2-gen-image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh
index 42a0b06..2a88c5b 100755
--- a/rpi2-gen-image.sh
+++ b/rpi2-gen-image.sh
@@ -391,7 +391,7 @@ ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
 # Set up default user
 if [ "$ENABLE_USER" = true ] ; then
- chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
+ chroot_exec adduser --gecos \"Raspberry\ PI\ user\" --add_extra_groups --disabled-password pi
 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
 fi
-- cgit v1.2.3
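Review bot: The single `# Create ip6tables file` comment now heads three unrelated `install` calls (unit, flush script, rules), while the IPv4 block above keeps one comment per file; mirroring it with `# Create flush-table script called by ip6tables service` before the flush-ip6tables.sh line and `# Create ip6tables rule file` before the ip6tables.rules line keeps the two blocks readable side by side. The re-indented `# Reload systemd configuration and enable iptables service` comment on the new side still says iptables although the command that follows enables ip6tables.service. The outer `if [ "$ENABLE_IPTABLES" = true ]` that the final `fi` closes begins outside the hunk.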
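Review bot: Escaping the spaces in `\"Raspberry\ PI\ user\"` does not change what adduser receives: the caller's quote removal turns it into the single word `"Raspberry PI user"` with literal double quotes, and if chroot_exec still forwards its arguments through an unquoted `$*`, that word is split on the spaces again exactly as the old line was, so adduser gets `"Raspberry`, `PI` and `user"` as separate arguments. The fix that holds is to forward `"$@"` in chroot_exec and write `chroot_exec adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi` here, without backslashes. chroot_exec is defined outside this hunk, so its current expansion is inferred rather than seen. Separately, the context line hands the password hash to usermod on argv and the hunk header shows the plaintext `${PASSWORD}` passed to mkpasswd the same way; with `set -x` active both end up in the build log, whereas `chpasswd -e` reading `pi:$ENCRYPTED_PASSWORD` from stdin keeps them out of the trace and out of `ps`.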