fixed user password not being set properly

sinisterMage · sinisterMage · commit db6b9d3e2648 · 2026-04-08T16:02:44.000+03:00
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: all dynamod installer rootfs iso clean distclean test-qemu test-qemu-serial test-qemu-install
+.PHONY: all dynamod installer rootfs iso clean distclean test-qemu test-qemu-serial test-qemu-install test-qemu-disk test-qemu-disk-serial
 
 ECLIPSE_VERSION ?= 0.1.0
 BUILD_DIR       := $(CURDIR)/build
@@ -96,6 +96,43 @@ test-qemu-install:
 		-device virtio-vga-gl \
 		-display gtk,gl=on
 
+test-qemu-disk:
+	@[ -f $(BUILD_DIR)/test-disk.qcow2 ] || { echo "ERROR: $(BUILD_DIR)/test-disk.qcow2 not found. Run 'make test-qemu-install' and install first."; exit 1; }
+	@echo "Booting from installed disk..."
+	@QEMU_EXTRA=""; \
+	if [ -w /dev/kvm ]; then \
+		QEMU_EXTRA="-enable-kvm -cpu host"; \
+		echo "KVM: enabled"; \
+	else \
+		echo "KVM: not available (will be slower)"; \
+	fi; \
+	qemu-system-x86_64 \
+		$$QEMU_EXTRA \
+		-drive file=$(BUILD_DIR)/test-disk.qcow2,format=qcow2,if=virtio \
+		-m 2048M \
+		-smp 2 \
+		-device virtio-vga-gl \
+		-display gtk,gl=on
+
+test-qemu-disk-serial:
+	@[ -f $(BUILD_DIR)/test-disk.qcow2 ] || { echo "ERROR: $(BUILD_DIR)/test-disk.qcow2 not found. Run 'make test-qemu-install' and install first."; exit 1; }
+	@echo "Booting from installed disk (serial console)..."
+	@echo "Tip: select 'Eclipse Linux (serial console)' from the GRUB menu."
+	@QEMU_EXTRA=""; \
+	if [ -w /dev/kvm ]; then \
+		QEMU_EXTRA="-enable-kvm -cpu host"; \
+		echo "KVM: enabled"; \
+	else \
+		echo "KVM: not available (will be slower)"; \
+	fi; \
+	qemu-system-x86_64 \
+		$$QEMU_EXTRA \
+		-drive file=$(BUILD_DIR)/test-disk.qcow2,format=qcow2,if=virtio \
+		-m 2048M \
+		-smp 2 \
+		-nographic \
+		-no-reboot
+
 clean:
 	rm -rf $(BUILD_DIR)
 
diff --git a/eclipse-installer/src/install.rs b/eclipse-installer/src/install.rs
@@ -462,15 +462,33 @@ fn setup_accounts(config: &InstallConfig) -> Result<(), String> {
         let _ = run_cmd("mount", &["--bind", &src, &dst]);
     }
 
-    // Set root password
-    log::log("Setting root password...");
-    if let Some(ref pass) = config.root_password {
-        run_chroot_stdin("chpasswd", &[], &format!("root:{}\n", pass))?;
-    } else {
-        run_chroot("passwd", &["-d", "root"])?;
+    // Ensure SHA-512 password hashing — musl's crypt() does not support
+    // yescrypt ($y$) which newer shadow packages may default to.
+    let login_defs = format!("{}/etc/login.defs", TARGET_MNT);
+    if Path::new(&login_defs).exists() {
+        if let Ok(content) = fs::read_to_string(&login_defs) {
+            let fixed: String = content
+                .lines()
+                .map(|line| {
+                    if line.starts_with("ENCRYPT_METHOD") {
+                        "ENCRYPT_METHOD SHA512"
+                    } else {
+                        line
+                    }
+                })
+                .collect::<Vec<_>>()
+                .join("\n");
+            let fixed = if content.ends_with('\n') && !fixed.ends_with('\n') {
+                fixed + "\n"
+            } else {
+                fixed
+            };
+            let _ = fs::write(&login_defs, &fixed);
+            log::log("login.defs: ENCRYPT_METHOD set to SHA512");
+        }
     }
 
-    // Create user account
+    // Create user account FIRST so all users exist before chpasswd runs
     log::log(&format!("Creating user {}...", config.username));
     run_chroot(
         "useradd",
@@ -484,17 +502,48 @@ fn setup_accounts(config: &InstallConfig) -> Result<(), String> {
         ],
     )?;
 
-    // Set user password
-    if let Some(ref pass) = config.user_password {
-        run_chroot_stdin(
-            "chpasswd",
-            &[],
-            &format!("{}:{}\n", config.username, pass),
-        )?;
-    } else {
+    // Handle passwordless accounts
+    if config.root_password.is_none() {
+        run_chroot("passwd", &["-d", "root"])?;
+    }
+    if config.user_password.is_none() {
         run_chroot("passwd", &["-d", &config.username])?;
     }
 
+    // Set all passwords in a SINGLE chpasswd invocation to avoid
+    // shadow file locking issues between separate calls.
+    let mut pw_data = String::new();
+    if let Some(ref pass) = config.root_password {
+        pw_data.push_str(&format!("root:{}\n", pass));
+    }
+    if let Some(ref pass) = config.user_password {
+        pw_data.push_str(&format!("{}:{}\n", config.username, pass));
+    }
+
+    if !pw_data.is_empty() {
+        log::log("Setting passwords via single chpasswd call...");
+        run_chroot_stdin("chpasswd", &[], &pw_data)?;
+
+        // Verify each password was set
+        for user in &["root", config.username.as_str()] {
+            if is_shadow_locked(user) {
+                log::log(&format!("WARNING: chpasswd did not set hash for {user}, trying usermod fallback..."));
+                let hash = generate_password_hash(user, config)?;
+                if !hash.is_empty() {
+                    run_chroot("usermod", &["-p", &hash, user])?;
+                    if is_shadow_locked(user) {
+                        return Err(format!("Failed to set password for {user}"));
+                    }
+                    log::log(&format!("OK: password set for {user} via usermod fallback"));
+                } else {
+                    return Err(format!("Failed to set password for {user} — no hash generation method available"));
+                }
+            } else {
+                log::log(&format!("OK: password set for {user}"));
+            }
+        }
+    }
+
     Ok(())
 }
 
@@ -829,6 +878,43 @@ fn copy_glob_files_with_prefix(search_dir: &str, pattern: &str, staging: &str, t
     }
 }
 
+/// Check whether a user's shadow entry is still locked (!, !!, *, or empty).
+fn is_shadow_locked(user: &str) -> bool {
+    let shadow_path = format!("{}/etc/shadow", TARGET_MNT);
+    if let Ok(content) = fs::read_to_string(&shadow_path) {
+        let prefix = format!("{user}:");
+        if let Some(line) = content.lines().find(|l| l.starts_with(&prefix)) {
+            let hash = line.split(':').nth(1).unwrap_or("");
+            return hash.is_empty()
+                || hash == "!"
+                || hash == "!!"
+                || hash == "*"
+                || hash.starts_with("!$");
+        }
+    }
+    true
+}
+
+/// Generate a SHA-512 password hash via openssl inside the chroot.
+fn generate_password_hash(user: &str, config: &InstallConfig) -> Result<String, String> {
+    let pass = if user == "root" {
+        config.root_password.as_deref().unwrap_or("")
+    } else {
+        config.user_password.as_deref().unwrap_or("")
+    };
+    if pass.is_empty() {
+        return Ok(String::new());
+    }
+    let result = run_chroot_stdin("openssl", &["passwd", "-6", "-stdin"], &format!("{pass}\n"));
+    if let Ok(output) = result {
+        let hash = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if hash.starts_with("$6$") {
+            return Ok(hash);
+        }
+    }
+    Err("openssl passwd not available or failed".to_string())
+}
+
 fn find_first_existing(candidates: &[&str]) -> Option<String> {
     candidates
         .iter()
diff --git a/scripts/eclipse-install b/scripts/eclipse-install
@@ -498,23 +498,57 @@ mount --bind /proc "$TARGET_MNT/proc" 2>/dev/null || true
 mount --bind /dev  "$TARGET_MNT/dev"  2>/dev/null || true
 mount --bind /sys  "$TARGET_MNT/sys"  2>/dev/null || true
 
-# Set root password
-log "Setting root password..."
-if [ -n "$PASS1" ]; then
-    echo "root:$PASS1" | chroot "$TARGET_MNT" chpasswd >> "$LOG" 2>&1
+# Ensure SHA-512 password hashing — musl's crypt() does not support
+# yescrypt ($y$) which newer shadow packages may default to.
+log "Ensuring SHA-512 password hashing in login.defs..."
+if [ -f "$TARGET_MNT/etc/login.defs" ]; then
+    sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/' "$TARGET_MNT/etc/login.defs"
+    log "login.defs ENCRYPT_METHOD set to SHA512"
 else
-    chroot "$TARGET_MNT" passwd -d root >> "$LOG" 2>&1
+    log "WARNING: /etc/login.defs not found"
 fi
 
-# Create user account
+# Create user account FIRST so all users exist before chpasswd runs
 log "Creating user $USERNAME..."
 chroot "$TARGET_MNT" useradd -m -G wheel,audio,video,input,_seatd -s /usr/bin/fish "$USERNAME" >> "$LOG" 2>&1
-if [ -n "$USER_PASS1" ]; then
-    echo "$USERNAME:$USER_PASS1" | chroot "$TARGET_MNT" chpasswd >> "$LOG" 2>&1
-else
+
+# Handle passwordless accounts
+if [ -z "$PASS1" ]; then
+    chroot "$TARGET_MNT" passwd -d root >> "$LOG" 2>&1
+fi
+if [ -z "$USER_PASS1" ]; then
     chroot "$TARGET_MNT" passwd -d "$USERNAME" >> "$LOG" 2>&1
 fi
 
+# Set all passwords in a SINGLE chpasswd invocation to avoid
+# shadow file locking issues between separate calls.
+PW_INPUT=""
+[ -n "$PASS1" ]      && PW_INPUT="root:${PASS1}"
+if [ -n "$USER_PASS1" ]; then
+    [ -n "$PW_INPUT" ] && PW_INPUT="${PW_INPUT}
+"
+    PW_INPUT="${PW_INPUT}${USERNAME}:${USER_PASS1}"
+fi
+
+if [ -n "$PW_INPUT" ]; then
+    log "Setting passwords via single chpasswd call..."
+    printf '%s\n' "$PW_INPUT" | chroot "$TARGET_MNT" chpasswd >> "$LOG" 2>&1
+    log "chpasswd exited $?"
+
+    # Verify each password was set
+    for _u in root "$USERNAME"; do
+        _hash=$(grep "^${_u}:" "$TARGET_MNT/etc/shadow" 2>/dev/null | cut -d: -f2)
+        case "$_hash" in
+            '!'*|'*'|'')
+                log "WARNING: password not set for $_u (field='$_hash')"
+                ;;
+            *)
+                log "OK: password set for $_u (${#_hash} chars)"
+                ;;
+        esac
+    done
+fi
+
 dialog --backtitle "$BACKTITLE" --title "Configuring Bootloader" \
     --infobox "Installing GRUB bootloader..." 4 50
 
