Prevent password masking from becoming password (#1873) (#1874)

There is a path, likely retry or recoverying but at this time unconfirmed, by which the password masking can be set as the password. This expressly checks for the value having been masked and refuses to change the password to that value. This is a very focused change to address specifically the observed behaviour as the implications of a revert or moving the code to other units are not understood at this time. Issue was introduced in 3c5cd51 (cherry picked from commit 5184475)
vmware · Jul 3, 2018 · ad7eb5f · ad7eb5f
1 parent 7ce70c6
commit ad7eb5f
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/installer/build/scripts/systemd/scripts/vic-appliance-environment.sh b/installer/build/scripts/systemd/scripts/vic-appliance-environment.sh
@@ -14,6 +14,8 @@
 # limitations under the License.
 set -euf -o pipefail
 
+declare -r mask="*******"
+
 umask 077
 
 ENV_FILE="/etc/vmware/environment"
@@ -53,7 +55,13 @@ function detectHostname() {
 
 function firstboot() {
   set +e
-  echo "root:$(ovfenv --key appliance.root_pwd)" | chpasswd
+  local tmp
+  tmp="$(ovfenv --key appliance.root_pwd)"
+  if [[ "$tmp" == "$mask" ]]; then
+    return
+  fi
+
+  echo "root:$tmp" | chpasswd
   # Reset password expiration to 90 days by default
   chage -d $(date +"%Y-%m-%d") -m 0 -M 90 root
   set -e
@@ -62,8 +70,8 @@ function firstboot() {
 function clearPrivate() {
   # We then obscure the root password, if the VM is reconfigured with another
   # password after deployment, we don't act on it and keep obscuring it.
-  if [[ $(ovfenv --key appliance.root_pwd) != '*******' ]]; then
-    ovfenv --key appliance.root_pwd --set '*******'
+  if [[ "$(ovfenv --key appliance.root_pwd)" != "$mask" ]]; then
+    ovfenv --key appliance.root_pwd --set "$mask"
   fi
 }