Generate random passwords for Kickstart's rootpw section

evgenyz · evgenyz · commit 2198eef2d45b · 2024-08-08T18:13:48.000+02:00
While the password is pseudo-random it is still better than
accidentally having a server with 'changeme' password.
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1776,17 +1776,21 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 	oscap_iterator_free(rules_to_fix_it);
 
 	_write_text_to_fd(output_fd, "\n");
-	const char *common = (
+	const char *common_template = (
 		"# Default values for automated installation\n"
 		"lang en_US.UTF-8\n"
 		"keyboard --vckeymap us\n"
 		"timezone --utc America/New_York\n"
 		"\n"
 		"# Root password is required for system rescue tasks\n"
-		"rootpw changeme\n"
+		"rootpw %s\n"
 		"\n"
 	);
+	char *password = oscap_generate_random_string(24, NULL);
+	char *common = oscap_sprintf(common_template, password);
 	_write_text_to_fd(output_fd, common);
+	free(password);
+	free(common);
 
 	_generate_kickstart_pre(&cmds, output_fd);
 
diff --git a/src/common/util.c b/src/common/util.c
@@ -25,6 +25,7 @@
 #include <config.h>
 #endif
 
+#include <time.h>
 #include <fcntl.h>
 #include <string.h>
 #include <ctype.h>
@@ -50,6 +51,24 @@
 
 #define PATH_SEPARATOR '/'
 
+char *oscap_generate_random_string(size_t len, char *charset)
+{
+	char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	char *res = NULL;
+	charset = (charset != NULL && strlen(charset) > 0) ? charset : default_charset;
+	size_t charset_len = strlen(charset);
+	if (len > 0) {
+		srand(time(NULL));
+		res = malloc(len+1);
+		res[len] = 0;
+		while (len-- > 0) {
+			size_t index = (double) rand() / RAND_MAX * (charset_len-1);
+			res[len] = charset[index];
+		}
+	}
+	return res;
+}
+
 int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
 {
 	__attribute__nonnull__(map);
diff --git a/src/common/util.h b/src/common/util.h
@@ -384,6 +384,18 @@ char *oscap_trim(char *str);
 /// Print to a newly allocated string using a va_list.
 char *oscap_vsprintf(const char *fmt, va_list ap);
 
+/**
+ * Generates a pseudorandom string of a given length.
+ * If charset string is not NULL and its length is greater than 0,
+ * it will be used as a dictionary, otherwise a default alphanumeric set
+ * will be the base for the generated string.
+ * Caller is responsible for freeing the returned string.
+ * @param len desired string length (must be greater than 0)
+ * @param charset a dictionary string, could be NULL
+ * @return A random string of desired length.
+ */
+char *oscap_generate_random_string(size_t len, char *charset);
+
 /**
  * Join 2 paths in an intelligent way.
  * Both paths are allowed to be NULL.
diff --git a/tests/API/XCCDF/unittests/test_remediation_kickstart.sh b/tests/API/XCCDF/unittests/test_remediation_kickstart.sh
@@ -10,11 +10,13 @@ function test_normal {
     kickstart_modified=$(mktemp)
 
     sed "/This file was generated by OpenSCAP .* using:/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
+    sed "/rootpw .*/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
     sed -i "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$expected_modified"
 
     $OSCAP xccdf generate fix --fix-type kickstart --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml"
 
     sed "/This file was generated by OpenSCAP .* using:/d" "$kickstart" > "$kickstart_modified"
+    sed "/rootpw .*/d" "$kickstart" > "$kickstart_modified"
 
     diff -u "$expected_modified" "$kickstart_modified"
 
