Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #285 from naturallaw777/copilot/fix-legacy-migration-flow

Browse Source 
Fix legacy migration flow: defer chpasswd to password-acknowledge
This commit is contained in:
Sovran Systems
2026-04-29 20:45:20 -05:00
committed by GitHub
parent 281b08dcd4 b5715e05c6
commit c1c0827604
2 changed files with 37 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/sovran_systemsos_web/server.py
+37 -1
View File
@@ -2019,13 +2019,49 @@ async def api_migration_password_status():
@app.post("/api/migration/password-acknowledge") @app.post("/api/migration/password-acknowledge")
async def api_migration_password_acknowledge(): async def api_migration_password_acknowledge():
"""Acknowledge and clear the migration password disclosure marker.""" """Acknowledge the migration password and update /etc/shadow to match."""
# Read the new password before deleting the file
new_password = None
try:
with open(MIGRATION_NEWPASS_FILE, "r") as f:
new_password = f.read().strip()
except FileNotFoundError:
pass
except OSError as exc:
raise HTTPException(status_code=500, detail=f"Could not read migration password: {exc}")
# Update /etc/shadow so GDM accepts the new password going forward
if new_password:
chpasswd_bin = (
shutil.which("chpasswd")
or ("/run/current-system/sw/bin/chpasswd"
if os.path.isfile("/run/current-system/sw/bin/chpasswd") else None)
)
if chpasswd_bin:
try:
result = subprocess.run(
[chpasswd_bin],
input=f"free:{new_password}",
capture_output=True,
text=True,
)
if result.returncode != 0:
logger.warning(
"chpasswd failed during migration acknowledge (rc=%d): %s",
result.returncode,
(result.stderr or result.stdout).strip(),
)
except Exception as exc:
logger.warning("chpasswd exception during migration acknowledge: %s", exc)
# Clear the pending marker
try: try:
os.remove(MIGRATION_NEWPASS_FILE) os.remove(MIGRATION_NEWPASS_FILE)
except FileNotFoundError: except FileNotFoundError:
pass pass
except OSError as exc: except OSError as exc:
raise HTTPException(status_code=500, detail=f"Could not clear migration password: {exc}") raise HTTPException(status_code=500, detail=f"Could not clear migration password: {exc}")
return {"ok": True} return {"ok": True}
modules/credentials.nix
-1
View File
@@ -226,7 +226,6 @@ in
printf '%s\n' "$FREE_PASS" > "$SECRET_FILE" printf '%s\n' "$FREE_PASS" > "$SECRET_FILE"
chmod 600 "$SECRET_FILE" chmod 600 "$SECRET_FILE"
printf 'free:%s\n' "$FREE_PASS" | chpasswd
printf '%s\n' "$FREE_PASS" > "$NEWPASS_FILE" printf '%s\n' "$FREE_PASS" > "$NEWPASS_FILE"
chmod 600 "$NEWPASS_FILE" chmod 600 "$NEWPASS_FILE"