Makefile: add fix for CVE-2019-5021

The previous instances of the docker image allowed for passwordless root login. Update the default shadow setting so the root account to disallow this.

Makefile: add fix for CVE-2019-5021
The previous instances of the docker image allowed for passwordless root login. Update the default shadow setting so the root account to disallow this.
19fb8aeb · Santiago Torres-Arias · b274212c · 19fb8aeb
Unverified Commit 19fb8aeb authored Oct 06, 2019 by Santiago Torres-Arias
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,10 @@ rootfs: hooks
 		--noscriptlet \
 		--hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages)
 	cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
+	
+	# remove passwordless login for root (see CVE-2019-5021 for reference)
+	sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
+
 	tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
 	rm -rf $(BUILDDIR) alpm-hooks