luci-base: explicitly invoke busybox applet for password change

Ensure to invoke the Busybox `passwd` applet to change the system password
in a non-interactive manner. Non-Busybox variants may not take the new
password input from stdin or use password hashes which are not supported
by musl's `crypt()` implementation by default.

Fixes: #5629
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/modules/luci-base/root/usr/libexec/rpcd/luci b/modules/luci-base/root/usr/libexec/rpcd/luci
index dccdbee900db6a111ded6929c440d90148303b20..d17a7cf40e80c57766d5cf393cbfc681c6ca3e18 100755 (executable)
--- a/modules/luci-base/root/usr/libexec/rpcd/luci
+++ b/modules/luci-base/root/usr/libexec/rpcd/luci
@@ -447,7 +447,7 @@ local methods = {
                call = function(args)
                        local util = require "luci.util"
                        return {
-                               result = (os.execute("(echo %s; sleep 1; echo %s) | passwd %s >/dev/null 2>&1" %{
+                               result = (os.execute("(echo %s; sleep 1; echo %s) | /bin/busybox passwd %s >/dev/null 2>&1" %{
                                        luci.util.shellquote(args.password),
                                        luci.util.shellquote(args.password),
                                        luci.util.shellquote(args.username)