User-manager default group roles

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Wed Nov 18 04:21:49 AEDT 2020


Hi Joseph,

For SSH to work fine, the user must be part of priv-admin and must have 
the shell set to /bin/sh in the /etc/passwd file instead of /bin/nologin. 
Note: there is no direct group called ssh in /etc/group; instead it is 
just an emulated one from phosphor-user-manager that adds the 
corresponding shell binary to the user.
usermod --shell /bin/sh -G priv-admin ${USER}

If the requirement is for SSH to be allowed based on group and for all 
user privileges, then the user shell can be updated using usermod --shell 
/bin/sh itself, but EXTRA_ARGS needs to be removed from dropbear.default:
<https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear/dropbear.default>

Regards,

Richard

On 11/17/2020 3:49 AM, Joseph Reynolds wrote:
>
> What is the right way to assign default phosphor-user-manager "group 
> roles" to dynamically created users?
>
> Background: Currently, when a new local user is created via Redfish 
> API POST /redfish/v1/AccountService/Accounts you have to specify a 
> Redfish RoleId.  BMCWeb maps the RoleId to a phosphor user manager 
> "Privilege Role" [1] and assigns ALL of the "group roles" to the new 
> user [2].  Per [3] this is not intended, and I need to fix this for my 
> use case.
>
usermod --shell /bin/sh -G priv-admin ${USER} is the correct command 
per [3].
> IMHO, the correct approach is for the project to define a mapping from 
> "role" to "privilege role" that can be used when dynamically creating 
> a new user.  For example, the admin role maps to "ssh ipmi redfish 
> web" whereas the readonly role maps to "ipmi redfish web" (omits 
> "ssh").  Then images can customize this as needed.
>
> But where should this mapping be applied?  Does it belong in BMCWeb or 
> in phosphor-user-manager [4]?  Should we have another D-Bus property 
> [5] to give this mapping?
As of today, we are not separating user groups. All users created in 
OpenBMC belong to the build-time configured groups.
>
> - Joseph
>
> [1]: 
> https://github.com/openbmc/docs/blob/master/architecture/user-management.md
> [2]: 
> https://github.com/openbmc/bmcweb/blob/929d4b57f10bc4200e16b71fbcf32521d8cc23c1/redfish-core/lib/account_service.hpp#L1435
> [3]: https://github.com/openbmc/openbmc/issues/3643
> [4]: 
> https://github.com/openbmc/phosphor-user-manager/blob/master/user_mgr.hpp
> [5]: 
> https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/xyz/openbmc_project/User/Manager.interface.yaml
>
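An added example (not code from this thread, phosphor-user-manager or BMCWeb) showing how the role-to-"group role" mapping Joseph proposes could be turned into the usermod call Richard describes: "ssh" is not a real /etc/group entry, so it is translated into the login shell, and SSH is only granted together with priv-admin. The operator role, the priv-user group and the exact group names are assumptions.

```shell
#!/bin/sh
# Added example; the role table below is an assumption modelled on the
# thread (admin gets ssh, readonly does not).
role_to_groups() {
    case "$1" in
        admin)    echo "ssh ipmi redfish web" ;;
        operator) echo "ipmi redfish web" ;;   # assumed role
        readonly) echo "ipmi redfish web" ;;
        *)        return 1 ;;                  # unknown role: refuse
    esac
}

# Build the usermod arguments for a user: $1 role, $2 user name,
# $3 privilege group (priv-admin or the assumed priv-user).
# Prints "--shell <shell> -G <groups> <user>" without running usermod.
usermod_args() {
    role=$1; user=$2; priv=$3
    groups=$(role_to_groups "$role") || return 1

    # Per the thread, "ssh" is emulated by the shell: /bin/sh for SSH
    # users, /bin/nologin otherwise. Every other group role is a real
    # supplementary group appended after the privilege group.
    shell=/bin/nologin
    real_groups=$priv
    for g in $groups; do
        if [ "$g" = ssh ]; then
            shell=/bin/sh
        else
            real_groups="$real_groups,$g"
        fi
    done

    # SSH only works for priv-admin members, so reject a mapping that
    # would hand out a login shell to a lower privilege group.
    if [ "$shell" = /bin/sh ] && [ "$priv" != priv-admin ]; then
        return 1
    fi
    echo "--shell $shell -G $real_groups $user"
}
```

Run it on the BMC as `usermod $(usermod_args admin alice priv-admin)` once the output has been reviewed; the function never modifies the account database itself.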