meta-phosphor: enable `allow-root-login`?

[Patrick Williams]

Hello,

Looking for opinions, especially from security minded individuals...

In many of our `local.conf.sample` files we enable "debug-tweaks" but for
production builds this is probably not a good idea.  I had it turned off on a
production build and ran into a case where we could not log in as root on SSH.
We debugged this down to missing the 'priv-admin' group for root, which is
typically enabled in `phosphor-rootfs-postcommands.bbclass` when either
"debug-tweaks" or "allow-root-login" is enabled.

I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
happen again.  Is there any reason why we wouldn't want to enable it by default
in meta-phosphor?  There isn't really full support for non-root users in the
base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
enabled by default?

I'm fine leaving this in meta-facebook, but I'm trying to prevent someone else
from having the same issue for what seems like a default case presently.

1. https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/phosphor-rootfs-postcommands.bbclass#L10

-- 
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20211230/36ca713c/attachment.sig>