Fwd: Reg libpam from yocto - destination folder
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Thu Aug 30 03:04:12 AEST 2018
After further investigation, I am aligning with this implementation, and
want to make sure that the community is OK with this approach. Let me know
the community's comments; otherwise I will go ahead and make the changes for the same.
1. We can move all the pam modules from /lib/security to
/usr/lib/security (i.e. from initramfs to rofs). This way, the size
issue is going to be resolved (hoping that rofs has some space to
include these).
2. The catch will be that if rofs can't be mounted, then user account
authentication can't be performed, as all the pam authentication modules are
in rofs. (In production systems this should be fine, at least from a
security point of view), but I want to make sure that we are OK with debug
images too (or the pam configuration files have to be updated accordingly and
reloaded).
Note: Today we enable OpenBMC as the password in the initramfs /etc/passwd file
itself (instead of rwfs, i.e. obmc-phosphor-image). I feel that this is
wrong, as this can be used as a hack to corrupt rwfs, log in to the Linux
shell and recover the same by using OpenBMC as the password (even though the
user has updated this root password to a different one, as the update
happens in rwfs and not in initramfs). I will roll out a fix to add the root
password only to obmc-phosphor-image (/etc/shadow) and not in
initramfs (/etc/shadow). Let me know if it is not needed.
Regards,
Richard
On 8/20/2018 11:54 PM, Thomaiyar, Richard Marian wrote:
>
> Hi Brad / Vernon,
>
> Regarding
> https://gerrit.openbmc-project.xyz/#/c/openbmc/openbmc/+/11497/
> (extending from yocto to recipe-core (to add a few more pam modules),
> which is why it is getting added by default in /lib/security, which is
> part of initramfs).
>
> Currently this breaks palmetto, zaius & romulus. Not sure what the
> direction should be in order to fix the build failure (whether to clean / steal
> from rw fs?).
>
> In today's call, there was a question about why it has to be in
> initramfs and not in rofs; the reasons are the following, and it can be
> changed in a different way if it is not required:
>
> i.e. if rofs is not mapped / there is any problem with it, we still need to allow
> the root user login, which requires pam_unix.so in initramfs itself,
> i.e. under /lib/security.
>
> If the above requirement is not needed, then the same can be pulled and
> installed under /usr/lib/security (which will be in rofs instead of
> initramfs).
>
> Let me know your thoughts.
>
> regards,
>
> Richard
>
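The two checks the thread turns on (does the initramfs carry its own usable root hash that a rwfs change would not touch, and which PAM modules disappear when only the initramfs directory is reachable because rofs did not mount) can be run against an unpacked image tree. The script below is an added example for this thread, not OpenBMC's or Yocto's own tooling; the directory names lib/security (initramfs side) and usr/lib/security (rofs side), the constructed demo tree, its pam.d lines and its placeholder hash are all assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper for the layering question in the thread above. This is
# constructed example code, not OpenBMC's or Yocto's own tooling. It walks an
# unpacked image tree and checks (a) whether /etc/passwd or /etc/shadow in
# that tree carries a usable root password hash, so a hash baked into the
# initramfs is spotted, and (b) which PAM modules referenced from /etc/pam.d
# are absent from the module directories you name (lib/security for the
# initramfs side, usr/lib/security for the rofs side). Paths, file contents
# and the hash string in the demo tree are assumptions for illustration only.

# root_has_password TREE
# Returns 0 if root has a real hash in TREE/etc/shadow or TREE/etc/passwd,
# 1 if every root entry is locked or deferred ("x", "*", "!..." or empty).
root_has_password() {
    tree=$1
    for f in "$tree/etc/shadow" "$tree/etc/passwd"; do
        [ -f "$f" ] || continue
        entry=$(awk -F: '$1 == "root" { print $2; exit }' "$f")
        case "$entry" in
            ''|x|'*'|'!'*) ;;      # no usable password in this file
            *) return 0 ;;         # a hash is present: password login works
        esac
    done
    return 1
}

# pam_modules_referenced TREE
# Prints the distinct pam_*.so names used by TREE/etc/pam.d/* (comments stripped).
pam_modules_referenced() {
    tree=$1
    [ -d "$tree/etc/pam.d" ] || return 0
    sed 's/#.*//' "$tree/etc/pam.d"/* \
        | grep -o 'pam_[A-Za-z0-9_]*\.so' \
        | sort -u
}

# pam_modules_missing TREE DIR...
# Prints each referenced module not found in any DIR (relative to TREE).
# Pass only the initramfs directory to see what breaks when rofs is not
# mounted; add the rofs directory to see the full picture.
pam_modules_missing() {
    tree=$1
    shift
    for mod in $(pam_modules_referenced "$tree"); do
        found=0
        for d in "$@"; do
            if [ -f "$tree/$d/$mod" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || echo "$mod"
    done
    return 0
}

# make_demo_tree DIR
# Builds a constructed tree mirroring the situation described in the mail:
# a root hash in the tree's own /etc/shadow, pam_unix.so under lib/security
# (initramfs side) and a second module only under usr/lib/security (rofs
# side). The hash is a placeholder string, not a real password hash.
make_demo_tree() {
    dir=$1
    mkdir -p "$dir/etc/pam.d" "$dir/lib/security" "$dir/usr/lib/security"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/etc/passwd"
    printf 'root:$6$saltsalt$PLACEHOLDERHASH:17000:0:99999:7:::\n' > "$dir/etc/shadow"
    printf 'auth    required   pam_unix.so nullok\n' > "$dir/etc/pam.d/common-auth"
    printf 'auth    required   pam_tally2.so onerr=fail\n' >> "$dir/etc/pam.d/common-auth"
    : > "$dir/lib/security/pam_unix.so"
    : > "$dir/usr/lib/security/pam_tally2.so"
}

# Usage: sh audit-pam-layout.sh --demo   (constructed tree)
#        sh audit-pam-layout.sh TREE     (an unpacked image tree)
if [ "$#" -ge 1 ]; then
    tree=$1
    if [ "$tree" = "--demo" ]; then
        tree=$(mktemp -d)
        make_demo_tree "$tree"
    fi
    if root_has_password "$tree"; then
        echo "root: usable password hash present in $tree"
    else
        echo "root: no usable password hash in $tree"
    fi
    echo "missing with only the initramfs dir (lib/security) reachable:"
    pam_modules_missing "$tree" lib/security
    echo "missing with the rofs dir (usr/lib/security) reachable too:"
    pam_modules_missing "$tree" lib/security usr/lib/security
fi
```

Run it once per layer you unpack (the initramfs cpio and the rofs squashfs each extracted to their own directory): root_has_password on the initramfs tree is the check for the baked-in password the note above objects to, and the two pam_modules_missing calls show which modules in the pam.d stack are only reachable once rofs is mounted, which is exactly the trade-off in point 2.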