Re: Re: How can I add a user for openbmc and remove the default root user?
Joseph Reynolds
jrey at linux.ibm.com
Thu Dec 19 17:36:28 AEDT 2019
On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
> Hi Gunnar,
>
> Yes root user can't be deleted (basically uid 0), can't be deleted.
> The method works for other users only, like in case Liu, he wants to
> delete the newly created user.
FWIW, I am interested in moving the OpenBMC project away from having
root login access enabled by default, and specifically disabling SSH
access in general, and root access to the BMC's shell. I also want to
have a secure way to re-enable this when needed. See
https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
you have any ideas on this topic.
I had understood the original question in this email thread as a request
to "disable root access" so "root cannot login". (Note that one
consequence of disabling root login is that once you remove root access,
it is hard to get back. You'll have to use the sudo comand or su
command from another user account, and I don't think sudo is present on
OpenBMC systems.)
I understand that deleting the root user is not advisable because the
system will break. Instead the alternative is to disable access to the
root account, for example, by doing one of:
- Change root's login shell to /sbin/nologin
- Change the root password to empty or lock the root password
- Change Linux-PAM to deny root account access
- Expire the root account (chage -E0 root)
Any idea which approach works best for OpenBMC?
- Joseph
>
> Regards,
>
> Richard
>
>
> On 12/18/2019 2:38 AM, Gunnar Mills wrote:
>>
>> On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>>>
>>> Delete interface is exposed as part of the user object itself.
>>> Sample busctl command to do the delete of an user under
>>> phosphor-user-manager
>>>
>>> busctl call xyz.openbmc_project.User.Manager
>>> /xyz/openbmc_project/user/<username>
>>> xyz.openbmc_project.Object.Delete Delete
>>>
>>>
>>
>> I am missing something here.. This does not work for me. I didn't
>> think we allowed removing the root user, which is why it is disabled
>> on the WebUI? If we do allow deleting the root user, should this be
>> allowed from the WebUI?
>>
>> When sshed as root:
>> busctl call xyz.openbmc_project.User.Manager
>> /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete Delete
>> Call failed: The operation failed internally.
>>
>> In the journal I see
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root is
>> currently used by process 1
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed
>> internally.
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed
>> internally.
>>
>>
>> When sshed as an "Administrator" role account, with the same call:
>> Call failed: Access denied
>>
>> NOTE: As an "Administrator" role I can't delete a user using "busctl
>> call" only from the Redfish/WebUI, am I able to.
>>
>> Thanks!
>> Gunnar
More information about the openbmc
mailing list