Re: Re: How can I add a user for openbmc and remove the default root user?

Joseph Reynolds jrey at linux.ibm.com
Thu Dec 19 17:36:28 AEDT 2019


On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
> Hi Gunnar,
>
> Yes, the root user (basically uid 0) can't be deleted. 
> The method works for other users only, like in Liu's case: he wants to 
> delete the newly created user.

FWIW, I am interested in moving the OpenBMC project away from having 
root login access enabled by default, and specifically disabling SSH 
access in general, and root access to the BMC's shell.  I also want to 
have a secure way to re-enable this when needed.  See 
https://github.com/ibm-openbmc/dev/issues/1528   Please let me know if 
you have any ideas on this topic.


I had understood the original question in this email thread as a request 
to "disable root access" so "root cannot login".  (Note that one 
consequence of disabling root login is that once you remove root access, 
it is hard to get back.  You'll have to use the sudo command or su 
command from another user account, and I don't think sudo is present on 
OpenBMC systems.)

I understand that deleting the root user is not advisable because the 
system will break.  Instead the alternative is to disable access to the 
root account, for example, by doing one of:
- Change root's login shell to /sbin/nologin
- Change the root password to empty or lock the root password
- Change Linux-PAM to deny root account access
- Expire the root account (chage -E0 root)

Any idea which approach works best for OpenBMC?

- Joseph

>
> Regards,
>
> Richard
>
>
> On 12/18/2019 2:38 AM, Gunnar Mills wrote:
>>
>> On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>>>
>>> The Delete interface is exposed as part of the user object itself. 
>>> Sample busctl command to delete a user under 
>>> phosphor-user-manager
>>>
>>> busctl call xyz.openbmc_project.User.Manager 
>>> /xyz/openbmc_project/user/<username> 
>>> xyz.openbmc_project.Object.Delete Delete
>>>
>>>
>>
>> I am missing something here.. This does not work for me. I didn't 
>> think we allowed removing the root user, which is why it is disabled 
>> on the WebUI? If we do allow deleting the root user, should this be 
>> allowed from the WebUI?
>>
>> When sshed as root:
>> busctl call xyz.openbmc_project.User.Manager 
>> /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete Delete
>> Call failed: The operation failed internally.
>>
>> In the journal I see
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root is 
>> currently used by process 1
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed 
>> internally.
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed 
>> internally.
>>
>>
>> When sshed as an "Administrator" role account,  with the same call:
>> Call failed: Access denied
>>
>> NOTE: As an "Administrator" role I can't delete a user using "busctl 
>> call"; only from the Redfish/WebUI am I able to.
>>
>> Thanks!
>> Gunnar
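
The account-level options listed in the reply above (nologin shell, locked or empty password, expired account) can be read back from the passwd(5) and shadow(5) fields for root. The shell functions below are an added example, not code from this thread or from the OpenBMC project; the function names and sample entries are constructed, and the Linux-PAM option is not covered because it depends on the PAM configuration in use.

```shell
#!/bin/sh
# Added example: report which root-disabling options are in effect,
# reading passwd(5) / shadow(5) formatted text on stdin.

# Print root's login shell (passwd field 7).
root_shell() { awk -F: '$1 == "root" { print $7 }'; }

# Classify root's password field (shadow field 2).
#   empty  : no password set (whether login is accepted depends on PAM nullok)
#   locked : field starts with "!" or "*", so no password can match
#   set    : a password hash is present
root_password_state() {
    awk -F: '$1 == "root" {
        if ($2 == "") print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else print "set"
    }'
}

# Check root's account expiry (shadow field 8, days since 1970-01-01).
# "chage -E0 root" writes 0 into this field.
root_expiry_state() {
    today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" '$1 == "root" {
        if ($8 != "" && $8 + 0 <= today) print "expired"; else print "active"
    }'
}

# $1 = passwd text, $2 = shadow text
report_root_access() {
    shell=$(printf '%s\n' "$1" | root_shell)
    case "$shell" in
        */nologin|*/false) echo "shell: disabled ($shell)" ;;
        *) echo "shell: interactive ($shell)" ;;
    esac
    echo "password: $(printf '%s\n' "$2" | root_password_state)"
    echo "account: $(printf '%s\n' "$2" | root_expiry_state)"
}

# Constructed sample entries (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/home/root:/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/sh'
SAMPLE_SHADOW='root:!$6$constructed$hash:18249:0:99999:7::0:
admin:$6$constructed$hash:18249:0:99999:7:::'

report_root_access "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a live system the same functions can be fed from /etc/passwd and /etc/shadow (the latter needs root to read).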


