Re: Re: How can I add a user for openbmc and remove the default root user?

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Thu Dec 19 20:09:40 AEDT 2019 

On 12/19/2019 12:06 PM, Joseph Reynolds wrote:
> On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
>> Hi Gunnar,
>>
>> Yes root user can't be deleted (basically uid 0), can't be deleted. 
>> The method works for other users only, like in case Liu, he wants to 
>> delete the newly created user.
>
> FWIW, I am interested in moving the OpenBMC project away from having 
> root login access enabled by default, and specifically disabling SSH 
> access in general, and root access to the BMC's shell.  I also want to 
> have a secure way to re-enable this when needed.  See 
> https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if 
> you have any ideas on this topic.
>
Currently you will be. Remove debug-tweaks & allow-root-login from 
IMAGE_FEATURES, then the build will make sure that root user looses 
group permissions, and OpenBMC is with no user accounts. Any new user 
accounts must be created from Host interface through IPMI interface 
(that's the logic we currently have).

Note:

1. This will not remove the root user (uid 0, which is needed as you 
mentioned below), but will not have any password (In order to remove the 
password in the OpenBMC it needs one line change to remove usermod in 
phosphor-defaults.inc & the /etc/ipmi_pass file, currently we have a 
patch in the down-stream for the same, as community still needs root 
user account, but OpenBMC has been updated to remove root user from 
Admin & other group privileges, when debug-tweaks / allow-root-logins 
are not defined.

>
> I had understood the original question in this email thread as a 
> request to "disable root access" so "root cannot login".  (Note that 
> one consequence of disabling root login is that once you remove root 
> access, it is hard to get back.  You'll have to use the sudo comand or 
> su command from another user account, and I don't think sudo is 
> present on OpenBMC systems.)
>
> I understand that deleting the root user is not advisable because the 
> system will break.  Instead the alternative is to disable access to 
> the root account, for example, by doing one of:
> - Change root's login shell to /sbin/nologin
> - Change the root password to empty or lock the root password
> - Change Linux-PAM to deny root account access
> - Expire the root account (chage -E0 root)
>
> Any idea which approach works best for OpenBMC?

If you have removed the password, then it can't be used. But if you need 
to enable it for debug or on special use case, then it requires a method 
to set a password. We enable setting the root

password using Set special user password OEM Command 
(https://github.com/openbmc/intel-ipmi-oem/blob/master/src/oemcommands.cpp#L1130).

Let me know your thoughts, As i see a decision can be made, i think we 
can write a document (with community feedback), and move to a common 
solution.

>
> - Joseph
>
>>
>> Regards,
>>
>> Richard
>>
>>
>> On 12/18/2019 2:38 AM, Gunnar Mills wrote:
>>>
>>> On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>>>>
>>>> Delete interface is exposed as part of the user object itself. 
>>>> Sample busctl command to do the delete of an user under 
>>>> phosphor-user-manager
>>>>
>>>> busctl call xyz.openbmc_project.User.Manager 
>>>> /xyz/openbmc_project/user/<username> 
>>>> xyz.openbmc_project.Object.Delete Delete
>>>>
>>>>
>>>
>>> I am missing something here.. This does not work for me. I didn't 
>>> think we allowed removing the root user, which is why it is disabled 
>>> on the WebUI? If we do allow deleting the root user, should this be 
>>> allowed from the WebUI?
>>>
>>> When sshed as root:
>>> busctl call xyz.openbmc_project.User.Manager 
>>> /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete Delete
>>> Call failed: The operation failed internally.
>>>
>>> In the journal I see
>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root 
>>> is currently used by process 1
>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed 
>>> internally.
>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed 
>>> internally.
>>>
>>>
>>> When sshed as an "Administrator" role account,  with the same call:
>>> Call failed: Access denied
>>>
>>> NOTE: As an "Administrator" role I can't delete a user using "busctl 
>>> call" only from the Redfish/WebUI, am I able to.
>>>
>>> Thanks!
>>> Gunnar
> Regards,
Richard

More information about the openbmc mailing list