Re: Re: How can I add a user for openbmc and remove the default root user?
Joseph Reynolds
jrey at linux.ibm.com
Thu Jan 2 14:16:02 AEDT 2020
On 12/19/19 3:09 AM, Thomaiyar, Richard Marian wrote:
>
> On 12/19/2019 12:06 PM, Joseph Reynolds wrote:
>> On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
>>> Hi Gunnar,
>>>
>>> Yes root user can't be deleted (basically uid 0), can't be deleted.
>>> The method works for other users only, like in case Liu, he wants to
>>> delete the newly created user.
>>
>> FWIW, I am interested in moving the OpenBMC project away from having
>> root login access enabled by default, and specifically disabling SSH
>> access in general, and root access to the BMC's shell. I also want
>> to have a secure way to re-enable this when needed. See
>> https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
>> you have any ideas on this topic.
>>
> Currently you will be. Remove debug-tweaks & allow-root-login from
> IMAGE_FEATURES, then the build will make sure that root user looses
> group permissions, and OpenBMC is with no user accounts. Any new user
> accounts must be created from Host interface through IPMI interface
> (that's the logic we currently have).
>
> Note:
>
> 1. This will not remove the root user (uid 0, which is needed as you
> mentioned below), but will not have any password (In order to remove
> the password in the OpenBMC it needs one line change to remove usermod
> in phosphor-defaults.inc & the /etc/ipmi_pass file, currently we have
> a patch in the down-stream for the same, as community still needs root
> user account, but OpenBMC has been updated to remove root user from
> Admin & other group privileges, when debug-tweaks / allow-root-logins
> are not defined.
Nice! Thank you for referencing that (I missed that review). It seems
to me that phosphor-defaults.inc should set the root user password only
when IMAGE_FEATURES includes allow-root-login, and otherwise not allow
login. My bitbake is weak, but something like this:
# Set the root password to '0penBmc' if IMAGE_FEATURES contains
allow-root-login,
# otherwise use "!" so root cannot login.
EXTRA_USERS_PARAMS_pn-obmc-phosphor-image = " \
usermod -p \
${@bb.utils.contains("IMAGE_FEATURES", 'allow-root-login', "", "!", d}\
'\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
"
(except use correct bitbake syntax).
BTW, we ought to update the [password hash algorithm][], currently
$1$=MD5 to $5$=SHA-256 or $6$=SHA-512.
[password hash algorithm]: https://en.wikipedia.org/wiki/Passwd
>
>>
>> I had understood the original question in this email thread as a
>> request to "disable root access" so "root cannot login". (Note that
>> one consequence of disabling root login is that once you remove root
>> access, it is hard to get back. You'll have to use the sudo comand
>> or su command from another user account, and I don't think sudo is
>> present on OpenBMC systems.)
>>
>> I understand that deleting the root user is not advisable because the
>> system will break. Instead the alternative is to disable access to
>> the root account, for example, by doing one of:
>> - Change root's login shell to /sbin/nologin
>> - Change the root password to empty or lock the root password
>> - Change Linux-PAM to deny root account access
>> - Expire the root account (chage -E0 root)
>>
>> Any idea which approach works best for OpenBMC?
>
> If you have removed the password, then it can't be used. But if you
> need to enable it for debug or on special use case, then it requires a
> method to set a password. We enable setting the root
> password using Set special user password OEM Command
> (https://github.com/openbmc/intel-ipmi-oem/blob/master/src/oemcommands.cpp#L1130).
>
> Let me know your thoughts, As i see a decision can be made, i think we
> can write a document (with community feedback), and move to a common
> solution.
That sounds right to me. I think various OpenBMC users have these use
cases:
Use case 1: remove root access by default
We share the use case of removing root access by default which we can do
by removing 'allow-root-login' from IMAGE_FEATURES.
I would like to see the OpenBMC project should move toward this as the
default. That bring me to use case 2...
Use case 2: have a way to re-enable root access
We also need a way to re-enable root access to the BMC's shell. I
suggest we design a phosphor D-Bus API as the common way to enable and
disable root login access.
I see divergent use cases for root shell access. OpenBMC developers
will continue to need root login (for example, SSH to the BMC using
default root credentials) on a regular basis. They will also need that
access when they are called upon to debug systems currently running a
workload.
However, users with sensitive data on their host system will want to
lock out the root user, all SSH access, and especially root SSH access
because of the additional capabilities root has compared with regular
Administrator users and because of the difficulty in monitoring and
auditing shell commands. Specifically, I think root login access and
SSH access must both be addressed. In my opinion, if we give any users
SSH access to the BMC shell, it is too easy for them to escalate that
privilege to root, so we should have a way to lock out SSH access.
The solution you presented is an IPMI OEM command. Another idea is a
Phosphor REST or Redfish API to control these items (root login and SSH
server capability), and limit that to the BMC Administrator role. Those
APIs would use the D-Bus API as the underlying implementation.
I think OpenBMC needs an easy way to re-enable root access before we can
remove root access.
Use case 3: create an admin user by default
A related topic is the use cases for the "genesis experience", that is,
the first time a BMC admin uses their newly-installed BMC. The options
include:
A. The BMC has no default users. When needed, they are created via
unauthenticated host access.
B. The BMC has no default users. An Administrator account is created by
the initial user to access the system. This would make OpenBMC behave
like other operating systems (such as Ubuntu) and devices.
C. The BMC has a user with username=admin and role=Administrator and a
default password. This is close to what OpenBMC has now and what I
would propose for the project default. (Naturally, we would add
'no-admin-user' to IMAGE_FEATURES for use cases that do not want this user.)
The options above all assume the current genesis & provisioning
experience. It would be possible to provision the BMC with its firmware
image, custom user access credentials, an IP address, etc., before
powering on the BMC for the first time. I would like to explore the
possibilities in that space, but the remainder of this note assumes the
traditional genesis experience described in the options above.
In any case, the admin user will have a way to gain root login access
for themselves and to lock out root access by non-admin users.
I think OpenBMC needs to document how to access and provision the BMC,
including details such as how to login as root and how to lock out root
access.
___
As usual, I've written too much. I would be happy to hear your ideas,
review your solution, and help where I can.
- Joseph
TL;DR: More ramblings for the use cases above: Have a way for a BMC
Administrator to gain root access to the BMC shell.
What is the use case to allow a non-root user to use the BMC shell (via
SSH or other access)? What will that let them do? I think you need to
have sudo access for commands like journalctl and systemctl, or to
invoke D-Bus APIs. I mean I think what you can do with the BMC's shell
is extremely limited without sudo access. Are we thinking we should set
up sudo?
If we have sudo access (so I can, for example: `ssh admin1@${bmc_ip}
sudo`) then why would I need to login as root. Would root login be
needed? I think we can do without root logins, but we would need to get
sudo working...and havde a way to control when sudo is enabled. (In
other words, I don't have good idea how to handle this.)
Note: Per the [phosphor user management group roles][], should the
[access via SSH][] be changed to the "ssh" group? It is currently
restricted to the priv-admin group.
[phosphor user management group roles]:
https://github.com/openbmc/docs/blob/master/architecture/user_management.md#supported-group-roles
[Access via SSH]:
https://github.com/openbmc/openbmc/blob/adb78181f2183a3b0aa016cfd5d754710b828f30/meta-phosphor/recipes-core/dropbear/dropbear/dropbear.default
>
>>
>> - Joseph
>>
>>>
>>> Regards,
>>>
>>> Richard
>>>
>>>
>>> On 12/18/2019 2:38 AM, Gunnar Mills wrote:
>>>>
>>>> On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>>>>>
>>>>> Delete interface is exposed as part of the user object itself.
>>>>> Sample busctl command to do the delete of an user under
>>>>> phosphor-user-manager
>>>>>
>>>>> busctl call xyz.openbmc_project.User.Manager
>>>>> /xyz/openbmc_project/user/<username>
>>>>> xyz.openbmc_project.Object.Delete Delete
>>>>>
>>>>>
>>>>
>>>> I am missing something here.. This does not work for me. I didn't
>>>> think we allowed removing the root user, which is why it is
>>>> disabled on the WebUI? If we do allow deleting the root user,
>>>> should this be allowed from the WebUI?
>>>>
>>>> When sshed as root:
>>>> busctl call xyz.openbmc_project.User.Manager
>>>> /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete
>>>> Delete
>>>> Call failed: The operation failed internally.
>>>>
>>>> In the journal I see
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root
>>>> is currently used by process 1
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation
>>>> failed internally.
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation
>>>> failed internally.
>>>>
>>>>
>>>> When sshed as an "Administrator" role account, with the same call:
>>>> Call failed: Access denied
>>>>
>>>> NOTE: As an "Administrator" role I can't delete a user using
>>>> "busctl call" only from the Redfish/WebUI, am I able to.
>>>>
>>>> Thanks!
>>>> Gunnar
>> Regards,
> Richard
More information about the openbmc
mailing list