meta-phosphor: enable `allow-root-login`?

Ed Tanous edtanous at google.com
Wed Jan 5 05:32:06 AEDT 2022


On Thu, Dec 30, 2021 at 5:52 AM Patrick Williams <patrick at stwcx.xyz> wrote:
>
> Hello,
>
> Looking for opinions, especially from security-minded individuals...
>
> In many of our `local.conf.sample` files we enable "debug-tweaks" but for
> production builds this is probably not a good idea.  I had it turned off on a
> production build and ran into a case where we could not log in as root on SSH.
> We debugged this down to missing the 'priv-admin' group for root, which is
> typically enabled in `phosphor-rootfs-postcommands.bbclass` when either
> "debug-tweaks" or "allow-root-login" is enabled.
>
> I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
> happen again.  Is there any reason why we wouldn't want to enable it by default
> in meta-phosphor?  There isn't really full support for non-root users in the
> base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
> enabled by default?

Doesn't this directly violate the principle of least privilege?  I
wouldn't expect root to be usable to outside users, given that it
gives significantly more permissions than any outside user should have
access to.  My understanding was that priv-admin was supposed to be
the privilege level for "all permissions for things that an external
user should be able to do".  Is that not working for your use case?
It'd be interesting to understand what permissions priv-admin is
missing.  I don't really think giving out root to external users is a
good idea in general.

>
> I'm fine leaving this in meta-facebook, but I'm trying to prevent someone else
> from having the same issue for what seems like a default case presently.
>
> 1. https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/phosphor-rootfs-postcommands.bbclass#L10
>
> --
> Patrick Williams
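
An added example (not part of the original thread and not OpenBMC project code): a line-level check of a build configuration and an image's /etc/group for the condition discussed above, where root's priv-admin membership follows from "debug-tweaks" or "allow-root-login". The sample files, machine name and GID are constructed, and the scan does not reproduce BitBake's full variable resolution.

```python
import re

# Features that, per the thread, make the rootfs postcommands add root to priv-admin.
ROOT_LOGIN_FEATURES = {"debug-tweaks", "allow-root-login"}

# IMAGE_FEATURES / EXTRA_IMAGE_FEATURES, optional override (":append", "_append"),
# any BitBake assignment operator, then a double-quoted value.
_ASSIGN = re.compile(
    r'^\s*(?:EXTRA_)?IMAGE_FEATURES(?P<ovr>[:_][A-Za-z0-9_:-]+)?\s*'
    r'(?:\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"(?P<val>[^"]*)"')

def root_login_features(conf_text):
    """Root-login features named in conf text (line scan, comments ignored)."""
    found = set()
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line)
        if not m or "remove" in (m.group("ovr") or ""):
            continue
        found |= ROOT_LOGIN_FEATURES & set(m.group("val").split())
    return found

def root_in_group(group_text, group="priv-admin", user="root"):
    """True if user is listed as a member of group in /etc/group text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return user in fields[3].split(",")
    return False

def audit(conf_text, group_text):
    """Summarise the build setting next to what the image actually contains."""
    feats, member = root_login_features(conf_text), root_in_group(group_text)
    if member and not feats:
        note = "root is in priv-admin but no enabling feature was found in this file"
    elif feats and not member:
        note = "feature set but root is not in priv-admin; image may be stale"
    elif member:
        note = "root login enabled via " + ", ".join(sorted(feats))
    else:
        note = "root not in priv-admin; the thread reports root SSH login fails here"
    return {"features": sorted(feats), "root_in_priv_admin": member, "note": note}

# Constructed samples (not taken from any real build).
DEV_CONF = 'MACHINE ??= "example"\nEXTRA_IMAGE_FEATURES ?= "debug-tweaks"\n'
PROD_CONF = '# EXTRA_IMAGE_FEATURES ?= "debug-tweaks"\nIMAGE_FEATURES:append = " ssh-server-dropbear"\n'
GROUP_DEV = "root:x:0:\npriv-admin:x:1000:root\n"
GROUP_PROD = "root:x:0:\npriv-admin:x:1000:\n"

if __name__ == "__main__":
    print(audit(DEV_CONF, GROUP_DEV))
    print(audit(PROD_CONF, GROUP_PROD))
```
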

