[PATCH v2 00/13] User support and client permissions

Samuel Mendoza-Jonas sam at mendozajonas.com
Mon Dec 3 16:23:22 AEDT 2018


On Wed, 2018-11-28 at 15:19 +1100, Samuel Mendoza-Jonas wrote:
> There has been interest in having methods to "lock down" Petitboot for a
> while now (existing changes like restricting access to the shell,
> requested features such as adding a big "Password" screen before being
> able to do anything), and this makes a big jump in that direction as
> part of the overall journey to trusted/secure boot.
> 
> Rather than rely on implementing a bunch of password checks in ncurses
> and keeping the user from getting shell access this instead leans on
> having Linux do it for us for the most part by running all user facing
> parts of Petitboot as an unprivileged user, with only pb-discover and
> its utilities running with root permissions. Assuming the environment
> has been set up correctly this means that when a user drops to the shell
> they are completely unprivileged unless they know the root password.
> 
> Since non-root users can't init, mount, or kexec anything, all normal
> actions must be done via pb-discover. Unless the user authorises with
> pb-discover (handled by a new nc-auth subscreen) they are restricted to
> a subset of actions that don't affect the configuration or default boot
> option of the system.
> For platform-powerpc, clients are restricted by default if we find a
> "petitboot,password" value in NVRAM which is a hash of the password to
> be used as the root password. Users can also set a password which will
> be hashed and stored in NVRAM. In the future this could be something we
> do with a TPM but as a first step this should be sufficient as NVRAM is
> only accessible by root anyway.
> 
> Along the way we also pick up some fixes that make using the shell a
> little nicer such as actual job control finally.
> Thoughts, comments, and criticisms welcome, I'm sure I've stared at this
> for too long and forgotten something. Note also that this depends on
> proper user accounts being configured by Buildroot, for example.
> 
> Changes in v2:
> lib/crypt: Don't set hashes for blank passwords, don't overwrite /etc/shadow
> discover/discover-server: Cleanup auth_waiter on expiry and client exit
> ui/ncurses/nc-auth: Hide password field input

This has been solid under testing, so let's go ahead and merge it as
87017f0

> 
> Samuel Mendoza-Jonas (13):
>   utils/pb-console: Support agetty's autologin option
>   utils/pb-sos: Don't create files in root by default
>   utils/pb-console: Set up controlling terminal
>   utils/pb-console: Ignore SIGINT
>   lib/crypt: Add helpers for operating on /etc/shadow
>   lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATE
>   discover/discover-server: Restrict clients based on uid
>   discover/device-handler: Prevent normal users changing boot target
>   discover/platform-powerpc: Read and write password hash from NVRAM
>   ui/ncurses: Simplify starting shell
>   ui/common: Client authentication helpers
>   ui/ncurses: Add nc-auth and authenticate when required.
>   ui/ncurses: Keep track of the default boot option
> 
>  configure.ac                  |  22 +++
>  discover/device-handler.c     |  18 +-
>  discover/device-handler.h     |   2 +-
>  discover/discover-server.c    | 247 +++++++++++++++++++++++++++-
>  discover/discover-server.h    |   3 +
>  discover/pb-discover.c        |   3 +
>  discover/platform-powerpc.c   |  29 ++++
>  discover/platform.c           |  13 ++
>  discover/platform.h           |   4 +
>  discover/user-event.c         |   7 +-
>  lib/Makefile.am               |   9 +
>  lib/crypt/crypt.c             | 217 ++++++++++++++++++++++++
>  lib/crypt/crypt.h             |  49 ++++++
>  lib/param_list/param_list.c   |   1 +
>  lib/pb-protocol/pb-protocol.c |  94 +++++++++++
>  lib/pb-protocol/pb-protocol.h |  26 +++
>  lib/types/types.h             |   1 +
>  ui/common/discover-client.c   |  81 +++++++++
>  ui/common/discover-client.h   |  12 ++
>  ui/ncurses/Makefile.am        |   4 +-
>  ui/ncurses/nc-add-url.c       |  63 ++++---
>  ui/ncurses/nc-auth.c          | 299 ++++++++++++++++++++++++++++++++++
>  ui/ncurses/nc-auth.h          |  33 ++++
>  ui/ncurses/nc-config.c        |  64 ++++++--
>  ui/ncurses/nc-cui.c           | 204 ++++++++++++++++++++---
>  ui/ncurses/nc-cui.h           |   6 +
>  ui/ncurses/nc-lang.c          | 127 ++++++++++-----
>  ui/ncurses/nc-plugin.c        |  44 ++---
>  ui/ncurses/nc-plugin.h        |   2 -
>  ui/ncurses/nc-scr.h           |   1 +
>  ui/ncurses/nc-widgets.c       |  12 +-
>  ui/ncurses/nc-widgets.h       |   3 +
>  utils/pb-console              |  18 +-
>  utils/pb-sos                  |  13 +-
>  34 files changed, 1593 insertions(+), 138 deletions(-)
>  create mode 100644 lib/crypt/crypt.c
>  create mode 100644 lib/crypt/crypt.h
>  create mode 100644 ui/ncurses/nc-auth.c
>  create mode 100644 ui/ncurses/nc-auth.h
> 

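The permission model the cover letter describes (pb-discover as the only privileged process, clients trusted by uid, non-root clients confined to a harmless subset of actions until they authenticate, and a password hash that is only stored when the password is non-blank) can be sketched as a small standalone model. The following is an added Python example written for this page; it is not Petitboot's code, the action names, the PBKDF2-based hash string and the `DiscoverServer`/`Client` classes are assumptions for illustration, and the uid is passed in directly rather than read from socket peer credentials.

```python
"""Model of the uid-based client restriction and authenticate action described
in the cover letter. All names and the hash format are assumptions for this
example, not Petitboot's own."""

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed action names for this model; Petitboot's real protocol actions differ.
UNPRIVILEGED_ACTIONS = frozenset({"device_query", "boot_status", "authenticate"})
PRIVILEGED_ACTIONS = frozenset({"boot", "config", "reinit", "set_password"})

PBKDF2_ITERATIONS = 200_000   # assumed work factor; not Petitboot's hash scheme


def hash_password(password: str, salt: Optional[bytes] = None) -> Optional[str]:
    """Salted PBKDF2-SHA256 hash as a string, or None for a blank password
    (mirrors the v2 change: blank passwords never produce a stored hash)."""
    if password == "":
        return None
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: Optional[str]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if stored is None:
        return False        # nothing configured, so there is nothing to match
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Client:
    uid: int                    # peer uid, as the server would learn it from the socket
    authenticated: bool = False


@dataclass
class DiscoverServer:
    # Stands in for the "petitboot,password" NVRAM value; None means no password set.
    password_hash: Optional[str] = None

    @property
    def restricted(self) -> bool:
        """Clients are restricted by default only when a password hash exists."""
        return self.password_hash is not None

    def allowed(self, client: Client, action: str) -> bool:
        """Root and authenticated clients may do anything; others only the safe subset."""
        if client.uid == 0 or client.authenticated or not self.restricted:
            return True
        return action in UNPRIVILEGED_ACTIONS

    def handle(self, client: Client, action: str,
               arg: Optional[str] = None) -> Tuple[bool, str]:
        """Process one client request and report whether it was carried out."""
        if action not in UNPRIVILEGED_ACTIONS | PRIVILEGED_ACTIONS:
            return False, "unknown action"
        if action == "authenticate":
            client.authenticated = verify_password(arg or "", self.password_hash)
            return client.authenticated, ("authenticated" if client.authenticated
                                          else "authentication failed")
        if not self.allowed(client, action):
            return False, "permission denied"
        if action == "set_password":
            # Blank password clears the hash, which also lifts the restriction.
            self.password_hash = hash_password(arg or "")
            return True, ("password updated" if self.password_hash else "password cleared")
        return True, action + " performed"


if __name__ == "__main__":
    server = DiscoverServer(password_hash=hash_password("hunter2"))  # constructed
    user = Client(uid=1000)
    for request in (("boot_status", None), ("boot", None),
                    ("authenticate", "wrong"), ("authenticate", "hunter2"), ("boot", None)):
        print(request[0], server.handle(user, *request))
```

The point worth noting in the model is that restriction is decided by the server from the client's uid and the presence of a stored hash, not by anything the UI process claims about itself; that is what makes the design hold up when a user drops to an unprivileged shell.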