Implementing Users/Passwords in Petitboot

Samuel Mendoza-Jonas sam at
Fri Mar 16 10:40:31 AEDT 2018

(Apologies if this appears twice, I had to resend due to reasons[0])

Hi All,

In some circles there has been talk of password-protecting Petitboot to
restrict access to certain configuration options or the ability to modify disk
contents, for example.  Rather than attempt to implement this in ncurses and try
to stop the user from accessing the root shell, my intent is to have real users
in the Skiroot environment and run each petitboot-nc instance as a
non-privileged user.

A basic implementation of this is pretty straightforward:
- Create a user & group at build time that only has the ability to connect to
  the PB_SOCKET_PATH socket.
- The pb-discover server still runs as root but sets permissions on
  PB_SOCKET_PATH so that the non-privileged users can connect.
- pb-discover reads, for example, "petitboot,password" from NVRAM, which is a
  hash of the desired root password.
- pb-discover sets this as the current root password with putspent().
- Use agetty to spawn petitboot-nc instances running as this user.

In this way connected users can't do anything except communicate with the
pb-discover server to boot and change options.  I have a PoC of this that works
as expected and the patches are fairly simple, but with a few interested
parties I thought I would send out an overview that people can discuss.
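The putspent() step from the list above, as an added example that is not petitboot's code: a hypothetical helper that rewrites a shadow file with a new root hash, assuming a glibc-style <shadow.h>. It rejects a value that does not look like a crypt(3) hash (so an empty or locked field read from NVRAM never reaches the shadow file) and replaces the file atomically; the path and the sample entries are constructed for the demonstration.

```c
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not petitboot's code: copy the shadow file at `path`
 * entry by entry with fgetspent()/putspent(), replacing root's password field
 * with `hash`. The copy goes to a temp file that is renamed over the original,
 * so a crash or full disk mid-write can never leave a truncated shadow file.
 * Returns 0 on success, otherwise a negative errno. */
int set_root_hash(const char *path, const char *hash)
{
    /* Accept only a crypt(3)-style "$id$salt$hash". An empty field would let
     * root in with no password at all; "!" or "*" would lock the account. */
    if (!hash || hash[0] != '$') return -EINVAL;
    char tmp[256];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *in = fopen(path, "r");
    if (!in) return -errno;
    FILE *out = fopen(tmp, "w");
    if (!out) { fclose(in); return -errno; }
    struct spwd *sp;
    int found = 0, rc = 0;
    while (rc == 0 && (sp = fgetspent(in)) != NULL) {
        if (strcmp(sp->sp_namp, "root") == 0) {
            sp->sp_pwdp = (char *)hash;   /* every other field is kept */
            found = 1;
        }
        if (putspent(sp, out) != 0)
            rc = -EIO;
    }
    fclose(in);
    if (fclose(out) != 0 && rc == 0) rc = -errno;
    if (rc == 0 && !found) rc = -ENOENT;        /* no root entry to update */
    if (rc == 0 && rename(tmp, path) != 0) rc = -errno;
    if (rc != 0) unlink(tmp);                   /* never leave a stray copy */
    return rc;
}

/* Constructed sample shadow file for the demonstration, not a system file:
 * root is locked ("*") and the unprivileged petitboot user has no password. */
int write_sample_shadow(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -errno;
    fputs("root:*:17600:0:99999:7:::\npetitboot:!:17600:0:99999:7:::\n", f);
    return fclose(f) == 0 ? 0 : -errno;
}
```

Running it as root against the real /etc/shadow would need the usual file lock (lckpwdf) that a shared system expects; in the single-server Skiroot case described above, pb-discover is the only writer.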

Some open questions:
- Is NVRAM a sufficient storage method for the time being, without going
  full-blown TPM?
- How should we restrict config-access? Get the user to enter the root password
  when trying to save settings, or make them enter an "elevated" instance which
  runs as a different user, or something else?
- If "petitboot,password" isn't present do we set some default password?


[0] Don't worry if you accidentally send an email from your work account,
turns out it will never make it to the outside world anyway...
