[PATCH 00/13] User support and client permissions
Samuel Mendoza-Jonas
sam at mendozajonas.com
Fri Nov 23 10:36:17 AEDT 2018
There has been interest in having methods to "lock down" Petitboot for a
while now (existing changes like restricting access to the shell,
requested features such as adding a big "Password" screen before being
able to do anything), and this makes a big jump in that direction as
part of the overall journey to trusted/secure boot.
Rather than rely on implementing a bunch of password checks in ncurses
and keeping the user from getting shell access this instead leans on
having Linux do it for us for the most part by running all user facing
parts of Petitboot as an unprivileged user, with only pb-discover and
its utilities running with root permissions. Assuming the environment
has been set up correctly this means that when a user drops to the shell
they are completely unprivileged unless they know the root password.
Since non-root users can't init, mount, or kexec anything all normal
actions must be done via pb-discover. Unless the user authorises with
pb-discover (handled by a new nc-auth subscreen) they are restricted to
a subset of actions that don't affect the configuration or default boot
option of the system.
For platform-powerpc clients are restricted by default if we find a
"petitboot,password" value in NVRAM which is a hash of the password to
be used as the root password. Users can also set a password which will
be hashed and stored in NVRAM. In the future this could be something we
do with a TPM but as a first step this should be sufficient as NVRAM is
only accessible by root anyway.
Along the way we also pick up some fixes that make using the shell a
little nicer such as actual job control finally.
Thoughts, comments, and criticisms welcome, I'm sure I've stared at this
for too long and forgotten something. Note also that this depends on
proper user accounts being configured by Buildroot for example.
Samuel Mendoza-Jonas (13):
utils/pb-console: Support agetty's autologin option
utils/pb-sos: Don't create files in root by default
utils/pb-console: Set up controlling terminal
utils/pb-console: Ignore SIGINT
lib/crypt: Add helpers for operating on /etc/shadow
lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATE
discover/discover-server: Restrict clients based on uid
discover/device-handler: Prevent normal users changing boot target
discover/platform-powerpc: Read and write password hash from NVRAM
ui/ncurses: Simplify starting shell
ui/common: Client authentication helpers
ui/ncurses: Add nc-auth and authenticate when required.
ui/ncurses: Keep track of the default boot option
configure.ac | 22 +++
discover/device-handler.c | 18 +-
discover/device-handler.h | 2 +-
discover/discover-server.c | 236 ++++++++++++++++++++++++++-
discover/discover-server.h | 3 +
discover/pb-discover.c | 3 +
discover/platform-powerpc.c | 29 ++++
discover/platform.c | 13 ++
discover/platform.h | 4 +
discover/user-event.c | 7 +-
lib/Makefile.am | 9 +
lib/crypt/crypt.c | 126 ++++++++++++++
lib/crypt/crypt.h | 49 ++++++
lib/param_list/param_list.c | 1 +
lib/pb-protocol/pb-protocol.c | 94 +++++++++++
lib/pb-protocol/pb-protocol.h | 26 +++
lib/types/types.h | 1 +
ui/common/discover-client.c | 81 +++++++++
ui/common/discover-client.h | 12 ++
ui/ncurses/Makefile.am | 4 +-
ui/ncurses/nc-add-url.c | 63 ++++---
ui/ncurses/nc-auth.c | 299 ++++++++++++++++++++++++++++++++++
ui/ncurses/nc-auth.h | 33 ++++
ui/ncurses/nc-config.c | 64 ++++++--
ui/ncurses/nc-cui.c | 204 ++++++++++++++++++++---
ui/ncurses/nc-cui.h | 6 +
ui/ncurses/nc-lang.c | 127 ++++++++++-----
ui/ncurses/nc-plugin.c | 44 ++---
ui/ncurses/nc-plugin.h | 2 -
ui/ncurses/nc-scr.h | 1 +
ui/ncurses/nc-widgets.h | 1 +
utils/pb-console | 18 +-
utils/pb-sos | 13 +-
33 files changed, 1479 insertions(+), 136 deletions(-)
create mode 100644 lib/crypt/crypt.c
create mode 100644 lib/crypt/crypt.h
create mode 100644 ui/ncurses/nc-auth.c
create mode 100644 ui/ncurses/nc-auth.h
--
2.19.1
More information about the Petitboot
mailing list