* How can I add a user for openbmc and remove the default root user?
From: 南野ムルシエラゴ @ 2019-12-14  9:57 UTC
  To: openbmc


Greetings!
    I am using openbmc, and I want to remove the default root user and add a new user.
    I use useradd to add a user; I can use curl with this username and password to connect to openbmc, but when I use ipmitool, it fails.
    Can anyone tell me what I can do?


Best Regards!
Liu Hongwei



* Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-16  6:48 UTC
  To: 南野ムルシエラゴ, openbmc


Hi Liu,

Please refer to the earlier response on the same:

https://lists.ozlabs.org/pipermail/openbmc/2019-June/016515.html

Lately I am seeing many people asking for this password override for IPMI. Will try to override the same using a bbclass for the IPMI password too.

Regards,

Richard



* Re: How can I add a user for openbmc and remove the default root user?
From: 南野ムルシエラゴ @ 2019-12-16  9:01 UTC
  To: Thomaiyar, Richard Marian, openbmc



Hi Thomaiyar


Thanks for your advice. Actually I want to add a user dynamically after openbmc is running, not at image build time. I did some trials, and it seems to work.
1. After logging in as root, I use busctl to call the CreateUser method of phosphor-user-manager.

2. After that, I use the passwd command to change user liu3's password. The password cannot be too simple, and I set the password as "qwertyuiop[]123".

3. Then I can see two users in /xyz/openbmc_project/user. They are root and liu3.

4. In another computer (actually I run openbmc in qemu, and "another computer" means the host system), I try to access the openbmc with curl and ipmitool. And it seems to work.

Although I can add a user, I still do not know how to delete the added user. I haven't found a DeleteUser D-Bus interface like the CreateUser interface.


Best Regards!
Liu Hongwei

* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-16 13:44 UTC
  To: 南野ムルシエラゴ, openbmc


The Delete interface is exposed as part of the user object itself. Sample busctl command to delete a user under phosphor-user-manager:

busctl call xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/<username> xyz.openbmc_project.Object.Delete Delete

Regards,

Richard



* Re: Re: How can I add a user for openbmc and remove the default root user?
From: 南野ムルシエラゴ @ 2019-12-17  2:16 UTC
  To: Thomaiyar, Richard Marian, openbmc



Hi, Richard


It works! Thanks for your help.


Best Regards!
Liu Hongwei

* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Gunnar Mills @ 2019-12-17 21:08 UTC
  To: Thomaiyar, Richard Marian, 南野ムルシエラゴ, openbmc



On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>
> Delete interface is exposed as part of the user object itself. Sample
> busctl command to do the delete of a user under phosphor-user-manager
>
> busctl call xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/<username> xyz.openbmc_project.Object.Delete Delete
>

I am missing something here. This does not work for me. I didn't think we allowed removing the root user, which is why it is disabled on the WebUI? If we do allow deleting the root user, should this be allowed from the WebUI?

When sshed as root:
busctl call xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete Delete
Call failed: The operation failed internally.

In the journal I see
Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root is currently used by process 1
Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed internally.
Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed internally.


When sshed as an "Administrator" role account, with the same call:
Call failed: Access denied

NOTE: As an "Administrator" role I can't delete a user using "busctl call"; only from the Redfish/WebUI am I able to.

Thanks!
Gunnar


* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-18 12:42 UTC
  To: Gunnar Mills, 南野ムルシエラゴ, openbmc


Hi Gunnar,

Yes, the root user (basically uid 0) can't be deleted. The method works for other users only, as in Liu's case, where he wants to delete the newly created user.

Regards,

Richard



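The create and delete calls discussed in this thread, wrapped in a small POSIX sh script, as an added example that is not part of the thread or of phosphor-user-manager itself. The bus name, the object path and the Object.Delete call are the ones Richard quotes above; the CreateUser argument layout (name, group list, privilege, enabled, D-Bus signature sassb), the group names ipmi/redfish/ssh and the privilege name priv-admin are assumptions about phosphor-user-manager's D-Bus API and are not taken from the thread. The delete wrapper refuses uid 0 before calling the bus, which is exactly the case Gunnar hit (userdel fails because PID 1 runs as root) and Richard confirms.

```shell
#!/bin/sh
# Added example: wrappers around the phosphor-user-manager D-Bus calls from the thread.
# Not OpenBMC code. The CreateUser argument layout and the group/privilege names
# used in the usage line are assumptions about the D-Bus API.

USER_SERVICE="xyz.openbmc_project.User.Manager"   # bus name quoted in the thread
USER_ROOT="/xyz/openbmc_project/user"             # object path quoted in the thread
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"         # override to check a copied passwd file

# is_uid0 NAME: succeed if NAME is root or any account that maps to uid 0 in PASSWD_FILE.
is_uid0() {
    [ "$1" = "root" ] && return 0
    uid=$(awk -F: -v n="$1" '$1 == n { print $3; exit }' "$PASSWD_FILE")
    [ "$uid" = "0" ]
}

# bmc_user_create NAME PRIVILEGE GROUP...: CreateUser on the manager object.
# Assumed signature sassb = (name, group array, privilege, enabled); busctl takes
# the array as its length followed by its elements. The password is set afterwards
# with passwd NAME on the BMC shell, as Liu describes.
bmc_user_create() {
    name="$1"; priv="$2"; shift 2
    busctl call "$USER_SERVICE" "$USER_ROOT" xyz.openbmc_project.User.Manager \
        CreateUser sassb "$name" "$#" "$@" "$priv" true
}

# bmc_user_delete NAME: Object.Delete on the user object, with the uid 0 guard.
# Returns 2 for an unusable name, 1 when NAME is uid 0, otherwise busctl's status.
bmc_user_delete() {
    name="$1"
    case "$name" in
        ""|*[!A-Za-z0-9_-]*)
            echo "refusing: '$name' is not a valid user name" >&2
            return 2 ;;
    esac
    if is_uid0 "$name"; then
        echo "refusing: '$name' is uid 0; userdel cannot remove it while PID 1 runs as root" >&2
        echo "hint: disable root login instead (lock the password or expire the account)" >&2
        return 1
    fi
    busctl call "$USER_SERVICE" "$USER_ROOT/$name" xyz.openbmc_project.Object.Delete Delete
}

# Usage on the BMC, as an account allowed to call the manager (assumed names):
#   . ./bmc-user.sh && bmc_user_create liu3 priv-admin ipmi redfish ssh && passwd liu3
#   . ./bmc-user.sh && bmc_user_delete liu3
```

The guard only addresses the failure Gunnar saw for uid 0; the "Access denied" he got as an Administrator-role account is D-Bus policy and is not changed by any client-side wrapper.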

* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Joseph Reynolds @ 2019-12-19  6:36 UTC
  To: Thomaiyar, Richard Marian, Gunnar Mills, 南野ムルシエラゴ, openbmc


On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
> Hi Gunnar,
>
> Yes, the root user (basically uid 0) can't be deleted. The method works
> for other users only, as in Liu's case, where he wants to delete the
> newly created user.

FWIW, I am interested in moving the OpenBMC project away from having root login access enabled by default, and specifically disabling SSH access in general, and root access to the BMC's shell. I also want to have a secure way to re-enable this when needed. See https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if you have any ideas on this topic.


I had understood the original question in this email thread as a request to "disable root access" so "root cannot login". (Note that one consequence of disabling root login is that once you remove root access, it is hard to get back. You'll have to use the sudo command or su command from another user account, and I don't think sudo is present on OpenBMC systems.)

I understand that deleting the root user is not advisable because the system will break. Instead the alternative is to disable access to the root account, for example, by doing one of:
- Change root's login shell to /sbin/nologin
- Change the root password to empty or lock the root password
- Change Linux-PAM to deny root account access
- Expire the root account (chage -E0 root)

Any idea which approach works best for OpenBMC?

- Joseph


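A check for the disable options Joseph lists above, as an added example that is not from the thread: it reads a file in /etc/shadow format, classifies root's password field (locked with "!" or "*", empty, or hashed with $1$ MD5, $5$ SHA-256 or $6$ SHA-512, which is the hash-algorithm point raised later in this thread) and reports root as disabled when the password is locked or the expiry field has already passed (what chage -E0 root writes). The login-shell and Linux-PAM options are not visible in shadow and are not checked here. The sample shadow lines in the test are constructed; the root hash they use is the one quoted in Joseph's later bitbake snippet.

```shell
#!/bin/sh
# Added example: audit root's entry in a shadow-format file.
# Not OpenBMC code; assumes the standard /etc/shadow field layout:
#   1 name : 2 password : 3 lastchg : 4 min : 5 max : 6 warn : 7 inactive : 8 expire : 9 reserved

# shadow_field FILE USER N: print field N of USER's line (empty if absent).
shadow_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# classify_hash PASSWORD_FIELD: print one of empty|locked|md5|sha256|sha512|other.
classify_hash() {
    case "$1" in
        "")         echo empty ;;
        '!'*|'*'*)  echo locked ;;   # passwd -l / usermod -L prefix, or never set
        '$1$'*)     echo md5 ;;
        '$5$'*)     echo sha256 ;;
        '$6$'*)     echo sha512 ;;
        *)          echo other ;;    # e.g. $y$ yescrypt or $2b$ bcrypt
    esac
}

# root_login_state FILE [TODAY]: print "disabled" (exit 0) or "enabled" (exit 1).
# TODAY is days since the epoch, defaulting to now; chage -E0 stores 0 in field 8.
root_login_state() {
    file="$1"
    today="${2:-$(( $(date +%s) / 86400 ))}"
    pw=$(shadow_field "$file" root 2)
    expire=$(shadow_field "$file" root 8)
    kind=$(classify_hash "$pw")
    case "$kind" in
        md5)   echo "warning: root hash is \$1\$ (MD5); rehash with \$6\$ (SHA-512)" >&2 ;;
        empty) echo "warning: root has no password; whether login is allowed depends on PAM (nullok)" >&2 ;;
    esac
    if [ "$kind" = locked ]; then
        echo disabled; return 0
    fi
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo disabled; return 0
    fi
    echo enabled; return 1
}

# Usage: root_login_state /etc/shadow   (on the BMC, or on a copied shadow file)
```

An empty password field is deliberately reported as "enabled" with a warning, because whether it lets root in is decided by the PAM configuration, not by shadow alone.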

* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-19  9:09 UTC
  To: Joseph Reynolds, Gunnar Mills, 南野ムルシエラゴ, openbmc



On 12/19/2019 12:06 PM, Joseph Reynolds wrote:
> On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
>> Hi Gunnar,
>>
>> Yes, the root user (basically uid 0) can't be deleted. The method works
>> for other users only, as in Liu's case, where he wants to delete the
>> newly created user.
>
> FWIW, I am interested in moving the OpenBMC project away from having
> root login access enabled by default, and specifically disabling SSH
> access in general, and root access to the BMC's shell. I also want to
> have a secure way to re-enable this when needed. See
> https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
> you have any ideas on this topic.
>
Currently you will be. Remove debug-tweaks & allow-root-login from IMAGE_FEATURES; then the build will make sure that the root user loses group permissions, and OpenBMC is left with no user accounts. Any new user accounts must be created from the host interface through the IPMI interface (that's the logic we currently have).

Note:

1. This will not remove the root user (uid 0, which is needed, as you mentioned below), but it will not have any password. (In order to remove the password in OpenBMC it needs a one-line change to remove the usermod in phosphor-defaults.inc and the /etc/ipmi_pass file; currently we have a patch downstream for the same, as the community still needs the root user account.) But OpenBMC has been updated to remove the root user from Admin and other group privileges when debug-tweaks / allow-root-login are not defined.

>
> I had understood the original question in this email thread as a
> request to "disable root access" so "root cannot login". (Note that
> one consequence of disabling root login is that once you remove root
> access, it is hard to get back. You'll have to use the sudo command or
> su command from another user account, and I don't think sudo is
> present on OpenBMC systems.)
>
> I understand that deleting the root user is not advisable because the
> system will break. Instead the alternative is to disable access to
> the root account, for example, by doing one of:
> - Change root's login shell to /sbin/nologin
> - Change the root password to empty or lock the root password
> - Change Linux-PAM to deny root account access
> - Expire the root account (chage -E0 root)
>
> Any idea which approach works best for OpenBMC?

If you have removed the password, then it can't be used. But if you need to enable it for debug or for a special use case, then it requires a method to set a password. We enable setting the root password using the Set Special User Password OEM command (https://github.com/openbmc/intel-ipmi-oem/blob/master/src/oemcommands.cpp#L1130).

Let me know your thoughts. As I see it, a decision can be made; I think we can write a document (with community feedback) and move to a common solution.

Regards,
Richard


* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Joseph Reynolds @ 2020-01-02  3:16 UTC
  To: Thomaiyar, Richard Marian, Gunnar Mills, 南野ムルシエラゴ, openbmc




On 12/19/19 3:09 AM, Thomaiyar, Richard Marian wrote:
>
> On 12/19/2019 12:06 PM, Joseph Reynolds wrote:
>> On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
>>> Hi Gunnar,
>>>
>>> Yes, the root user (basically uid 0) can't be deleted. The method works
>>> for other users only, as in Liu's case, where he wants to delete the
>>> newly created user.
>>
>> FWIW, I am interested in moving the OpenBMC project away from having
>> root login access enabled by default, and specifically disabling SSH
>> access in general, and root access to the BMC's shell. I also want
>> to have a secure way to re-enable this when needed. See
>> https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
>> you have any ideas on this topic.
>>
> Currently you will be. Remove debug-tweaks & allow-root-login from
> IMAGE_FEATURES; then the build will make sure that the root user loses
> group permissions, and OpenBMC is left with no user accounts. Any new user
> accounts must be created from the host interface through the IPMI interface
> (that's the logic we currently have).
>
> Note:
>
> 1. This will not remove the root user (uid 0, which is needed, as you
> mentioned below), but it will not have any password. (In order to remove
> the password in OpenBMC it needs a one-line change to remove the usermod
> in phosphor-defaults.inc and the /etc/ipmi_pass file; currently we have
> a patch downstream for the same, as the community still needs the root
> user account.) But OpenBMC has been updated to remove the root user from
> Admin and other group privileges when debug-tweaks / allow-root-login
> are not defined.

Nice! Thank you for referencing that (I missed that review). It seems to me that phosphor-defaults.inc should set the root user password only when IMAGE_FEATURES includes allow-root-login, and otherwise not allow login. My bitbake is weak, but something like this:

# Set the root password to '0penBmc' if IMAGE_FEATURES contains allow-root-login,
# otherwise prefix the hash with "!" so root cannot login.
EXTRA_USERS_PARAMS_pn-obmc-phosphor-image = " \
usermod -p \
${@bb.utils.contains('IMAGE_FEATURES', 'allow-root-login', '', '!', d)}\
'\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
"
(except use correct bitbake syntax).


BTW, we ought to update the [password hash algorithm][], currently $1$ = MD5, to $5$ = SHA-256 or $6$ = SHA-512.
[password hash algorithm]: https://en.wikipedia.org/wiki/Passwd


>
>>
>> I had understood the original question in this email thread as a
>> request to "disable root access" so "root cannot login". (Note that
>> one consequence of disabling root login is that once you remove root
>> access, it is hard to get back. You'll have to use the sudo command
>> or su command from another user account, and I don't think sudo is
>> present on OpenBMC systems.)
>>
>> I understand that deleting the root user is not advisable because the
>> system will break. Instead the alternative is to disable access to
>> the root account, for example, by doing one of:
>> - Change root's login shell to /sbin/nologin
>> - Change the root password to empty or lock the root password
>> - Change Linux-PAM to deny root account access
>> - Expire the root account (chage -E0 root)
>>
>> Any idea which approach works best for OpenBMC?
>
> If you have removed the password, then it can't be used. But if you
> need to enable it for debug or for a special use case, then it requires a
> method to set a password. We enable setting the root password using the
> Set Special User Password OEM command
> (https://github.com/openbmc/intel-ipmi-oem/blob/master/src/oemcommands.cpp#L1130).
>
> Let me know your thoughts. As I see it, a decision can be made; I think we
> can write a document (with community feedback) and move to a common
> solution.

That sounds right to me. I think various OpenBMC users have these use cases:

Use case 1: remove root access by default

We share the use case of removing root access by default, which we can do by removing 'allow-root-login' from IMAGE_FEATURES.

I would like to see the OpenBMC project move toward this as the default. That brings me to use case 2...


Use case 2: have a way to re-enable root access

We also need a way to re-enable root access to the BMC's shell. I 
suggest we design a phosphor D-Bus API as the common way to enable and 
disable root login access.

I see divergent use cases for root shell access. OpenBMC developers 
will continue to need root login (for example, SSH to the BMC using 
default root credentials) on a regular basis. They will also need that 
access when they are called upon to debug systems currently running a 
workload.

However, users with sensitive data on their host system will want to 
lock out the root user, all SSH access, and especially root SSH access 
because of the additional capabilities root has compared with regular 
Administrator users and because of the difficulty in monitoring and 
auditing shell commands. Specifically, I think root login access and 
SSH access must both be addressed. In my opinion, if we give any users 
SSH access to the BMC shell, it is too easy for them to escalate that 
privilege to root, so we should have a way to lock out SSH access.

The solution you presented is an IPMI OEM command. Another idea is a 
Phosphor REST or Redfish API to control these items (root login and SSH 
server capability), and limit that to the BMC Administrator role. Those 
APIs would use the D-Bus API as the underlying implementation.

I think OpenBMC needs an easy way to re-enable root access before we can 
remove root access.


Use case 3: create an admin user by default

A related topic is the use cases for the "genesis experience", that is, 
the first time a BMC admin uses their newly-installed BMC. The options 
include:
A. The BMC has no default users. When needed, they are created via 
unauthenticated host access.
B. The BMC has no default users. An Administrator account is created by 
the initial user to access the system. This would make OpenBMC behave 
like other operating systems (such as Ubuntu) and devices.
C. The BMC has a user with username=admin and role=Administrator and a 
default password. This is close to what OpenBMC has now and what I 
would propose for the project default. (Naturally, we would add 
'no-admin-user' to IMAGE_FEATURES for use cases that do not want this user.)

The options above all assume the current genesis & provisioning 
experience. It would be possible to provision the BMC with its firmware 
image, custom user access credentials, an IP address, etc., before 
powering on the BMC for the first time. I would like to explore the 
possibilities in that space, but the remainder of this note assumes the 
traditional genesis experience described in the options above.

In any case, the admin user will have a way to gain root login access 
for themselves and to lock out root access by non-admin users.

I think OpenBMC needs to document how to access and provision the BMC, 
including details such as how to login as root and how to lock out root 
access.

___

As usual, I've written too much. I would be happy to hear your ideas, 
review your solution, and help where I can.

- Joseph


TL;DR: More ramblings for the use cases above: Have a way for a BMC 
Administrator to gain root access to the BMC shell.

What is the use case to allow a non-root user to use the BMC shell (via 
SSH or other access)? What will that let them do? I think you need to 
have sudo access for commands like journalctl and systemctl, or to 
invoke D-Bus APIs. I mean I think what you can do with the BMC's shell 
is extremely limited without sudo access. Are we thinking we should set 
up sudo?

If we have sudo access (so I can, for example: `ssh admin1@${bmc_ip} 
sudo`) then why would I need to log in as root? Would root login be 
needed? I think we can do without root logins, but we would need to get 
sudo working...and have a way to control when sudo is enabled. (In 
other words, I don't have a good idea how to handle this.)

Note: Per the [phosphor user management group roles][], should the 
[access via SSH][] be changed to the "ssh" group? It is currently 
restricted to the priv-admin group.

[phosphor user management group roles]: 
https://github.com/openbmc/docs/blob/master/architecture/user_management.md#supported-group-roles
[Access via SSH]: 
https://github.com/openbmc/openbmc/blob/adb78181f2183a3b0aa016cfd5d754710b828f30/meta-phosphor/recipes-core/dropbear/dropbear/dropbear.default


>
>>
>> - Joseph
>>
>>>
>>> Regards,
>>>
>>> Richard
>>>
>>>
>>> On 12/18/2019 2:38 AM, Gunnar Mills wrote:
>>>>
>>>> On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>>>>>
>>>>> Delete interface is exposed as part of the user object itself. 
>>>>> Sample busctl command to do the delete of an user under 
>>>>> phosphor-user-manager
>>>>>
>>>>> busctl call xyz.openbmc_project.User.Manager 
>>>>> /xyz/openbmc_project/user/<username> 
>>>>> xyz.openbmc_project.Object.Delete Delete
>>>>>
>>>>>
>>>>
>>>> I am missing something here.. This does not work for me. I didn't 
>>>> think we allowed removing the root user, which is why it is 
>>>> disabled on the WebUI? If we do allow deleting the root user, 
>>>> should this be allowed from the WebUI?
>>>>
>>>> When sshed as root:
>>>> busctl call xyz.openbmc_project.User.Manager 
>>>> /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete 
>>>> Delete
>>>> Call failed: The operation failed internally.
>>>>
>>>> In the journal I see
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root 
>>>> is currently used by process 1
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation 
>>>> failed internally.
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation 
>>>> failed internally.
>>>>
>>>>
>>>> When sshed as an "Administrator" role account, with the same call:
>>>> Call failed: Access denied
>>>>
>>>> NOTE: As an "Administrator" role I can't delete a user using 
>>>> "busctl call"; only from the Redfish/WebUI am I able to.
>>>>
>>>> Thanks!
>>>> Gunnar
>> Regards,
> Richard
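An added audit script, not from this thread or the OpenBMC project, that checks a root entry in passwd/shadow text against the lock-out options discussed above (nologin shell, locked or empty password, account expiry) and flags the $1$ MD5 hash the thread proposes replacing. The sample files, the SHA-512 placeholder hash and the day counts are constructed; the $1$ hash is the one quoted in the thread.

```python
"""Audit root's login state from passwd/shadow text (added example, not from
the thread): the lock-out options the thread lists plus the weak $1$ hash."""
import time

HASH_ALGOS = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(text):
    """Map entry name -> ':'-split fields for passwd- or shadow-style text."""
    rows = (ln.split(":") for ln in text.splitlines())
    return {f[0]: f for f in rows if f[0] and not f[0].startswith("#")}

def audit_root(passwd_text, shadow_text, today_days=None):
    """Return flags describing how (or whether) root login is restricted."""
    if today_days is None:
        today_days = int(time.time() // 86400)  # shadow(5) counts days since epoch
    root_pw = parse_colon_file(passwd_text)["root"]
    root_sh = parse_colon_file(shadow_text).get("root", [])
    pw_field = root_sh[1] if root_sh else root_pw[1]
    expire = root_sh[7] if len(root_sh) > 7 else ""
    # A leading '!' (passwd -l) keeps the hash but makes it unmatchable; '*' likewise.
    locked = pw_field.startswith("!") or pw_field == "*"
    algo = next((n for p, n in HASH_ALGOS.items()
                 if pw_field.lstrip("!").startswith(p)), None)
    # shadow(5) calls an expiry of 0 ambiguous (never vs. 1970-01-01), so only a
    # positive day number in the past counts as expired here.
    expire_days = int(expire) if expire.isdigit() else None
    report = {
        "hash_algorithm": algo,
        "weak_hash": algo == "MD5",
        "password_locked": locked,
        "empty_password": pw_field == "",  # login then hinges on pam_unix nullok
        "nologin_shell": root_pw[6] in NOLOGIN_SHELLS,
        "account_expired": expire_days is not None and 0 < expire_days <= today_days,
        "expiry_zero_ambiguous": expire_days == 0,
    }
    report["login_blocked"] = locked or report["nologin_shell"] or report["account_expired"]
    return report

# Constructed samples: the $1$ root hash quoted in the thread vs. a hardened root
# (locked SHA-512 placeholder hash, nologin shell, expiry 0 as 'chage -E0' would set).
PASSWD_DEFAULT = "root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:100::/home/admin:/bin/sh\n"
SHADOW_DEFAULT = "root:$1$UGMqyqdG$FZiylVFmRRfl9Z0Ue8G7e/:18000:0:99999:7:::\n"
PASSWD_HARDENED = "root:x:0:0:root:/root:/sbin/nologin\n"
SHADOW_HARDENED = "root:!$6$saltsalt$placeholderhash:18000:0:99999:7::0:\n"

if __name__ == "__main__":
    print(audit_root(PASSWD_DEFAULT, SHADOW_DEFAULT, today_days=18250))
    print(audit_root(PASSWD_HARDENED, SHADOW_HARDENED, today_days=18250))
```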
