* How can I add a user for openbmc and remove the default root user?
From: 南野ムルシエラゴ @ 2019-12-14 9:57 UTC
To: openbmc
Greetings!
I am using openbmc, and I want to remove the default root user and add a new user.
I used useradd to add a user; I can use curl with this username and password to connect to openbmc, but when I use ipmitool, it fails.
Can anyone tell me what I can do?
Best Regards!
Liu Hongwei
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-16 6:48 UTC
To: 南野ムルシエラゴ, openbmc
Hi Liu,
Please refer to the earlier response on the same:
https://lists.ozlabs.org/pipermail/openbmc/2019-June/016515.html
Lately I am seeing many people asking for this password override for
IPMI. Will try to override the same using bbclass for the IPMI password too.
Regards,
Richard
* Re: How can I add a user for openbmc and remove the default root user?
From: 南野ムルシエラゴ @ 2019-12-16 9:01 UTC
To: Thomaiyar, Richard Marian, openbmc
Hi Thomaiyar,
Thanks for your advice. Actually I want to add a user dynamically after openbmc is running, not at image build time. I did some trials, and it seems to work.
1. After logging in as root, I use busctl to call the CreateUser method of phosphor-user-manager.
2. After that, I use the passwd command to change user liu3's password. The password cannot be too simple, and I set the password as "qwertyuiop[]123".
3. Then I can see two users in /xyz/openbmc_project/user: root and liu3.
4. On another computer (actually I run openbmc in qemu, and "another computer" means the host system), I try to access the openbmc with curl and ipmitool, and it seems to work.
Although I can add a user, I still do not know how to delete the added user. I haven't found a DeleteUser D-Bus interface like the CreateUser interface.
Best Regards!
Liu Hongwei
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-16 13:44 UTC
To: 南野ムルシエラゴ, openbmc
The Delete interface is exposed as part of the user object itself. Sample
busctl command to delete a user under phosphor-user-manager:
busctl call xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/<username> xyz.openbmc_project.Object.Delete Delete
Regards,
Richard
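An added example, not code from the thread or from phosphor-user-manager, that wraps the two calls exchanged above (Liu's CreateUser step and Richard's Object.Delete command) in shell functions with the input checks a BMC administrator would want. It assumes the CreateUser D-Bus signature "sassb" (UserName, GroupNames, Privilege, Enabled) and the group names (ipmi, redfish, ssh, web) and privilege strings (priv-admin, priv-operator, priv-user) of phosphor-user-manager as I know them; confirm them on your BMC with busctl introspect before relying on this.

```shell
#!/bin/sh
# Added example, not from the thread: shell wrappers for the phosphor-user-manager
# D-Bus calls discussed above. Creating the account through the manager (rather
# than plain useradd) records the groups and privilege the BMC interfaces check.
#
# ASSUMPTIONS (verify with: busctl introspect xyz.openbmc_project.User.Manager
# /xyz/openbmc_project/user): CreateUser has D-Bus signature "sassb"
# (UserName, GroupNames, Privilege, Enabled); groups are names such as
# ipmi, redfish, ssh, web; privileges are strings such as priv-admin,
# priv-operator, priv-user.
# Set DRY_RUN=1 to print the busctl command line instead of executing it.

OBMC_USER_SVC="xyz.openbmc_project.User.Manager"
OBMC_USER_ROOT="/xyz/openbmc_project/user"

run_busctl() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "busctl $*"
    else
        busctl "$@"
    fi
}

# usage: obmc_user_create NAME PRIVILEGE GROUP...
# The password is set afterwards with 'passwd NAME', as in the thread.
obmc_user_create() {
    name=$1; priv=$2; shift 2
    case "$name" in
        ''|*[!a-zA-Z0-9_-]*) echo "invalid user name: '$name'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one group is required" >&2; return 1; }
    # busctl marshals an 'as' argument as the element count followed by the
    # elements, so "$#" (the number of groups left in $@) goes before "$@".
    run_busctl call "$OBMC_USER_SVC" "$OBMC_USER_ROOT" "$OBMC_USER_SVC" \
        CreateUser sassb "$name" "$#" "$@" "$priv" true
}

# usage: obmc_user_delete NAME
# Refuses root: uid 0 cannot be removed (userdel fails with "user root is
# currently used by process 1", as Gunnar's journal shows later in the thread).
obmc_user_delete() {
    name=$1
    case "$name" in
        ''|root) echo "refusing to delete '$name'" >&2; return 2 ;;
        *[!a-zA-Z0-9_-]*) echo "invalid user name: '$name'" >&2; return 1 ;;
    esac
    run_busctl call "$OBMC_USER_SVC" "$OBMC_USER_ROOT/$name" \
        xyz.openbmc_project.Object.Delete Delete
}

# usage: obmc_user_list   (prints the object tree under /xyz/openbmc_project/user)
obmc_user_list() {
    run_busctl tree "$OBMC_USER_SVC"
}

# Dry-run demo of the thread's sequence when OBMC_DEMO=1: create liu3, delete it.
if [ "${OBMC_DEMO:-}" = 1 ]; then
    DRY_RUN=1
    obmc_user_create liu3 priv-admin ipmi redfish ssh
    obmc_user_delete liu3
fi
```

With DRY_RUN=1 the functions only print the command lines, which is also how they can be exercised off the BMC.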
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: 南野ムルシエラゴ @ 2019-12-17 2:16 UTC
To: Thomaiyar, Richard Marian, openbmc
Hi Richard,
It works! Thanks for your help.
Best Regards!
Liu Hongwei
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Gunnar Mills @ 2019-12-17 21:08 UTC
To: Thomaiyar, Richard Marian, 南野ムルシエラゴ, openbmc
On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>
> Delete interface is exposed as part of the user object itself. Sample
> busctl command to do the delete of an user under phosphor-user-manager
>
> busctl call xyz.openbmc_project.User.Manager
> /xyz/openbmc_project/user/<username> xyz.openbmc_project.Object.Delete
> Delete
>
>
I am missing something here... This does not work for me. I didn't think
we allowed removing the root user, which is why it is disabled on the
WebUI? If we do allow deleting the root user, should this be allowed
from the WebUI?
When sshed as root:
busctl call xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete Delete
Call failed: The operation failed internally.
In the journal I see
Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root is currently used by process 1
Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed internally.
Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation failed internally.
When sshed as an "Administrator" role account, with the same call:
Call failed: Access denied
NOTE: As an "Administrator" role I can't delete a user using "busctl
call"; only from the Redfish/WebUI am I able to.
Thanks!
Gunnar
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-18 12:42 UTC
To: Gunnar Mills, 南野ムルシエラゴ, openbmc
Hi Gunnar,
Yes, the root user (basically uid 0) can't be deleted. The method works
for other users only, as in Liu's case, where he wants to delete the
newly created user.
Regards,
Richard
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Joseph Reynolds @ 2019-12-19 6:36 UTC
To: Thomaiyar, Richard Marian, Gunnar Mills, 南野ムルシエラゴ, openbmc
On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
> Hi Gunnar,
>
> Yes root user can't be deleted (basically uid 0), can't be deleted.
> The method works for other users only, like in case Liu, he wants to
> delete the newly created user.
FWIW, I am interested in moving the OpenBMC project away from having
root login access enabled by default, and specifically disabling SSH
access in general, and root access to the BMC's shell. I also want to
have a secure way to re-enable this when needed. See
https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
you have any ideas on this topic.
I had understood the original question in this email thread as a request
to "disable root access" so "root cannot login". (Note that one
consequence of disabling root login is that once you remove root access,
it is hard to get back. You'll have to use the sudo command or su
command from another user account, and I don't think sudo is present on
OpenBMC systems.)
I understand that deleting the root user is not advisable because the
system will break. Instead the alternative is to disable access to the
root account, for example, by doing one of:
- Change root's login shell to /sbin/nologin
- Change the root password to empty or lock the root password
- Change Linux-PAM to deny root account access
- Expire the root account (chage -E0 root)
Any idea which approach works best for OpenBMC?
- Joseph
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Thomaiyar, Richard Marian @ 2019-12-19 9:09 UTC
To: Joseph Reynolds, Gunnar Mills, 南野ムルシエラゴ, openbmc
On 12/19/2019 12:06 PM, Joseph Reynolds wrote:
> On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
>> Hi Gunnar,
>>
>> Yes root user can't be deleted (basically uid 0), can't be deleted.
>> The method works for other users only, like in case Liu, he wants to
>> delete the newly created user.
>
> FWIW, I am interested in moving the OpenBMC project away from having
> root login access enabled by default, and specifically disabling SSH
> access in general, and root access to the BMC's shell. I also want to
> have a secure way to re-enable this when needed. See
> https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
> you have any ideas on this topic.
>
Currently you will be. Remove debug-tweaks & allow-root-login from
IMAGE_FEATURES; then the build will make sure that the root user loses
group permissions, and OpenBMC is left with no user accounts. Any new user
accounts must be created from the host interface through the IPMI interface
(that's the logic we currently have).
Note:
1. This will not remove the root user (uid 0, which is needed as you
mentioned below), but it will not have any password. (In order to remove the
password in OpenBMC it needs a one-line change to remove usermod in
phosphor-defaults.inc & the /etc/ipmi_pass file; currently we have a
patch downstream for the same, as the community still needs the root
user account, but OpenBMC has been updated to remove the root user from
Admin & other group privileges when debug-tweaks / allow-root-login
are not defined.)
>
> I had understood the original question in this email thread as a
> request to "disable root access" so "root cannot login". (Note that
> one consequence of disabling root login is that once you remove root
> access, it is hard to get back. You'll have to use the sudo comand or
> su command from another user account, and I don't think sudo is
> present on OpenBMC systems.)
>
> I understand that deleting the root user is not advisable because the
> system will break. Instead the alternative is to disable access to
> the root account, for example, by doing one of:
> - Change root's login shell to /sbin/nologin
> - Change the root password to empty or lock the root password
> - Change Linux-PAM to deny root account access
> - Expire the root account (chage -E0 root)
>
> Any idea which approach works best for OpenBMC?
If you have removed the password, then it can't be used. But if you need
to enable it for debug or in a special use case, then it requires a method
to set a password. We enable setting the root
password using the Set Special User Password OEM command
(https://github.com/openbmc/intel-ipmi-oem/blob/master/src/oemcommands.cpp#L1130).
Let me know your thoughts. As I see it, a decision can be made; I think we
can write a document (with community feedback) and move to a common
solution.
Regards,
Richard
* Re: Re: How can I add a user for openbmc and remove the default root user?
From: Joseph Reynolds @ 2020-01-02 3:16 UTC
To: Thomaiyar, Richard Marian, Gunnar Mills, 南野ムルシエラゴ, openbmc
On 12/19/19 3:09 AM, Thomaiyar, Richard Marian wrote:
>
> On 12/19/2019 12:06 PM, Joseph Reynolds wrote:
>> On 12/18/19 6:42 AM, Thomaiyar, Richard Marian wrote:
>>> Hi Gunnar,
>>>
>>> Yes root user can't be deleted (basically uid 0), can't be deleted.
>>> The method works for other users only, like in case Liu, he wants to
>>> delete the newly created user.
>>
>> FWIW, I am interested in moving the OpenBMC project away from having
>> root login access enabled by default, and specifically disabling SSH
>> access in general, and root access to the BMC's shell. I also want
>> to have a secure way to re-enable this when needed. See
>> https://github.com/ibm-openbmc/dev/issues/1528 Please let me know if
>> you have any ideas on this topic.
>>
> Currently you will be. Remove debug-tweaks & allow-root-login from
> IMAGE_FEATURES, then the build will make sure that root user looses
> group permissions, and OpenBMC is with no user accounts. Any new user
> accounts must be created from Host interface through IPMI interface
> (that's the logic we currently have).
>
> Note:
>
> 1. This will not remove the root user (uid 0, which is needed as you
> mentioned below), but will not have any password (In order to remove
> the password in the OpenBMC it needs one line change to remove usermod
> in phosphor-defaults.inc & the /etc/ipmi_pass file, currently we have
> a patch in the down-stream for the same, as community still needs root
> user account, but OpenBMC has been updated to remove root user from
> Admin & other group privileges, when debug-tweaks / allow-root-logins
> are not defined.
Nice! Thank you for referencing that (I missed that review). It seems
to me that phosphor-defaults.inc should set the root user password only
when IMAGE_FEATURES includes allow-root-login, and otherwise not allow
login. My bitbake is weak, but something like this:
# Set the root password to '0penBmc' if IMAGE_FEATURES contains allow-root-login,
# otherwise prefix the hash with "!" so root cannot login.
# (bb.utils.contains(variable, value, truevalue, falsevalue, d): the "!" is
# emitted when allow-root-login is absent, and it must sit directly in front
# of the quoted hash so usermod sees a single argument.)
EXTRA_USERS_PARAMS_pn-obmc-phosphor-image = " \
    usermod -p \
    ${@bb.utils.contains("IMAGE_FEATURES", 'allow-root-login', "", "!", d)}'\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
    "
(except use correct bitbake syntax).
BTW, we ought to update the [password hash algorithm][], currently
$1$=MD5 to $5$=SHA-256 or $6$=SHA-512.
[password hash algorithm]: https://en.wikipedia.org/wiki/Passwd
>
>>
>> I had understood the original question in this email thread as a
>> request to "disable root access" so "root cannot login". (Note that
>> one consequence of disabling root login is that once you remove root
>> access, it is hard to get back. You'll have to use the sudo comand
>> or su command from another user account, and I don't think sudo is
>> present on OpenBMC systems.)
>>
>> I understand that deleting the root user is not advisable because the
>> system will break. Instead the alternative is to disable access to
>> the root account, for example, by doing one of:
>> - Change root's login shell to /sbin/nologin
>> - Change the root password to empty or lock the root password
>> - Change Linux-PAM to deny root account access
>> - Expire the root account (chage -E0 root)
>>
>> Any idea which approach works best for OpenBMC?
>
> If you have removed the password, then it can't be used. But if you
> need to enable it for debug or on special use case, then it requires a
> method to set a password. We enable setting the root
> password using Set special user password OEM Command
> (https://github.com/openbmc/intel-ipmi-oem/blob/master/src/oemcommands.cpp#L1130).
>
> Let me know your thoughts, As i see a decision can be made, i think we
> can write a document (with community feedback), and move to a common
> solution.
That sounds right to me. I think various OpenBMC users have these use
cases:
Use case 1: remove root access by default
We share the use case of removing root access by default which we can do
by removing 'allow-root-login' from IMAGE_FEATURES.
I would like to see the OpenBMC project move toward this as the
default. That brings me to use case 2...
Use case 2: have a way to re-enable root access
We also need a way to re-enable root access to the BMC's shell. I
suggest we design a phosphor D-Bus API as the common way to enable and
disable root login access.
I see divergent use cases for root shell access. OpenBMC developers
will continue to need root login (for example, SSH to the BMC using
default root credentials) on a regular basis. They will also need that
access when they are called upon to debug systems currently running a
workload.
However, users with sensitive data on their host system will want to
lock out the root user, all SSH access, and especially root SSH access
because of the additional capabilities root has compared with regular
Administrator users and because of the difficulty in monitoring and
auditing shell commands. Specifically, I think root login access and
SSH access must both be addressed. In my opinion, if we give any users
SSH access to the BMC shell, it is too easy for them to escalate that
privilege to root, so we should have a way to lock out SSH access.
The solution you presented is an IPMI OEM command. Another idea is a
Phosphor REST or Redfish API to control these items (root login and SSH
server capability), and limit that to the BMC Administrator role. Those
APIs would use the D-Bus API as the underlying implementation.
I think OpenBMC needs an easy way to re-enable root access before we can
remove root access.
Use case 3: create an admin user by default
A related topic is the use cases for the "genesis experience", that is,
the first time a BMC admin uses their newly-installed BMC. The options
include:
A. The BMC has no default users.02 When needed, they are created via
unauthenticated host access.
B. The BMC has no default users.02 An Administrator account is created by
the initial user to access the system.02 This would make OpenBMC behave
like other operating systems (such as Ubuntu) and devices.
C. The BMC has a user with username=admin and role=Administrator and a
default password. This is close to what OpenBMC has now and what I
would propose for the project default. (Naturally, we would add
'no-admin-user' to IMAGE_FEATURES for use cases that do not want this user.)
The options above all assume the current genesis & provisioning
experience. It would be possible to provision the BMC with its firmware
image, custom user access credentials, an IP address, etc., before
powering on the BMC for the first time. I would like to explore the
possibilities in that space, but the remainder of this note assumes the
traditional genesis experience described in the options above.
In any case, the admin user will have a way to gain root login access
for themselves and to lock out root access by non-admin users.
I think OpenBMC needs to document how to access and provision the BMC,
including details such as how to login as root and how to lock out root
access.
___
As usual, I've written too much. I would be happy to hear your ideas,
review your solution, and help where I can.
- Joseph
TL;DR: More ramblings for the use cases above: Have a way for a BMC
Administrator to gain root access to the BMC shell.
What is the use case to allow a non-root user to use the BMC shell (via
SSH or other access)? What will that let them do? I think you need to
have sudo access for commands like journalctl and systemctl, or to
invoke D-Bus APIs. I mean I think what you can do with the BMC's shell
is extremely limited without sudo access. Are we thinking we should set
up sudo?
If we have sudo access (so I can, for example: `ssh admin1@${bmc_ip}
sudo`) then why would I need to login as root? Would root login be
needed? I think we can do without root logins, but we would need to get
sudo working...and have a way to control when sudo is enabled. (In
other words, I don't have a good idea how to handle this.)
Note: Per the [phosphor user management group roles][], should the
[access via SSH][] be changed to the "ssh" group? It is currently
restricted to the priv-admin group.
[phosphor user management group roles]:
https://github.com/openbmc/docs/blob/master/architecture/user_management.md#supported-group-roles
[Access via SSH]:
https://github.com/openbmc/openbmc/blob/adb78181f2183a3b0aa016cfd5d754710b828f30/meta-phosphor/recipes-core/dropbear/dropbear/dropbear.default
>
>>
>> - Joseph
>>
>>>
>>> Regards,
>>>
>>> Richard
>>>
>>>
>>> On 12/18/2019 2:38 AM, Gunnar Mills wrote:
>>>>
>>>> On 12/16/2019 7:44 AM, Thomaiyar, Richard Marian wrote:
>>>>>
>>>>> Delete interface is exposed as part of the user object itself.
>>>>> Sample busctl command to do the delete of an user under
>>>>> phosphor-user-manager
>>>>>
>>>>> busctl call xyz.openbmc_project.User.Manager
>>>>> /xyz/openbmc_project/user/<username>
>>>>> xyz.openbmc_project.Object.Delete Delete
>>>>>
>>>>>
>>>>
>>>> I am missing something here. This does not work for me. I didn't
>>>> think we allowed removing the root user, which is why it is
>>>> disabled on the WebUI? If we do allow deleting the root user,
>>>> should this be allowed from the WebUI?
>>>>
>>>> When sshed as root:
>>>> busctl call xyz.openbmc_project.User.Manager
>>>> /xyz/openbmc_project/user/root xyz.openbmc_project.Object.Delete
>>>> Delete
>>>> Call failed: The operation failed internally.
>>>>
>>>> In the journal I see
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: userdel: user root
>>>> is currently used by process 1
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation
>>>> failed internally.
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: User delete failed
>>>> Dec 17 20:57:56 w37 phosphor-user-manager[220]: The operation
>>>> failed internally.
>>>>
>>>>
>>>> When sshed as an "Administrator" role account, with the same call:
>>>> Call failed: Access denied
>>>>
>>>> NOTE: As an "Administrator" role I can't delete a user using
>>>> "busctl call"; only from the Redfish/WebUI am I able to.
>>>>
>>>> Thanks!
>>>> Gunnar
>> Regards,
> Richard
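Two points from this exchange are worth checking mechanically: the journal Gunnar quotes shows userdel refusing to remove root because process 1 runs as it, so "removing" root in practice means locking its password rather than deleting the account; and the dropbear.default file Joseph links is where SSH access is restricted to a group (currently priv-admin). The POSIX sh script below is an added example, not code from this thread or from OpenBMC: it audits a BMC's lockout state from a shadow-format file and a dropbear.default-style file. The file contents, the `fakesalt`/`fakehash` values and the temporary paths are constructed for the demo; dropbear's `-w` (disallow root logins) and `-G <group>` (restrict logins to a group) options are real, but what the project's actual default file sets is not assumed here.

```shell
#!/bin/sh
# Added example: audit a BMC's root-login and SSH lockout state.
# Not code from this thread or from OpenBMC; the sample files below are
# constructed for the demo.

# Return 0 if USER's password field in a shadow-format FILE is locked
# (leading '!' or '*', as left by `passwd -l` / `usermod -L`), 1 otherwise.
# Locking blocks password login without deleting the account, which
# userdel refuses for root anyway because PID 1 runs as root.
shadow_user_locked() {
    file=$1
    user=$2
    awk -F: -v u="$user" '
        $1 == u { found = 1; if ($2 ~ /^[!*]/) locked = 1 }
        END { exit !(found && locked) }' "$file"
}

# Print the group that dropbear's -G option restricts logins to, parsed
# from a DROPBEAR_EXTRA_ARGS="..." line in a dropbear.default-style FILE.
# Prints nothing and returns 1 when no -G restriction is configured.
dropbear_login_group() {
    file=$1
    grp=$(sed -n 's/^DROPBEAR_EXTRA_ARGS=.*-G[ =]*\([^" ]*\).*/\1/p' "$file")
    [ -n "$grp" ] || return 1
    printf '%s\n' "$grp"
}

# Return 0 if DROPBEAR_EXTRA_ARGS in FILE carries -w (dropbear's
# "disallow root logins" flag), 1 otherwise.
dropbear_root_ssh_disallowed() {
    grep -Eq '^DROPBEAR_EXTRA_ARGS=.*[" ]-w([" ]|$)' "$1"
}

# Run all three checks, print one line per check, return 0 only if all pass.
# Each is an independent control: a locked root password, root barred from
# SSH, and SSH limited to a named group.
audit_bmc_access() {
    shadow=$1
    dropbear=$2
    rc=0
    if shadow_user_locked "$shadow" root; then
        echo "root password login: locked"
    else
        echo "root password login: ENABLED"
        rc=1
    fi
    if dropbear_root_ssh_disallowed "$dropbear"; then
        echo "root ssh login: disallowed (-w)"
    else
        echo "root ssh login: ALLOWED"
        rc=1
    fi
    if grp=$(dropbear_login_group "$dropbear"); then
        echo "ssh logins restricted to group: $grp"
    else
        echo "ssh logins: NOT restricted to a group"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not real BMC files). "locked" models a BMC with
# root's password locked and SSH limited to priv-admin; "open" models a
# password-enabled root and an unrestricted SSH server.
make_sample() {
    dir=$(mktemp -d)
    case $1 in
    locked)
        printf 'root:!:18250:0:99999:7:::\n' > "$dir/shadow"
        printf 'admin1:$6$fakesalt$fakehash:18250:0:99999:7:::\n' >> "$dir/shadow"
        printf 'DROPBEAR_EXTRA_ARGS="-w -G priv-admin"\n' > "$dir/dropbear.default"
        ;;
    *)
        printf 'root:$6$fakesalt$fakehash:18250:0:99999:7:::\n' > "$dir/shadow"
        printf 'DROPBEAR_EXTRA_ARGS=""\n' > "$dir/dropbear.default"
        ;;
    esac
    printf '%s\n' "$dir"
}

# Stand-alone demo: audit both constructed samples.
for s in locked open; do
    d=$(make_sample "$s")
    echo "== sample: $s =="
    audit_bmc_access "$d/shadow" "$d/dropbear.default" \
        && echo "result: PASS" || echo "result: FAIL"
    rm -r "$d"
done
```

On a real BMC you would point `audit_bmc_access` at `/etc/shadow` and the installed dropbear default file instead of the samples; the checks only read those files, so they are safe to run from a read-only audit shell.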
Thread overview: 10+ messages
2019-12-14 9:57 How can I add a user for openbmc and remove the default root user? 南野ムルシエラゴ
2019-12-16 6:48 ` Thomaiyar, Richard Marian
2019-12-16 9:01 ` Re: How can I add a user for openbmc and remove the default root user? 南野ムルシエラゴ
2019-12-16 13:44 ` Re: How can I add a user for openbmc and remove the default root user? Thomaiyar, Richard Marian
2019-12-17 2:16 ` Re: Re: How can I add a user for openbmc and remove the default root user? 南野ムルシエラゴ
2019-12-17 21:08 ` Re: How can I add a user for openbmc and remove the default root user? Gunnar Mills
2019-12-18 12:42 ` Thomaiyar, Richard Marian
2019-12-19 6:36 ` Joseph Reynolds
2019-12-19 9:09 ` Thomaiyar, Richard Marian
2020-01-02 3:16 ` Joseph Reynolds