[Buildroot] [PATCH v3 7/8] package/petitboot: enable user separation
Reza Arbab
arbab at linux.ibm.com
Thu Nov 9 16:16:42 UTC 2023
On Sun, Nov 05, 2023 at 07:26:16PM +0100, Arnout Vandecappelle wrote:
>On 09/10/2023 17:17, Reza Arbab wrote:
>>Run the petitboot UI as an unprivileged user. This requires using the
>>agetty package instead of the busybox getty utility, running the initial
>>pb-console helper at user login rather than directly.
>
> That sounds counterproductive though? It means you have to log in
>before the boot menu is displayed? Or perhaps I misunderstand the
>statement here.
>
> It's also not clear why it would need agetty instead of busybox getty.
Sorry, I didn't explain it very well. The chain goes like this:
1. /etc/init.d/pb-console start console
2. /usr/libexec/petitboot/pb-console --getty --detach -- -n -i 0 console linux
3. /sbin/getty -l/usr/libexec/petitboot/pb-console -n -i 0 console linux
4. /usr/libexec/petitboot/pb-console
5. /usr/sbin/petitboot-nc
After the change:
1. /etc/init.d/pb-console start console
2. /usr/libexec/petitboot/pb-console --getty=/sbin/agetty --detach -- -a petituser -n -i console linux
3. /sbin/agetty -a petituser -n -i console linux
4. /home/petituser/.profile
5. /usr/libexec/petitboot/pb-console
6. /usr/sbin/petitboot-nc
Because we're using the -a (autologin) feature of agetty, everything
from (4) down is running as petituser. If you select "drop to shell"
from the menu, you then also do
7. /home/petituser/.shrc (the $ENV set in .profile)
8. /bin/sh
>>If sudo is installed, with a sudoers policy allowing petituser to
>>perform sudo with no password (or a blank password), the "drop to shell"
>>feature of petitboot will automatically become a root shell.
>
> It seems to me that the logical thing to do would be to drop into an
>actual getty, which asks for a login and password.
At this point we're already running getty and (auto)logged in as
petituser. The sudo integration allows system-specific flexibility in
if/how the shell may be elevated. As petituser, the shell has
permission to collect diagnostics/logs by running pb-sos.
>>--- a/package/petitboot/S15pb-discover
>>+++ b/package/petitboot/S15pb-discover
>>@@ -12,7 +12,9 @@ fi
>> start() {
>> printf 'Starting %s: ' "$DAEMON"
>>- mkdir -p /var/log/petitboot
>>+ # shellcheck disable=SC2174 # only apply -m to deepest dir
>>+ mkdir -p -m 0775 /var/log/petitboot
>>+ chown root:petitgroup /var/log/petitboot
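Review bot: `mkdir -p -m 0775` only applies the mode when it actually creates the directory, so if /var/log/petitboot already exists (persistent /var/log, or a directory shipped in the rootfs) its mode is left untouched while the `chown` still runs every start. If the intent is to enforce a group-writable log directory unconditionally, add `chmod 0775 /var/log/petitboot` after the chown (or drop `-m` and rely on chmod alone, which also removes the need for the SC2174 exemption).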
>
> Why is it owned by root and not petituser?
I don't see any reason why it couldn't be owned by petituser.
>>@@ -84,4 +88,12 @@ endef
>> PETITBOOT_POST_INSTALL_TARGET_HOOKS += PETITBOOT_POST_INSTALL
>>+define PETITBOOT_USERS
>>+ petituser -1 petitgroup -1 * /home/petituser /bin/sh - petitboot user
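Review bot: the user and group names in this entry (petituser/petitgroup) deviate from the usual package-name convention, and the discussion notes that petitgroup is looked up by name in discover/discover-server.c via getgrnam("petitgroup"); a comment immediately above `define PETITBOOT_USERS` stating that the group name is fixed by the discover server would keep a later cleanup from renaming it and silently breaking pb-discover.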
>
> Are petitgroup and petituser standard names? If not, we normally use
>the package name as username and group name, i.e.
>
> petitboot -1 petitboot -1 ...
I think we could change petituser to petitboot, but there is a hardcoded
reference to petitgroup in the code:
discover/discover-server.c: group = getgrnam("petitgroup");
>>+define PETITBOOT_PERMISSIONS
>>+ /var/petitboot d 775 root petitgroup - - - - -
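Review bot: `/var/petitboot` is created root-owned but group-writable (775) for petitgroup, while the reply says it is where pb-discover mounts devices, which requires root. If only pb-discover writes there, 755 is enough and keeps petitgroup members from creating entries next to the mount tree; if the unprivileged UI does need to write under it, a comment naming those paths would document why 775 is required.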
>
> What is /var/petitboot used for?
That is where pb-discover mounts devices, looking for boot sources:
/var/petitboot/mnt/dev/nvme0n1p1/grub2/grub.cfg
/var/petitboot/mnt/dev/nvme0n1p1/vmlinux
--
Reza Arbab
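As an added illustration (not code from the patch series or from petitboot itself), the script below audits a sudoers policy for what the "drop to shell" step discussed above yields for petituser, assuming that escape amounts to running a shell through sudo; the sample policies and the user/group names are constructed.

```python
import re
from dataclasses import dataclass

# A plain sudoers user specification:  who host=(runas[:group]) [TAG:] cmd, cmd ...
_RULE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
_SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/dash"}

@dataclass
class Grant:
    who: str        # user name, or %group
    runas: str      # target user; sudo defaults to root when omitted
    nopasswd: bool
    commands: tuple

def parse_sudoers(text):
    """Collect user specifications; comments, #include and alias lines are skipped."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        cmds = tuple(c.strip() for c in m.group("cmds").split(","))
        grants.append(Grant(m.group("who"), runas, "NOPASSWD:" in m.group("tags"), cmds))
    return grants

def drop_to_shell_outcome(sudoers_text, user, groups=()):
    """Classify what the UI's shell escape yields for `user` under this policy."""
    def applies(g):
        return g.who in ("ALL", user) or (g.who.startswith("%") and g.who[1:] in groups)
    def gives_root_shell(g):
        return g.runas in ("ALL", "root") and (
            "ALL" in g.commands or any(c.split(" ", 1)[0] in _SHELLS for c in g.commands))
    root_grants = [g for g in parse_sudoers(sudoers_text) if applies(g) and gives_root_shell(g)]
    if any(g.nopasswd for g in root_grants):
        return "root shell without password"
    if root_grants:
        return "root shell after password prompt"
    return "unprivileged shell"

# Constructed sample policies, not from the patch series: open escape vs. one allowed command.
SAMPLE_OPEN = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\npetituser ALL=(root) NOPASSWD: ALL\n"
SAMPLE_LIMITED = "%petitgroup ALL=(root) NOPASSWD: /sbin/reboot\n"
```

Running `drop_to_shell_outcome(open("/etc/sudoers").read(), "petituser", ("petitgroup",))` on a target rootfs reports which of the three outcomes the integrator's policy produces.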