[Buildroot] [PATCH v3 7/8] package/petitboot: enable user separation

Reza Arbab arbab at linux.ibm.com
Thu Nov 9 16:16:42 UTC 2023


On Sun, Nov 05, 2023 at 07:26:16PM +0100, Arnout Vandecappelle wrote:
>On 09/10/2023 17:17, Reza Arbab wrote:
>>Run the petitboot UI as an unprivileged user. This requires using the
>>agetty package instead of the busybox getty utility, running the initial
>>pb-console helper at user login rather than directly.
>
> That sounds counterproductive though? It means you have to log in 
>before the boot menu is displayed? Or perhaps I misunderstand the 
>statement here.
>
> It's also not clear why it would need agetty instead of busybox getty.

Sorry, I didn't explain it very well. The chain goes like this:

1. /etc/init.d/pb-console start console
2. /usr/libexec/petitboot/pb-console --getty --detach -- -n -i 0 console linux
3. /sbin/getty -l/usr/libexec/petitboot/pb-console -n -i 0 console linux
4. /usr/libexec/petitboot/pb-console
5. /usr/sbin/petitboot-nc

After the change:

1. /etc/init.d/pb-console start console
2. /usr/libexec/petitboot/pb-console --getty=/sbin/agetty --detach -- -a petituser -n -i console linux
3. /sbin/agetty -a petituser -n -i console linux
4. /home/petituser/.profile
5. /usr/libexec/petitboot/pb-console
6. /usr/sbin/petitboot-nc

Because we're using the -a (autologin) feature of agetty, everything 
from (4) down is running as petituser. If you select "drop to shell" 
from the menu, you then also do

7. /home/petituser/.shrc (the $ENV set in .profile)
8. /bin/sh

>>If sudo is installed, with a sudoers policy allowing petituser to
>>perform sudo with no password (or a blank password), the "drop to shell"
>>feature of petitboot will automatically become a root shell.
>
> It seems to me that the logical thing to do would be to drop into an 
>actual getty, which asks for a login and password.

At this point we're already running getty and (auto)logged in as
petituser. The sudo integration allows system-specific flexibility in 
if/how the shell may be elevated. As petituser, the shell has 
permission to collect diagnostics/logs by running pb-sos.

>>--- a/package/petitboot/S15pb-discover
>>+++ b/package/petitboot/S15pb-discover
>>@@ -12,7 +12,9 @@ fi
>>  start() {
>>  	printf 'Starting %s: ' "$DAEMON"
>>-	mkdir -p /var/log/petitboot
>>+	# shellcheck disable=SC2174 # only apply -m to deepest dir
>>+	mkdir -p -m 0775 /var/log/petitboot
>>+	chown root:petitgroup /var/log/petitboot
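Review bot: the `mkdir -p -m 0775` / `chown` pair on the last three lines only sets the mode when mkdir actually creates the directory; if /var/log/petitboot already exists as 0755 from an earlier boot or a persistent /var, `mkdir -p` leaves that mode in place and petitgroup still cannot write there. `install -d -m 0775 -o root -g petitgroup /var/log/petitboot` applies mode and ownership in one step whether or not the directory exists, and it also removes the need for the shellcheck SC2174 exception.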
>
> Why is it owned by root and not petituser?

I don't see any reason why it couldn't be owned by petituser.

>>@@ -84,4 +88,12 @@ endef
>>  PETITBOOT_POST_INSTALL_TARGET_HOOKS += PETITBOOT_POST_INSTALL
>>+define PETITBOOT_USERS
>>+	petituser -1 petitgroup -1 * /home/petituser /bin/sh - petitboot user
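Review bot: the users entry gives petituser the shell /bin/sh and home /home/petituser, and the chain described earlier in this mail depends on /home/petituser/.profile starting pb-console and on .shrc being the $ENV for "drop to shell", but the quoted hunks do not show where those two files are installed; the commit message should name the install hook that provides them, since without .profile the agetty autologin would land in a plain shell rather than the boot menu.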
>
> Are petitgroup and petituser standard names? If not, we normally use 
>the package name as username and group name, i.e.
>
>	petitboot -1 petitboot -1 ...

I think we could change petituser to petitboot, but there is a hardcoded 
reference to petitgroup in the code:

   discover/discover-server.c:     group = getgrnam("petitgroup");

>>+define PETITBOOT_PERMISSIONS
>>+	/var/petitboot d 775 root petitgroup - - - - -
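Review bot: /var/petitboot is created here through the build-time permissions table while /var/log/petitboot is created at runtime in S15pb-discover with the same 775 root:petitgroup ownership; a sentence in the commit message explaining why the two directories use different mechanisms would help, and if /var is a tmpfs on the target the build-time entry will not survive the first boot, so pb-discover's mount point would need the same runtime handling.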
>
> What is /var/petitboot used for?

That is where pb-discover mounts devices, looking for boot sources:

   /var/petitboot/mnt/dev/nvme0n1p1/grub2/grub.cfg
   /var/petitboot/mnt/dev/nvme0n1p1/vmlinux

-- 
Reza Arbab
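An added example, not code from the patch or from Buildroot, contrasting the `mkdir -p -m` plus `chown` sequence used in S15pb-discover for /var/log/petitboot with `install -d`, which also corrects the mode and ownership of a directory that already exists. The function names, the demo directory and the owner/group values passed in are placeholders chosen for this example; it assumes GNU or BusyBox `stat` and `install`.

```shell
#!/bin/sh
# Added example, not code from the patch or from Buildroot. It contrasts the
# "mkdir -p -m ... ; chown ..." sequence used in S15pb-discover with
# "install -d", which also fixes up a directory that already exists.
# Owner and group are passed in by the caller (placeholders in the demo).

# Patch style. "-m" only takes effect when mkdir actually creates the
# deepest directory; an existing /var/log/petitboot keeps its old mode.
create_mkdir_style() {
    mkdir -p -m "$2" "$1"
    chown "$3:$4" "$1"
}

# Hardened style (GNU/BusyBox install -d): mode and ownership are applied
# whether the leaf directory is new or pre-existing, independent of umask.
create_install_style() {
    install -d -m "$2" -o "$3" -g "$4" "$1"
}

# Report "mode owner group" for a path, e.g. "775 root petitgroup".
# Assumes GNU/BusyBox stat (the -c option is not available on BSD/macOS).
dir_state() {
    stat -c '%a %U %G' "$1"
}

# Constructed scenario: a directory that already exists as 0755, as it
# would after an earlier boot with a persistent /var. Prints the state
# after each method so the difference is visible.
demo() {
    me=$(id -un); mg=$(id -gn)
    work=$(mktemp -d)
    mkdir -m 0755 "$work/petitboot"
    create_mkdir_style "$work/petitboot" 0775 "$me" "$mg"
    echo "after mkdir -p -m + chown: $(dir_state "$work/petitboot")"
    create_install_style "$work/petitboot" 0775 "$me" "$mg"
    echo "after install -d:          $(dir_state "$work/petitboot")"
    rm -rf "$work"
}
```

Run `demo` to see the first line report 755 (mode unchanged) and the second 775.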
