* meta-phosphor: enable `allow-root-login`?
@ 2021-12-30 13:52 Patrick Williams
2022-01-04 15:32 ` Johnathan Mantey
2022-01-04 18:32 ` Ed Tanous
0 siblings, 2 replies; 5+ messages in thread
From: Patrick Williams @ 2021-12-30 13:52 UTC (permalink / raw)
To: OpenBMC List
[-- Attachment #1: Type: text/plain, Size: 1155 bytes --]
Hello,
Looking for opinions, especially from security minded individuals...
In many of our `local.conf.sample` files we enable "debug-tweaks" but for
production builds this is probably not a good idea. I had it turned off on a
production build and ran into a case where we could not log in as root on SSH.
We debugged this down to missing the 'priv-admin' group for root, which is
typically enabled in `phosphor-rootfs-postcommands.bbclass` when either
"debug-tweaks" or "allow-root-login" is enabled.
I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
happen again. Is there any reason why we wouldn't want to enable it by default
in meta-phosphor? There isn't really full support for non-root users in the
base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
enabled by default?
I'm fine leaving this in meta-facebook, but I'm trying to prevent someone else
from having the same issue for what seems like a default case presently.
1. https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/phosphor-rootfs-postcommands.bbclass#L10
--
Patrick Williams
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: meta-phosphor: enable `allow-root-login`?
2021-12-30 13:52 meta-phosphor: enable `allow-root-login`? Patrick Williams
@ 2022-01-04 15:32 ` Johnathan Mantey
2022-01-04 18:26 ` Patrick Williams
2022-01-04 18:32 ` Ed Tanous
1 sibling, 1 reply; 5+ messages in thread
From: Johnathan Mantey @ 2022-01-04 15:32 UTC (permalink / raw)
To: Patrick Williams, OpenBMC List
[-- Attachment #1.1: Type: text/plain, Size: 1303 bytes --]
Patrick....
On 12/30/21 05:52, Patrick Williams wrote:
<snip>
>
> I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
> happen again. Is there any reason why we wouldn't want to enable it by default
> in meta-phosphor? There isn't really full support for non-root users in the
> base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
> enabled by default?
Intel explicitly requires root login to be disabled for production
releases. Especially since the default password is a known quantity.
The Intel security audit group enforced blocking a default user for the
S2600 WF/BNP/STP series of servers. All user accounts are created using
local IPMI commands.
Intel will prefer the existing behavior remain.
>
> I'm fine leaving this in meta-facebook, but I'm trying to prevent someone else
> from having the same issue for what seems like a default case presently.
>
> 1. https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/phosphor-rootfs-postcommands.bbclass#L10
>
--
Johnathan Mantey
Senior Software Engineer
*azad te**chnology partners*
Contributing to Technology Innovation since 1992
Phone: (503) 712-6764
Email: johnathanx.mantey@intel.com <mailto:johnathanx.mantey@intel.com>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: meta-phosphor: enable `allow-root-login`?
2022-01-04 15:32 ` Johnathan Mantey
@ 2022-01-04 18:26 ` Patrick Williams
2022-01-04 19:24 ` Johnathan Mantey
0 siblings, 1 reply; 5+ messages in thread
From: Patrick Williams @ 2022-01-04 18:26 UTC (permalink / raw)
To: Johnathan Mantey; +Cc: OpenBMC List
[-- Attachment #1: Type: text/plain, Size: 1275 bytes --]
On Tue, Jan 04, 2022 at 07:32:06AM -0800, Johnathan Mantey wrote:
> Patrick....
>
> On 12/30/21 05:52, Patrick Williams wrote:
> > I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
> > happen again. Is there any reason why we wouldn't want to enable it by default
> > in meta-phosphor? There isn't really full support for non-root users in the
> > base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
> > enabled by default?
>
> Intel explicitly requires root login to be disabled for production
> releases. Especially since the default password is a known quantity.
>
> The Intel security audit group enforced blocking a default user for the
> S2600 WF/BNP/STP series of servers. All user accounts are created using
> local IPMI commands.
Is this currently able to be done with all upstream functionality or something
that only works in your own forks?
> Intel will prefer the existing behavior remain.
It seems to me that the current behavior is broken for typical cases using
currently upstreamed functionality and so that's why I'm suggesting that
meta-phosphor be "fixed". It'd be pretty easy to IMAGE_FEATURE:remove this
for meta-intel-bmc, right?
--
Patrick Williams
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: meta-phosphor: enable `allow-root-login`?
2021-12-30 13:52 meta-phosphor: enable `allow-root-login`? Patrick Williams
2022-01-04 15:32 ` Johnathan Mantey
@ 2022-01-04 18:32 ` Ed Tanous
1 sibling, 0 replies; 5+ messages in thread
From: Ed Tanous @ 2022-01-04 18:32 UTC (permalink / raw)
To: Patrick Williams; +Cc: OpenBMC List
On Thu, Dec 30, 2021 at 5:52 AM Patrick Williams <patrick@stwcx.xyz> wrote:
>
> Hello,
>
> Looking for opinions, especially from security minded individuals...
>
> In many of our `local.conf.sample` files we enable "debug-tweaks" but for
> production builds this is probably not a good idea. I had it turned off on a
> production build and ran into a case where we could not log in as root on SSH.
> We debugged this down to missing the 'priv-admin' group for root, which is
> typically enabled in `phosphor-rootfs-postcommands.bbclass` when either
> "debug-tweaks" or "allow-root-login" is enabled.
>
> I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
> happen again. Is there any reason why we wouldn't want to enable it by default
> in meta-phosphor? There isn't really full support for non-root users in the
> base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
> enabled by default?
Doesn't this directly violate the principle of least privilege? I
wouldn't expect root to be usable to outside users, given that it
gives significantly more permissions than any outside user should have
access to. My understanding was that priv-admin was supposed to be
the privilege level for "all permissions for things that an external
user should be able to do". Is that not working for your use case?
It'd be interesting to understand what permissions priv-admin is
missing. I don't really think giving out root to external users is a
good idea in general.
>
> I'm fine leaving this in meta-facebook, but I'm trying to prevent someone else
> from having the same issue for what seems like a default case presently.
>
> 1. https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/phosphor-rootfs-postcommands.bbclass#L10
>
> --
> Patrick Williams
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: meta-phosphor: enable `allow-root-login`?
2022-01-04 18:26 ` Patrick Williams
@ 2022-01-04 19:24 ` Johnathan Mantey
0 siblings, 0 replies; 5+ messages in thread
From: Johnathan Mantey @ 2022-01-04 19:24 UTC (permalink / raw)
To: Patrick Williams; +Cc: OpenBMC List
[-- Attachment #1.1.1: Type: text/plain, Size: 1696 bytes --]
On 1/4/22 10:26, Patrick Williams wrote:
> On Tue, Jan 04, 2022 at 07:32:06AM -0800, Johnathan Mantey wrote:
>> Patrick....
>>
>> On 12/30/21 05:52, Patrick Williams wrote:
>>> I am currently enabling this IMAGE_FEATURE in meta-facebook to avoid having this
>>> happen again. Is there any reason why we wouldn't want to enable it by default
>>> in meta-phosphor? There isn't really full support for non-root users in the
>>> base systems anyhow, so is there anyone that wouldn't want "allow-root-login"
>>> enabled by default?
>> Intel explicitly requires root login to be disabled for production
>> releases. Especially since the default password is a known quantity.
>>
>> The Intel security audit group enforced blocking a default user for the
>> S2600 WF/BNP/STP series of servers. All user accounts are created using
>> local IPMI commands.
> Is this currently able to be done with all upstream functionality or something
> that only works in your own forks?
As a developer for Intel I have to explicitly add 'debug-tweaks' back
into our bitbake config. I've not dug into who made the decision, and
which layer of the build process enforced it.
>
>> Intel will prefer the existing behavior remain.
> It seems to me that the current behavior is broken for typical cases using
> currently upstreamed functionality and so that's why I'm suggesting that
> meta-phosphor be "fixed". It'd be pretty easy to IMAGE_FEATURE:remove this
> for meta-intel-bmc, right?
>
--
Johnathan Mantey
Senior Software Engineer
*azad te**chnology partners*
Contributing to Technology Innovation since 1992
Phone: (503) 712-6764
Email: johnathanx.mantey@intel.com
[-- Attachment #1.1.2: Type: text/html, Size: 3389 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-01-04 19:26 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-30 13:52 meta-phosphor: enable `allow-root-login`? Patrick Williams
2022-01-04 15:32 ` Johnathan Mantey
2022-01-04 18:26 ` Patrick Williams
2022-01-04 19:24 ` Johnathan Mantey
2022-01-04 18:32 ` Ed Tanous
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.