diff options
author | Joseph Reynolds <joseph-reynolds@charter.net> | 2021-02-25 02:20:01 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2021-05-13 15:17:14 +0300 |
commit | 68e567f9e76d4e54a70a84dbc43050d4cf214562 (patch) | |
tree | 7f0b2303f18125cffbff28fca850bfcd20023e1e /meta-ibm/recipes-extended | |
parent | 01439a98f9b7b599ac02da3d90bc1954aee86cd8 (diff) | |
download | openbmc-68e567f9e76d4e54a70a84dbc43050d4cf214562.tar.xz |
IBM DISTRO_FEATURE ibm-service-account-policy
This creates a new DISTRO_FEATURE "ibm-service-account-policy" which
- Adds an admin account which cannot SSH to the BMC's command shell.
- Adds a service account which can SSH and has passwordless sudo access.
This feature is applied to witherspoon-tacoma and p10bmc (rainier).
Tested:
The image behaves as before when the distro feature is not configured.
When the distro feature is configured:
The root user has the same access as before.
The admin user:
- Is not allowed to access the BMC's command shell.
- Console login gets: This account is currently not available.
- SSH login gets: Permission denied, please try again.
- Redfish and REST API access works with role=Administrator.
The service user:
- Console login to the BMC's command shell works. The home
directory is /. Passwordless sudo works.
- SSH login works and using sudo from a SSH session works.
- Redfish and REST API access works with role=Administrator.
Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Diffstat (limited to 'meta-ibm/recipes-extended')
-rw-r--r-- | meta-ibm/recipes-extended/sudo/sudo_%.bbappend | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/meta-ibm/recipes-extended/sudo/sudo_%.bbappend b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend new file mode 100644 index 000000000..f4254e7ba --- /dev/null +++ b/meta-ibm/recipes-extended/sudo/sudo_%.bbappend @@ -0,0 +1,8 @@ +# Allow passwordless use of sudo + +PACKAGECONFIG += "pam-wheel" + +do_install_append () { + # Allow members of the 'wheel' group to use passwordless sudo + sed -i 's/# \(%wheel ALL=(ALL) NOPASSWD: ALL\)/\1/' ${D}${sysconfdir}/sudoers +} |