authorRichard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>2020-02-05 18:26:53 +0300
committerThomaiyar, Richard Marian <richard.marian.thomaiyar@intel.com>2020-02-08 05:12:38 +0300
commitdd00e1aa35fce669ad6665904dc096f1f792a96b (patch)
tree8482dbdc9403a82c8dc6a845658c6d093033c78d
parentfdb1caccf85564a28b8a11b6d9c1daa70886eaca (diff)
[Mfg-mode]: Configure root user with null passwd
Configure the special user with a null password when entering manufacturing mode and the special user password is in the disabled state. Note: This feature is under the VALIDATION_UNSECURE flag, and hence will be available in the reference-only image. Tested: 1. Built the image without debug-tweaks and flashed the same 2. Confirmed that the root user is not enabled during regular boot 3. Pressed the power button for 15 seconds during AC cycle, and entered manufacturing mode 4. Able to log in to the root user with no password and updated the password to a new one, due to enforcement 5. Verified upon rebooting that the newly configured password can be used to log in to the serial console. 6. Entered manufacturing mode again, to make sure the root user password is not set to null again as it is already configured. Change-Id: I6aab8713a7c4d7d75b63b1b58ee063b09d9db990 Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
-rw-r--r--special-mode-mgr/CMakeLists.txt4
-rw-r--r--special-mode-mgr/cmake/FindPAM.cmake71
-rw-r--r--special-mode-mgr/src/specialmodemgr.cpp74
3 files changed, 7 insertions, 142 deletions
diff --git a/special-mode-mgr/CMakeLists.txt b/special-mode-mgr/CMakeLists.txt
index 6fe7f86..fa69da8 100644
--- a/special-mode-mgr/CMakeLists.txt
+++ b/special-mode-mgr/CMakeLists.txt
@@ -1,6 +1,5 @@
cmake_minimum_required(VERSION 3.5 FATAL_ERROR)
project(specialmodemgr CXX)
-set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-rtti")
@@ -39,15 +38,12 @@ link_directories(${DBUSINTERFACE_LIBRARY_DIRS})
find_package(PkgConfig REQUIRED)
pkg_check_modules(LOGGING phosphor-logging REQUIRED)
-find_package(PAM REQUIRED)
-
add_executable(${PROJECT_NAME} ${SRC_FILES})
target_link_libraries(${PROJECT_NAME} systemd)
target_link_libraries(${PROJECT_NAME} ${SDBUSPLUSPLUS_LIBRARIES})
target_link_libraries(${PROJECT_NAME} ${DBUSINTERFACE_LIBRARIES})
target_link_libraries(${PROJECT_NAME} ${Boost_LIBRARIES})
target_link_libraries(${PROJECT_NAME} phosphor_logging)
-target_link_libraries(${PROJECT_NAME} pam)
link_directories(${EXTERNAL_INSTALL_LOCATION}/lib)
diff --git a/special-mode-mgr/cmake/FindPAM.cmake b/special-mode-mgr/cmake/FindPAM.cmake
deleted file mode 100644
index 25307bd..0000000
--- a/special-mode-mgr/cmake/FindPAM.cmake
+++ /dev/null
@@ -1,71 +0,0 @@
-# - Try to find the PAM libraries
-# Once done this will define
-#
-# PAM_FOUND - system has pam
-# PAM_INCLUDE_DIR - the pam include directory
-# PAM_LIBRARIES - libpam library
-
-if (PAM_INCLUDE_DIR AND PAM_LIBRARY)
- # Already in cache, be silent
- set(PAM_FIND_QUIETLY TRUE)
-endif (PAM_INCLUDE_DIR AND PAM_LIBRARY)
-
-find_path(PAM_INCLUDE_DIR NAMES security/pam_appl.h pam/pam_appl.h)
-find_library(PAM_LIBRARY pam)
-find_library(DL_LIBRARY dl)
-
-if (PAM_INCLUDE_DIR AND PAM_LIBRARY)
- set(PAM_FOUND TRUE)
- if (DL_LIBRARY)
- set(PAM_LIBRARIES ${PAM_LIBRARY} ${DL_LIBRARY})
- else (DL_LIBRARY)
- set(PAM_LIBRARIES ${PAM_LIBRARY})
- endif (DL_LIBRARY)
-
- if (EXISTS ${PAM_INCLUDE_DIR}/pam/pam_appl.h)
- # darwin claims to be something special
- set(HAVE_PAM_PAM_APPL_H 1)
- endif (EXISTS ${PAM_INCLUDE_DIR}/pam/pam_appl.h)
-
- if (NOT DEFINED PAM_MESSAGE_CONST)
- include(CheckCXXSourceCompiles)
- # XXX does this work with plain c?
- check_cxx_source_compiles("
-#if ${HAVE_PAM_PAM_APPL_H}+0
-# include <pam/pam_appl.h>
-#else
-# include <security/pam_appl.h>
-#endif
-static int PAM_conv(
- int num_msg,
- const struct pam_message **msg, /* this is the culprit */
- struct pam_response **resp,
- void *ctx)
-{
- return 0;
-}
-int main(void)
-{
- struct pam_conv PAM_conversation = {
- &PAM_conv, /* this bombs out if the above does not match */
- 0
- };
- return 0;
-}
-" PAM_MESSAGE_CONST)
- endif (NOT DEFINED PAM_MESSAGE_CONST)
- set(PAM_MESSAGE_CONST ${PAM_MESSAGE_CONST} CACHE BOOL "PAM expects a conversation function with const pam_message")
-
-endif (PAM_INCLUDE_DIR AND PAM_LIBRARY)
-
-if (PAM_FOUND)
- if (NOT PAM_FIND_QUIETLY)
- message(STATUS "Found PAM: ${PAM_LIBRARIES}")
- endif (NOT PAM_FIND_QUIETLY)
-else (PAM_FOUND)
- if (PAM_FIND_REQUIRED)
- message(FATAL_ERROR "PAM was not found")
- endif(PAM_FIND_REQUIRED)
-endif (PAM_FOUND)
-
-mark_as_advanced(PAM_INCLUDE_DIR PAM_LIBRARY DL_LIBRARY PAM_MESSAGE_CONST)
diff --git a/special-mode-mgr/src/specialmodemgr.cpp b/special-mode-mgr/src/specialmodemgr.cpp
index 61c1d8a..6e7361f 100644
--- a/special-mode-mgr/src/specialmodemgr.cpp
+++ b/special-mode-mgr/src/specialmodemgr.cpp
@@ -17,7 +17,6 @@
#include "specialmodemgr.hpp"
#include "file.hpp"
-#include <security/pam_appl.h>
#include <sys/sysinfo.h>
#include <pwd.h>
@@ -52,62 +51,12 @@ namespace secCtrl = sdbusplus::xyz::openbmc_project::Control::Security::server;
#ifdef BMC_VALIDATION_UNSECURE_FEATURE
-static int pamFunctionConversation(int numMsg, const struct pam_message** msg,
- struct pam_response** resp, void* appdataPtr)
-{
- if (appdataPtr == nullptr)
- {
- return PAM_AUTH_ERR;
- }
- size_t passSize = std::strlen(reinterpret_cast<char*>(appdataPtr)) + 1;
- char* pass = reinterpret_cast<char*>(malloc(passSize));
- std::strncpy(pass, reinterpret_cast<char*>(appdataPtr), passSize);
-
- *resp = reinterpret_cast<pam_response*>(
- calloc(numMsg, sizeof(struct pam_response)));
-
- for (int i = 0; i < numMsg; ++i)
- {
- if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
- {
- continue;
- }
- resp[i]->resp = pass;
- }
- return PAM_SUCCESS;
-}
-
-int pamUpdatePasswd(const char* username, const char* password)
-{
- const struct pam_conv localConversation = {pamFunctionConversation,
- const_cast<char*>(password)};
- pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start
-
- int retval =
- pam_start("passwd", username, &localConversation, &localAuthHandle);
-
- if (retval != PAM_SUCCESS)
- {
- return retval;
- }
-
- retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
- if (retval != PAM_SUCCESS)
- {
- pam_end(localAuthHandle, retval);
- return retval;
- }
-
- return pam_end(localAuthHandle, PAM_SUCCESS);
-}
-
static void checkAndConfigureSpecialUser()
{
std::array<char, 4096> sbuffer{};
struct spwd spwd;
struct spwd* resultPtr = nullptr;
constexpr const char* specialUser = "root";
- constexpr const char* specialUserDefPasswd = "0penBmc1";
// Query shadow entry for special user.
int status = getspnam_r(specialUser, &spwd, sbuffer.data(),
@@ -117,22 +66,10 @@ static void checkAndConfigureSpecialUser()
phosphor::logging::log<phosphor::logging::level::ERR>(
"Error in querying shadow entry for special user");
}
- // Encrypted Password may be NULL or single character '!' if user is
- // disabled
- if (resultPtr->sp_pwdp[0] == 0 || resultPtr->sp_pwdp[1] == 0)
+ // Password will be single character '!' or '*' for disabled login
+ if ((resultPtr->sp_pwdp[0] == '!' || resultPtr->sp_pwdp[0] == '*') &&
+ resultPtr->sp_pwdp[1] == 0)
{
- pamUpdatePasswd(specialUser, specialUserDefPasswd);
- // requery the special user shadow entry as there is password
- // update.
- resultPtr = nullptr;
- status = getspnam_r(specialUser, &spwd, sbuffer.data(),
- sbuffer.max_size(), &resultPtr);
- if (status || (&spwd != resultPtr))
- {
- phosphor::logging::log<phosphor::logging::level::ERR>(
- "Error in querying shadow entry for special user");
- }
- // Mark the password as expired to force update the password
File passwdFd("/etc/shadow", "r+");
if ((passwdFd)() == nullptr)
{
@@ -140,8 +77,11 @@ static void checkAndConfigureSpecialUser()
"Error in opening shadow file");
return;
}
+ // Mark the special user password as null, to allow
+ // nullok login.
+ resultPtr->sp_pwdp[0] = 0;
// Mark the special user password as expired. This will
- // force the user to set new password on first login.
+ // force user to update new password on first login.
resultPtr->sp_lstchg = 0;
putspent(resultPtr, (passwdFd)());
phosphor::logging::log<phosphor::logging::level::INFO>(