authorNinad Palsule <ninadpalsule@us.ibm.com>2023-03-09 19:20:38 +0300
committerPatrick Williams <patrick@stwcx.xyz>2023-04-21 16:55:15 +0300
commit34d21443ea6ac906308b17bad9606896fff3aa98 (patch)
tree1aff2c723199dd304de32875384afdc843f406b4
parenta512e6ec0aa59a5efa87e63d371b7e988ef44ab5 (diff)
downloadopenbmc-34d21443ea6ac906308b17bad9606896fff3aa98.tar.xz
Changes for new pre-defined usergroup hostconsole
The new pre-defined usergroup named "hostconsole" is added to differentiate access between host console and manager console. The only users allowed to interact with the host console are members of the "hostconsole" group. This is a fix for the GitHub issue: https://github.com/openbmc/phosphor-user-manager/issues/15 In commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835 ssh was mapped to both ManagerConsole and HostConsole. The split is discussed in the commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835?tab=comments Note: The changes are spread across multiple repositories listed under "Related commits:" The openbmc changes are as follows: - Removed a dependency on dropbear.default file. Added a new environment file dropbear.env for obmc-console. If we want to add port specific configuration then we can add dropbear.%i.env file. - The DROPBEAR_EXTRA_ARGS variable updated to include "-G hostconsole" flag. - New update script added to add new hostconsole group and also add all users part of the priv-admin group to this new group. - Similarly changes are made to add new group during install time and add root user in this group. Tested: Loaded on system and QEMU emulator. Made sure that the only users who can ssh to the host console are members of the hostconsole group. Related commits: docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968 phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583 openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582 obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581 bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580 Change-Id: Icced48da188fb76828bf4ff5c705d6f1300ae3e7 Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
-rw-r--r--meta-phosphor/recipes-phosphor/console/obmc-console/dropbear.env2
-rw-r--r--meta-phosphor/recipes-phosphor/console/obmc-console_git.bb4
-rw-r--r--meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb2
-rw-r--r--meta-phosphor/recipes-phosphor/users/phosphor-user-manager/upgrade_hostconsole_group.sh34
-rw-r--r--meta-phosphor/recipes-phosphor/users/phosphor-user-manager/xyz.openbmc_project.User.Manager.service1
-rw-r--r--meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb14
6 files changed, 56 insertions, 1 deletions
diff --git a/meta-phosphor/recipes-phosphor/console/obmc-console/dropbear.env b/meta-phosphor/recipes-phosphor/console/obmc-console/dropbear.env
new file mode 100644
index 0000000000..d499b4f314
--- /dev/null
+++ b/meta-phosphor/recipes-phosphor/console/obmc-console/dropbear.env
@@ -0,0 +1,2 @@
+DROPBEAR_EXTRA_ARGS=" -B -G hostconsole"
+DROPBEAR_RSAKEY_DIR=/etc/dropbear
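Review bot: `DROPBEAR_EXTRA_ARGS` pairs the new `-G hostconsole` restriction with `-B`, which in Dropbear allows logins for accounts with a blank password, and the file does not say why that is wanted on the host-console listener. With both flags set, any hostconsole member whose password is empty can reach the host console over SSH. If `-B` is only carried over from the earlier defaults file (not visible here), either drop it or document it, e.g. `# -B: allow blank-password logins (needed for <REASON>); -G: only hostconsole members may log in`.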
diff --git a/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb b/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
index 12b1f55355..c4f4ee05e6 100644
--- a/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
+++ b/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
@@ -17,6 +17,7 @@ PR = "r1"
SRC_URI = "git://github.com/openbmc/obmc-console;branch=master;protocol=https"
SRC_URI += "file://${BPN}.conf"
+SRC_URI += "file://dropbear.env"
S = "${WORKDIR}/git"
SYSTEMD_SERVICE:${PN} += "obmc-console-ssh@.service \
@@ -31,6 +32,9 @@ inherit systemd
do_install:append() {
# Install the server configuration
install -m 0755 -d ${D}${sysconfdir}/${BPN}
+
+ install -m 0644 ${WORKDIR}/dropbear.env ${D}${sysconfdir}/${BPN}/
+
# If the OBMC_CONSOLE_TTYS variable is used without the default OBMC_CONSOLE_HOST_TTY
# the port specific config file should be provided. If it is just OBMC_CONSOLE_HOST_TTY,
# use the old style which supports both port specific or obmc-console.conf method.
diff --git a/meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb b/meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb
index 897bf27542..c89d38b83b 100644
--- a/meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb
+++ b/meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb
@@ -48,5 +48,5 @@ USERADD_PACKAGES = "${PN}"
# add a user called httpd for the server to assume
USERADD_PARAM:${PN} = "-r -s /sbin/nologin bmcweb"
-GROUPADD_PARAM:${PN} = "web; redfish"
+GROUPADD_PARAM:${PN} = "web; redfish; hostconsole"
FULL_OPTIMIZATION:append = " -Os"
diff --git a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/upgrade_hostconsole_group.sh b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/upgrade_hostconsole_group.sh
new file mode 100644
index 0000000000..bd8651fd03
--- /dev/null
+++ b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/upgrade_hostconsole_group.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+# Purpose: Upgrade pre-release BMCs with items needed for hostconsole group
+# This can be removed when there is no longer a direct upgrade path for BMCs
+# which were installed with pre-release images.
+
+# Create groups if not already present
+if grep -wq hostconsole /etc/group; then
+ echo "hostconsole group already exists"
+else
+ echo "hostconsole group does not exist, add it"
+ groupadd -f hostconsole
+fi
+
+# Add the root user to the groups
+if id -nG root | grep -wq hostconsole; then
+ echo "root already in hostconsole"
+else
+ echo "root not in group hostconsole, add it"
+ usermod -a -G hostconsole root
+fi
+
+# Add all users in the priv-admin group to the
+# hostconsole group so that it will not break
+# exiting setup for any user.
+for usr in $(grep '^'priv-admin':.*$' /etc/group | cut -d: -f4 | tr ',' ' ')
+do
+ # Add the usr to the hostconsole group
+ if id -nG "$usr" | grep -wq hostconsole; then
+ echo "$usr already in hostconsole"
+ else
+ echo "$usr not in group hostconsole, add it"
+ usermod -a -G hostconsole "$usr"
+ fi
+done
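Review bot: Nothing in this script limits it to a single run, so each time the `ExecStartPre=` line added to xyz.openbmc_project.User.Manager.service in this commit fires, root and every priv-admin member are put back into hostconsole. An administrator who deliberately removes a priv-admin user from hostconsole would see that user re-added on the next restart, which undoes the separation the group is meant to provide. If the absence of the group is a reliable sign of a not-yet-migrated system, an early exit such as `grep -q '^hostconsole:' /etc/group && exit 0` ahead of the `groupadd` would make the migration one-shot. The same anchored pattern is also tighter than `grep -wq hostconsole /etc/group`, which matches the word anywhere on a line (for example a user named hostconsole listed as a member of another group). The exit codes of `groupadd` and `usermod` are not checked, so a partial migration is not reported.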
diff --git a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/xyz.openbmc_project.User.Manager.service b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/xyz.openbmc_project.User.Manager.service
index 67d8b8bbc7..3852b28bac 100644
--- a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/xyz.openbmc_project.User.Manager.service
+++ b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager/xyz.openbmc_project.User.Manager.service
@@ -2,6 +2,7 @@
Description=Phosphor User Manager
[Service]
+ExecStartPre=-/usr/libexec/upgrade_hostconsole_group.sh
ExecStart=/usr/bin/env phosphor-user-manager
SyslogIdentifier=phosphor-user-manager
Restart=always
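Review bot: The `ExecStartPre=` line hard-codes `/usr/libexec/` while the recipe in this commit installs the script under `${libexecdir}`; on a distro that overrides libexecdir the unit would point at a missing file, and the leading `-` would hide that failure. Either install to a fixed path or substitute the path at build time. Because the unit has `Restart=always`, this pre-start step also re-runs on every restart of the user manager, which deserves a comment such as `# one-time migration of hostconsole membership; failure is non-fatal`.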
diff --git a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
index f869c5b6c0..ef09a60b1f 100644
--- a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
+++ b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
@@ -14,6 +14,7 @@ PV = "1.0+git${SRCPV}"
PR = "r1"
SRC_URI = "git://github.com/openbmc/phosphor-user-manager;branch=master;protocol=https"
+SRC_URI += "file://upgrade_hostconsole_group.sh"
S = "${WORKDIR}/git"
@@ -23,6 +24,11 @@ inherit useradd
EXTRA_OEMESON = "-Dtests=disabled"
+do_install:append() {
+ install -d ${D}${libexecdir}
+ install -m 0755 ${WORKDIR}/upgrade_hostconsole_group.sh ${D}${libexecdir}/upgrade_hostconsole_group.sh
+}
+
FILES:phosphor-ldap += " \
${bindir}/phosphor-ldap-conf \
"
@@ -43,3 +49,11 @@ DBUS_SERVICE:${PN} += "xyz.openbmc_project.User.Manager.service"
DBUS_SERVICE:phosphor-ldap = " \
xyz.openbmc_project.Ldap.Config.service \
"
+
+EXTRA_USERS_PARAMS += " \
+ groupadd hostconsole; \
+ "
+
+EXTRA_USERS_PARAMS += " \
+ usermod --append --groups hostconsole root; \
+ "
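Review bot: The two `EXTRA_USERS_PARAMS` additions at the end of the recipe may not take effect: that variable is normally consumed by an image through extrausers.bbclass, and the only inherit visible in this diff's hunk headers for this recipe is `inherit useradd`. If so, a freshly built image gets hostconsole only from the bmcweb `GROUPADD_PARAM` change and root's membership only from the runtime upgrade script. Consider moving both commands to the image configuration that inherits extrausers, or expressing them through useradd.bbclass (`GROUPADD_PARAM` plus `GROUPMEMS_PARAM:${PN} = "-g hostconsole -a root"`), and note in a comment that root is granted host-console access by default. The rest of the recipe is outside the hunk, so this should be confirmed against the full file.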