
[RFC,00/13] User support and client permissions

Message ID 20180628064151.13370-1-sam@mendozajonas.com

samjonas June 28, 2018, 6:41 a.m. UTC
There has been interest in having methods to "lock down" Petitboot for a
while now (existing changes like restricting access to the shell,
requested features such as adding a big "Password" screen before being
able to do anything), and this makes a big jump in that direction as
part of the overall journey to trusted/secure boot.

Rather than rely on implementing a bunch of password checks in ncurses
and keeping the user from getting shell access, this instead leans on
having Linux do it for us for the most part by running all user facing
parts of Petitboot as an unprivileged user, with only pb-discover and
its utilities running with root permissions. Assuming the environment
has been set up correctly this means that when a user drops to the shell
they are completely unprivileged unless they know the root password.

Since non-root users can't init, mount, or kexec anything, all normal
actions must be done via pb-discover. Unless the user authorises with
pb-discover (handled by a new nc-auth subscreen) they are restricted to
a subset of actions that don't affect the configuration or default boot
option of the system.
For platform-powerpc, clients are restricted by default if we find a
"petitboot,password" value in NVRAM which is a hash of the password to
be used as the root password. Users can also set a password which will
be hashed and stored in NVRAM. In the future this could be something we
do with a TPM but as a first step this should be sufficient as NVRAM is
only accessible by root anyway.

Along the way we also pick up some fixes that make using the shell a
little nicer such as actual job control finally.
Thoughts, comments, and criticisms welcome; I'm sure I've stared at this
for too long and forgotten something. Note also that this depends on
proper user accounts being configured by Buildroot for example.

Samuel Mendoza-Jonas (13):
  utils/pb-console: Support agetty's autologin option
  utils/pb-sos: Don't create files in root by default
  utils/pb-console: Set up controlling terminal
  utils/pb-console: Ignore SIGINT
  lib/crypt: Add helpers for operating on /etc/shadow
  lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATE
  discover/discover-server: Restrict clients based on uid
  discover/device-handler: Prevent normal users changing boot target
  discover/platform-powerpc: Read and write password hash from NVRAM
  ui/ncurses: Simplify starting shell
  ui/common: Client authentication helpers
  ui/ncurses: Add nc-auth and authenticate when required.
  ui/ncurses: Keep track of the default boot option

 configure.ac                  |  22 +++
 discover/device-handler.c     |  17 +-
 discover/device-handler.h     |   2 +-
 discover/discover-server.c    | 233 +++++++++++++++++++++++++-
 discover/discover-server.h    |   3 +
 discover/pb-discover.c        |   3 +
 discover/platform-powerpc.c   |  33 ++++
 discover/platform.c           |  13 ++
 discover/platform.h           |   4 +
 discover/user-event.c         |   7 +-
 lib/Makefile.am               |  11 +-
 lib/crypt/crypt.c             | 113 +++++++++++++
 lib/crypt/crypt.h             |  50 ++++++
 lib/pb-protocol/pb-protocol.c |  94 +++++++++++
 lib/pb-protocol/pb-protocol.h |  25 +++
 lib/types/types.h             |   1 +
 ui/common/discover-client.c   |  81 +++++++++
 ui/common/discover-client.h   |  12 ++
 ui/ncurses/Makefile.am        |   4 +-
 ui/ncurses/nc-add-url.c       |  63 ++++---
 ui/ncurses/nc-auth.c          | 299 ++++++++++++++++++++++++++++++++++
 ui/ncurses/nc-auth.h          |  33 ++++
 ui/ncurses/nc-config.c        |  62 +++++--
 ui/ncurses/nc-cui.c           | 204 ++++++++++++++++++++---
 ui/ncurses/nc-cui.h           |   6 +
 ui/ncurses/nc-lang.c          | 124 +++++++++-----
 ui/ncurses/nc-plugin.c        |  44 ++---
 ui/ncurses/nc-plugin.h        |   2 -
 ui/ncurses/nc-scr.h           |   1 +
 ui/ncurses/nc-widgets.h       |   1 +
 utils/pb-console              |  18 +-
 utils/pb-sos                  |  13 +-
 32 files changed, 1463 insertions(+), 135 deletions(-)
 create mode 100644 lib/crypt/crypt.c
 create mode 100644 lib/crypt/crypt.h
 create mode 100644 ui/ncurses/nc-auth.c
 create mode 100644 ui/ncurses/nc-auth.h
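The cover letter describes the core of the design, a root-owned discover server that decides what each client may do based on the client's uid and on whether it has authenticated, without showing how the server learns the uid. The sketch below is an added example written for this page, not code from the Petitboot series. It assumes the server obtains the peer's credentials from the AF_UNIX socket with SO_PEERCRED (the series' discover-server patch is described only as "Restrict clients based on uid"; the mechanism is an assumption here), and the action names and the `struct client` layout are hypothetical. The security-relevant point is that the uid comes from the kernel, not from anything the client sends, so an unprivileged shell user cannot claim to be root by crafting a message.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical subset of client actions, modelled on the cover letter's
 * description; these are not Petitboot's protocol identifiers. */
enum client_action {
    ACTION_BOOT,          /* boot one of the listed options */
    ACTION_AUTHENTICATE,  /* present a password to the discover server */
    ACTION_CONFIG,        /* change system configuration */
    ACTION_SET_DEFAULT,   /* change the default boot option */
};

/* Hypothetical per-connection state kept by the server. */
struct client {
    int fd;
    uid_t uid;            /* from SO_PEERCRED, never from the message */
    bool authenticated;   /* set only after a successful ACTION_AUTHENTICATE */
};

/* Ask the kernel who is on the other end of an AF_UNIX socket. Unlike a
 * uid carried inside a protocol message, SO_PEERCRED cannot be forged by
 * an unprivileged client. Returns 0 on success, -1 on error. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Policy: uid 0 and authenticated clients may do anything; everyone else
 * gets only the actions that do not touch configuration or the default
 * boot option. Unknown actions are denied (default deny). */
bool action_permitted(const struct client *c, enum client_action a)
{
    if (c->uid == 0 || c->authenticated)
        return true;

    switch (a) {
    case ACTION_BOOT:
    case ACTION_AUTHENTICATE:
        return true;
    case ACTION_CONFIG:
    case ACTION_SET_DEFAULT:
        return false;
    }
    return false;
}

/* Initialise a client record from an accepted socket. A client whose
 * credentials cannot be read is treated as unprivileged. */
void client_init(struct client *c, int fd)
{
    c->fd = fd;
    c->authenticated = false;
    if (peer_uid(fd, &c->uid) < 0)
        c->uid = (uid_t)-1;
}

/* Self-check used by the demo: on a socketpair both ends belong to this
 * process, so SO_PEERCRED must report our own uid. Returns 1 on success. */
int self_peer_uid_matches(void)
{
    int sv[2];
    uid_t uid;
    int ok;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    ok = peer_uid(sv[0], &uid) == 0 && uid == getuid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    struct client c = { .fd = -1, .uid = 1000, .authenticated = false };

    printf("peer uid self-check: %s\n", self_peer_uid_matches() ? "ok" : "FAILED");
    printf("uid 1000, unauthenticated: boot=%d config=%d\n",
           action_permitted(&c, ACTION_BOOT),
           action_permitted(&c, ACTION_CONFIG));
    c.authenticated = true;
    printf("uid 1000, authenticated:   config=%d\n",
           action_permitted(&c, ACTION_CONFIG));
    return 0;
}
```

A real server would also bind the listening socket with a mode that lets the unprivileged UI user connect, and would clear `authenticated` again when the connection closes, so that a later shell user on the same console cannot inherit a previous session's rights.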