Message ID | 20181128042012.25916-1-sam@mendozajonas.com
---|---
Series | User support and client permissions
On Wed, 2018-11-28 at 15:19 +1100, Samuel Mendoza-Jonas wrote:
> There has been interest in having methods to "lock down" Petitboot for a
> while now (existing changes like restricting access to the shell,
> requested features such as adding a big "Password" screen before being
> able to do anything), and this makes a big jump in that direction as
> part of the overall journey to trusted/secure boot.
>
> Rather than rely on implementing a bunch of password checks in ncurses
> and keeping the user from getting shell access this instead leans on
> having Linux do it for us for the most part by running all user facing
> parts of Petitboot as an unprivileged user, with only pb-discover and
> its utilities running with root permissions. Assuming the environment
> has been set up correctly this means that when a user drops to the shell
> they are completely unprivileged unless they know the root password.
>
> Since non-root users can't init, mount, or kexec anything all normal
> actions must be done via pb-discover. Unless the user authorises with
> pb-discover (handled by a new nc-auth subscreen) they are restricted to
> a subset of actions that don't affect the configuration or default boot
> option of the system.
> For platform-powerpc clients are restricted by default if we find a
> "petitboot,password" value in NVRAM which is a hash of the password to
> be used as the root password. Users can also set a password which will
> be hashed and stored in NVRAM. In the future this could be something we
> do with a TPM but as a first step this should be sufficient as NVRAM is
> only accessible by root anyway.
>
> Along the way we also pick up some fixes that make using the shell a
> little nicer such as actual job control finally.
> Thoughts, comments, and criticisms welcome, I'm sure I've stared at this
> for too long and forgotten something. Note also that this depends on
> proper user accounts being configured by Buildroot for example.
>
> Changes in v2:
> lib/crypt: Don't set hashes for blank passwords, don't overwrite /etc/shadow
> discover/discover-server: Cleanup auth_waiter on expiry and client exit
> ui/ncurses/nc-auth: Hide password field input

This has been solid under testing, so let's go ahead and merge it as 87017f0

>
> Samuel Mendoza-Jonas (13):
> utils/pb-console: Support agetty's autologin option
> utils/pb-sos: Don't create files in root by default
> utils/pb-console: Set up controlling terminal
> utils/pb-console: Ignore SIGINT
> lib/crypt: Add helpers for operating on /etc/shadow
> lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATE
> discover/discover-server: Restrict clients based on uid
> discover/device-handler: Prevent normal users changing boot target
> discover/platform-powerpc: Read and write password hash from NVRAM
> ui/ncurses: Simplify starting shell
> ui/common: Client authentication helpers
> ui/ncurses: Add nc-auth and authenticate when required.
> ui/ncurses: Keep track of the default boot option
>
> configure.ac | 22 +++
> discover/device-handler.c | 18 +-
> discover/device-handler.h | 2 +-
> discover/discover-server.c | 247 +++++++++++++++++++++++++++-
> discover/discover-server.h | 3 +
> discover/pb-discover.c | 3 +
> discover/platform-powerpc.c | 29 ++++
> discover/platform.c | 13 ++
> discover/platform.h | 4 +
> discover/user-event.c | 7 +-
> lib/Makefile.am | 9 +
> lib/crypt/crypt.c | 217 ++++++++++++++++++++++++
> lib/crypt/crypt.h | 49 ++++++
> lib/param_list/param_list.c | 1 +
> lib/pb-protocol/pb-protocol.c | 94 +++++++++++
> lib/pb-protocol/pb-protocol.h | 26 +++
> lib/types/types.h | 1 +
> ui/common/discover-client.c | 81 +++++++++
> ui/common/discover-client.h | 12 ++
> ui/ncurses/Makefile.am | 4 +-
> ui/ncurses/nc-add-url.c | 63 ++++---
> ui/ncurses/nc-auth.c | 299 ++++++++++++++++++++++++++++++++++
> ui/ncurses/nc-auth.h | 33 ++++
> ui/ncurses/nc-config.c | 64 ++++++--
> ui/ncurses/nc-cui.c | 204 ++++++++++++++++++++---
> ui/ncurses/nc-cui.h | 6 +
> ui/ncurses/nc-lang.c | 127 ++++++++++-----
> ui/ncurses/nc-plugin.c | 44 ++---
> ui/ncurses/nc-plugin.h | 2 -
> ui/ncurses/nc-scr.h | 1 +
> ui/ncurses/nc-widgets.c | 12 +-
> ui/ncurses/nc-widgets.h | 3 +
> utils/pb-console | 18 +-
> utils/pb-sos | 13 +-
> 34 files changed, 1593 insertions(+), 138 deletions(-)
> create mode 100644 lib/crypt/crypt.c
> create mode 100644 lib/crypt/crypt.h
> create mode 100644 ui/ncurses/nc-auth.c
> create mode 100644 ui/ncurses/nc-auth.h