petitboot: Enable user separation
Turn on support for unprivileged user accounts in the Petitboot
environment, including setting up a basic non-root user and group.
The implementation also requires using the agetty package rather than
the busybox getty utility, calling the initial pb-console helper on
login rather than directly, and moving some shell init logic from
Petitboot and into a .shrc script.
If no root password is configured in NVRAM or at runtime then this has
no effect aside from some nicer shell behaviour. Once a password is
configured then most actions in Petitboot will require this password and
the shell runs as a normal user.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
diff --git a/openpower/package/petitboot/S15pb-discover b/openpower/package/petitboot/S15pb-discover
index 8f9638c..9d9ec57 100755
--- a/openpower/package/petitboot/S15pb-discover
+++ b/openpower/package/petitboot/S15pb-discover
@@ -15,7 +15,12 @@
case "$1" in
start)
ulimit -c unlimited
- mkdir -p $(dirname $LOGFILE)
+ mkdir -p -m 0775 $(dirname $LOGFILE)
+ mkdir -p -m 0775 /var/petitboot
+ # Set permissions for normal users
+ chown -R root:petitgroup $(dirname $LOGFILE)
+ chown -R root:petitgroup /var/petitboot
+
export $(cat /etc/locale)
pb-discover -l $LOGFILE $verbose &
echo $! > $PIDFILE
diff --git a/openpower/package/petitboot/petitboot-console-ui.rules b/openpower/package/petitboot/petitboot-console-ui.rules
index 8e117e5..d99df36 100644
--- a/openpower/package/petitboot/petitboot-console-ui.rules
+++ b/openpower/package/petitboot/petitboot-console-ui.rules
@@ -1,5 +1,5 @@
# spawn a petitboot UI on common user-visible interface devices
-SUBSYSTEM=="tty", KERNEL=="hvc*", RUN+="/usr/libexec/petitboot/pb-console --getty --detach -- -n -i 0 $name linux"
-SUBSYSTEM=="tty", KERNEL=="tty0", RUN+="/usr/libexec/petitboot/pb-console --getty --detach -- -n -i 0 $name linux"
-SUBSYSTEM=="tty", KERNEL=="ttyS*", RUN+="/usr/libexec/petitboot/pb-console --getty --detach -- -n -i 0 $name linux"
+SUBSYSTEM=="tty", KERNEL=="hvc*", RUN+="/usr/libexec/petitboot/pb-console --getty=/sbin/agetty --detach -- -a petituser -n -i $name linux"
+SUBSYSTEM=="tty", KERNEL=="tty0", RUN+="/usr/libexec/petitboot/pb-console --getty=/sbin/agetty --detach -- -a petituser -n -i $name linux"
+SUBSYSTEM=="tty", KERNEL=="ttyS*", RUN+="/usr/libexec/petitboot/pb-console --getty=/sbin/agetty --detach -- -a petituser -n -i $name linux"
diff --git a/openpower/package/petitboot/petitboot.mk b/openpower/package/petitboot/petitboot.mk
index 7e5de91..ac0a298 100644
--- a/openpower/package/petitboot/petitboot.mk
+++ b/openpower/package/petitboot/petitboot.mk
@@ -13,6 +13,7 @@
PETITBOOT_CONF_OPTS += --with-ncurses --without-twin-x11 --without-twin-fbdev \
--localstatedir=/var \
+ --enable-crypt \
HOST_PROG_KEXEC=/usr/sbin/kexec \
HOST_PROG_SHUTDOWN=/usr/libexec/petitboot/bb-kexec-reboot \
$(if $(BR2_PACKAGE_BUSYBOX),--with-tftp=busybox --enable-busybox)
@@ -61,7 +62,11 @@
ln -sf /usr/sbin/pb-udhcpc \
$(TARGET_DIR)/usr/share/udhcpc/default.script.d/
- mkdir -p $(TARGET_DIR)/var/log/petitboot
+ mkdir -p $(TARGET_DIR)/home/petituser
+ $(INSTALL) -D -m 0755 $(BR2_EXTERNAL_OP_BUILD_PATH)/package/petitboot/shell_profile \
+ $(TARGET_DIR)/home/petituser/.profile
+ $(INSTALL) -D -m 0755 $(BR2_EXTERNAL_OP_BUILD_PATH)/package/petitboot/shell_config \
+ $(TARGET_DIR)/home/petituser/.shrc
$(MAKE) -C $(@D)/po DESTDIR=$(TARGET_DIR) install
endef
diff --git a/openpower/package/petitboot/shell_config b/openpower/package/petitboot/shell_config
new file mode 100644
index 0000000..ef2c55a
--- /dev/null
+++ b/openpower/package/petitboot/shell_config
@@ -0,0 +1,15 @@
+#!bin/sh
+
+reset
+
+echo "Exiting petitboot. Type 'exit' to return."
+echo "You may run 'pb-sos' to gather diagnostic data"
+
+if [[ "$(id -u)" != "0" ]]; then
+ echo "" | sudo -S /bin/true 2&>1 >> /dev/null
+ if [[ $? = 0 ]]; then
+ echo "No password set, elevating shell"
+ sudo -i
+ exit
+ fi
+fi
diff --git a/openpower/package/petitboot/shell_profile b/openpower/package/petitboot/shell_profile
new file mode 100755
index 0000000..40062b4
--- /dev/null
+++ b/openpower/package/petitboot/shell_profile
@@ -0,0 +1,2 @@
+export ENV="/home/petituser/.shrc"
+/usr/libexec/petitboot/pb-console