How to prevent non-root users from using su command?

TammyTsai — Tue, 25 Jun 2024 10:30:31 GMT

Hi NXP team,

I try to create a custom layer to change su permission.

The folder structure as shown below.

meta-custom/

├── conf

│ └── layer.conf

├── recipes-core

│ └── change-su-permissions

│ ├── change-su-permissions.bb

│ └── files

The content of change-su-permissions.bb is as follows.

SUMMARY = "Change permissions for su command" LICENSE = "CLOSED" PR = "r0" do_install() { install -d ${D}${bindir} install -m 4750 ${WORKDIR}/rootfs/bin/su.shadow ${D}/bin/su.shadow } FILES_${PN} = "${bindir}/su"

The content of layer.conf is as follows.

# We have a conf and classes directory, add to BBPATH BBPATH := "${BBPATH}:${LAYERDIR}" # We have recipes-* directories, add to BBFILES BBFILES := "${BBFILES} ${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend" BBFILE_COLLECTIONS += "change-su-permissions" BBFILE_PATTERN_change-su-permissions := "^${LAYERDIR}/" BBFILE_PRIORITY_change-su-permissions = "6"

The custom layer is also included in build/conf/bblayers.conf file.

LCONF_VERSION = "7" BBPATH = "${TOPDIR}" BSPDIR := "${@os.path.abspath(os.path.dirname(d.getVar('FILE', True)) + '/../..')}" BBFILES ?= "" BBLAYERS = " \ ${BSPDIR}/sources/poky/meta \ ${BSPDIR}/sources/poky/meta-poky \ \ ${BSPDIR}/sources/meta-openembedded/meta-oe \ ${BSPDIR}/sources/meta-openembedded/meta-multimedia \ \ ${BSPDIR}/sources/meta-freescale \ ${BSPDIR}/sources/meta-freescale-3rdparty \ ${BSPDIR}/sources/meta-freescale-distro \ ${BSPDIR}/sources/meta-example \ ${BSPDIR}/sources/meta-adduser \ ${BSPDIR}/sources/meta-custom \ " # i.MX Yocto Project Release layers BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-bsp " BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-sdk " BBLAYERS += " ${BSPDIR}/sources/meta-browser " BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-gnome " BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-networking " BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-python " BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-filesystems " BBLAYERS += " ${BSPDIR}/sources/meta-qt5 "

Update build/conf/local.conf.

IMAGE_INSTALL_append = ' change-su-permissions'

Some errors occured while performing "bitbake core-image-base" to create image .

Please see the attached file "core-image-base_error_log.txt" for more details.

The log shows the path of su.shadow is not correct.

| DEBUG: Executing shell function do_install
| install: cannot stat '/home/west/yocto/build/tmp/work/cortexa7hf-neon-poky-linux-gnueabi/change-su-permissions/1.0-r0/rootfs/bin/su.shadow': No such file or directory

My su.shadow is in the directory "/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0/rootfs/bin".

I run the following command and find out the ${WORKDIR} variable.

$ bitbake -e core-image-base > build-env.txt
$ grep "^WORKDIR=" build-env.txt
WORKDIR="/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0"

Why the path in the error message is not match ${WORKDIR}/rootfs/bin/su.shadow in the change-su-permissions.bb?

How to solve this problem?

If the way of creating a custom layer can't change su permission, please help me how to achieve this requirement.

Thanks.

Re: How to prevent non-root users from using su command?

Manuel_Salas — Tue, 25 Jun 2024 18:48:30 GMT

Hello,

You can look this post, there is explained how to add users and manage the privileges in a Yocto environment using layers.

Best regards,

--... ...--

Salas.

Re: How to prevent non-root users from using su command?

TammyTsai — Wed, 26 Jun 2024 06:39:08 GMT

Hello @Manuel_Salas ,

Thanks for your reply.

There is no /etc/sudoers file in my i.MX6UL project.

I can't use sudo but only su.

How to set the permission of su?

Best regards,

Tammy

Re: How to prevent non-root users from using su command?

TammyTsai — Wed, 26 Jun 2024 08:48:43 GMT

I can try the below commands to deny normal user su to root.

root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 21 18:47 /bin/su -> /bin/su.shadow
-rwsr-xr-x 1 root root 43628 May 6 2020 /bin/su.shadow
root@imx6ulevk:~# chmod 0750 /bin/su
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 20 15:43 su -> /bin/su.shadow
-rwxr-x--- 1 root root 43628 May 6 2020 su.shadow
root@imx6ulevk:~# su ap
ap@imx6ulevk:/bin$ su
-sh: su: Permission denied

I want to set the permission of su in the same way under core-image-base image instead of console mode.

Re: How to prevent non-root users from using su command?

TammyTsai — Wed, 03 Jul 2024 08:35:26 GMT

I add the below snippet of code to do_install() in the path /source/poky/meta/recipes-extended/shadow/shadow.inc.

chmod 4750 ${D}${bindir}/su

No normal user can use “su” after the above modification.

topic Re: How to prevent non-root users from using su command? in i.MX Processors

How to prevent non-root users from using su command?

Re: How to prevent non-root users from using su command?

Re: How to prevent non-root users from using su command?

Re: How to prevent non-root users from using su command?

Re: How to prevent non-root users from using su command?