Hi NXP team,
I am trying to create a custom layer to change su permission.
The folder structure is as shown below.
meta-custom/
├── conf
│ └── layer.conf
├── recipes-core
│ └── change-su-permissions
│ ├── change-su-permissions.bb
│ └── files
The content of change-su-permissions.bb is as follows.
SUMMARY = "Change permissions for su command"
LICENSE = "CLOSED"
PR = "r0"
do_install() {
install -d ${D}${bindir}
install -m 4750 ${WORKDIR}/rootfs/bin/su.shadow ${D}/bin/su.shadow
}
FILES_${PN} = "${bindir}/su"
The content of layer.conf is as follows.
# We have a conf and classes directory, add to BBPATH
BBPATH := "${BBPATH}:${LAYERDIR}"
# We have recipes-* directories, add to BBFILES
BBFILES := "${BBFILES} ${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "change-su-permissions"
BBFILE_PATTERN_change-su-permissions := "^${LAYERDIR}/"
BBFILE_PRIORITY_change-su-permissions = "6"
The custom layer is also included in build/conf/bblayers.conf file.
LCONF_VERSION = "7"
BBPATH = "${TOPDIR}"
BSPDIR := "${@os.path.abspath(os.path.dirname(d.getVar('FILE', True)) + '/../..')}"
BBFILES ?= ""
BBLAYERS = " \
${BSPDIR}/sources/poky/meta \
${BSPDIR}/sources/poky/meta-poky \
\
${BSPDIR}/sources/meta-openembedded/meta-oe \
${BSPDIR}/sources/meta-openembedded/meta-multimedia \
\
${BSPDIR}/sources/meta-freescale \
${BSPDIR}/sources/meta-freescale-3rdparty \
${BSPDIR}/sources/meta-freescale-distro \
${BSPDIR}/sources/meta-example \
${BSPDIR}/sources/meta-adduser \
${BSPDIR}/sources/meta-custom \
"
# i.MX Yocto Project Release layers
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-bsp "
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-sdk "
BBLAYERS += " ${BSPDIR}/sources/meta-browser "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-gnome "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-networking "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-python "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-filesystems "
BBLAYERS += " ${BSPDIR}/sources/meta-qt5 "
Update build/conf/local.conf.
IMAGE_INSTALL_append = ' change-su-permissions'
Some errors occurred while performing "bitbake core-image-base" to create the image.
Please see the attached file "core-image-base_error_log.txt" for more details.
The log shows the path of su.shadow is not correct.
| DEBUG: Executing shell function do_install
| install: cannot stat '/home/west/yocto/build/tmp/work/cortexa7hf-neon-poky-linux-gnueabi/change-su-permissions/1.0-r0/rootfs/bin/su.shadow': No such file or directory
My su.shadow is in the directory "/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0/rootfs/bin".
I run the following command and find out the ${WORKDIR} variable.
$ bitbake -e core-image-base > build-env.txt
$ grep "^WORKDIR=" build-env.txt
WORKDIR="/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0"
Why does the path in the error message not match ${WORKDIR}/rootfs/bin/su.shadow in change-su-permissions.bb?
How can I solve this problem?
If creating a custom layer can't change su permission, please help me achieve this requirement.
Thanks.
I add the below snippet of code to do_install() in the path /source/poky/meta/recipes-extended/shadow/shadow.inc.
chmod 4750 ${D}${bindir}/su
No normal user can use “su” after the above modification.
I can try the below commands to deny normal user su to root.
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 21 18:47 /bin/su -> /bin/su.shadow
-rwsr-xr-x 1 root root 43628 May 6 2020 /bin/su.shadow
root@imx6ulevk:~# chmod 0750 /bin/su
root@imx6ulevk:~# ls -l /bin/su*
lrwxrwxrwx 1 root root 14 Jun 20 15:43 su -> /bin/su.shadow
-rwxr-x--- 1 root root 43628 May 6 2020 su.shadow
root@imx6ulevk:~# su ap
ap@imx6ulevk:/bin$ su
-sh: su: Permission denied
I want to set the permission of su in the same way under core-image-base image instead of console mode.
Hello @Alejandro_Salas ,
Thanks for your reply.
There is no /etc/sudoers file in my i.MX6UL project.
I can't use sudo but only su.
How to set the permission of su?
Best regards,
Tammy
Hello,
You can look at this post; it explains how to add users and manage privileges in a Yocto environment using layers.
Best regards,
--... ...--
Salas.
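
A check to go with the accepted solution above, added here as an example and not code from any post in the thread: it confirms that su in an unpacked copy of the image rootfs keeps its setuid bit but is not executable by "other" (the 4750 mode the solution sets). The function names are hypothetical, the rootfs directory is assumed to be an extracted image, and only a symlink in the final path component (such as /bin/su -> /bin/su.shadow) is followed.

```shell
#!/bin/sh
# Added example: audit su inside an unpacked image rootfs on the build host.
# Function names are illustrative; pass the directory holding the extracted image.

# Follow symlinks as the target would: an absolute link target such as
# /bin/su.shadow is re-rooted under the rootfs, not resolved on the host.
resolve_in_rootfs() {
    root=$1; path=$2; hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 8 ] || return 1            # guard against link loops
        link=$(readlink "$root$path") || return 1
        case $link in
            /*) path=$link ;;                      # absolute: re-root
            *)  path=$(dirname "$path")/$link ;;   # relative: same directory
        esac
    done
    printf '%s\n' "$path"
}

# Returns 0 when su is setuid and not executable by "other" (for example 4750),
# 1 when the mode is wrong, 2 when no su binary is found in the rootfs.
check_su_mode() {
    root=${1%/}
    for candidate in /bin/su /usr/bin/su; do
        real=$(resolve_in_rootfs "$root" "$candidate") || continue
        [ -f "$root$real" ] || continue
        # su needs the setuid bit to switch users at all
        if [ ! -u "$root$real" ]; then
            echo "FAIL: $real is not setuid" >&2; return 1
        fi
        # find -perm -0001 matches when the other-execute bit is set
        if [ -n "$(find "$root$real" -prune -perm -0001)" ]; then
            echo "FAIL: $real is executable by every user" >&2; return 1
        fi
        echo "OK: $real"; return 0
    done
    echo "su not found under $root" >&2; return 2
}
```

Group ownership still decides who may run su with mode 4750, so check the group of the file as well.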