How to prevent non-root users from using su command?

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

How to prevent non-root users from using su command?

ソリューションへジャンプ
1,081件の閲覧回数
TammyTsai
Contributor III

Hi NXP team,

I try to create a custom layer to change su permission.

The folder structure as shown below.

meta-custom/

├── conf

│      └── layer.conf

├── recipes-core

│      └── change-su-permissions

│              ├── change-su-permissions.bb

│              └── files

The content of change-su-permissions.bb is as follows.

 

 

 

SUMMARY = "Change permissions for su command"
LICENSE = "CLOSED"
PR = "r0"

do_install() {
    install -d ${D}${bindir}
    install -m 4750 ${WORKDIR}/rootfs/bin/su.shadow ${D}/bin/su.shadow
}

FILES_${PN} = "${bindir}/su"

 

The content of layer.conf is as follows.

 

# We have a conf and classes directory, add to BBPATH
BBPATH := "${BBPATH}:${LAYERDIR}"

# We have recipes-* directories, add to BBFILES
BBFILES := "${BBFILES} ${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"

BBFILE_COLLECTIONS += "change-su-permissions"
BBFILE_PATTERN_change-su-permissions := "^${LAYERDIR}/"
BBFILE_PRIORITY_change-su-permissions = "6"

 

The custom layer is also included in build/conf/bblayers.conf file.

 

LCONF_VERSION = "7"

BBPATH = "${TOPDIR}"
BSPDIR := "${@os.path.abspath(os.path.dirname(d.getVar('FILE', True)) + '/../..')}"

BBFILES ?= ""
BBLAYERS = " \
  ${BSPDIR}/sources/poky/meta \
  ${BSPDIR}/sources/poky/meta-poky \
  \
  ${BSPDIR}/sources/meta-openembedded/meta-oe \
  ${BSPDIR}/sources/meta-openembedded/meta-multimedia \
  \
  ${BSPDIR}/sources/meta-freescale \
  ${BSPDIR}/sources/meta-freescale-3rdparty \
  ${BSPDIR}/sources/meta-freescale-distro \
  ${BSPDIR}/sources/meta-example \
  ${BSPDIR}/sources/meta-adduser \
  ${BSPDIR}/sources/meta-custom \
"

# i.MX Yocto Project Release layers
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-bsp "
BBLAYERS += " ${BSPDIR}/sources/meta-fsl-bsp-release/imx/meta-sdk "

BBLAYERS += " ${BSPDIR}/sources/meta-browser "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-gnome "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-networking "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-python "
BBLAYERS += " ${BSPDIR}/sources/meta-openembedded/meta-filesystems "
BBLAYERS += " ${BSPDIR}/sources/meta-qt5 "

 

Update build/conf/local.conf.

 

IMAGE_INSTALL_append = ' change-su-permissions'

 

Some errors occured while performing "bitbake core-image-base" to create image .

Please see the attached file "core-image-base_error_log.txt" for more details.

The log shows the path of su.shadow is not correct.

| DEBUG: Executing shell function do_install
| install: cannot stat '/home/west/yocto/build/tmp/work/cortexa7hf-neon-poky-linux-gnueabi/change-su-permissions/1.0-r0/rootfs/bin/su.shadow': No such file or directory

My su.shadow is in the directory "/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0/rootfs/bin".

I run the following command and find out the ${WORKDIR} variable.

$ bitbake -e core-image-base > build-env.txt

$ grep "^WORKDIR=" build-env.txt

WORKDIR="/home/west/yocto/build/tmp/work/imx6ulevk-poky-linux-gnueabi/core-image-base/1.0-r0"

Why the path in the error message is not match ${WORKDIR}/rootfs/bin/su.shadow in the change-su-permissions.bb?

How to solve this problem?

If the way of creating a custom layer can't change su permission, please help me how to achieve this requirement.

Thanks.

ラベル(3)
0 件の賞賛
返信
1 解決策
841件の閲覧回数
TammyTsai
Contributor III

I add the below snippet of code to do_install() in the path /source/poky/meta/recipes-extended/shadow/shadow.inc.

chmod 4750 ${D}${bindir}/su

No normal user can use “su” after the above modification.

元の投稿で解決策を見る

4 返答(返信)
842件の閲覧回数
TammyTsai
Contributor III

I add the below snippet of code to do_install() in the path /source/poky/meta/recipes-extended/shadow/shadow.inc.

chmod 4750 ${D}${bindir}/su

No normal user can use “su” after the above modification.

950件の閲覧回数
TammyTsai
Contributor III

I can try the below commands to deny normal user su to root.

root@imx6ulevk:~# ls -l /bin/su*

lrwxrwxrwx 1 root root 14 Jun 21 18:47 /bin/su -> /bin/su.shadow
-rwsr-xr-x 1 root root 43628 May 6 2020 /bin/su.shadow

root@imx6ulevk:~# chmod 0750 /bin/su

root@imx6ulevk:~# ls -l /bin/su*

lrwxrwxrwx 1 root root 14 Jun 20 15:43 su -> /bin/su.shadow
-rwxr-x--- 1 root root 43628 May 6 2020 su.shadow

root@imx6ulevk:~#  su ap

ap@imx6ulevk:/bin$ su

-sh: su: Permission denied

I want to set the permission of su in the same way under core-image-base image instead of console mode.

 

0 件の賞賛
返信
994件の閲覧回数
TammyTsai
Contributor III

Hello @Alejandro_Salas ,

Thanks for your reply.

There is no /etc/sudoers file in my i.MX6UL project.

I can't use sudo but only su.

How to set the permission of su?

 

Best regards,

Tammy

 

0 件の賞賛
返信
1,052件の閲覧回数
Alejandro_Salas
NXP TechSupport
NXP TechSupport

Hello, 

You can look this post, there is explained how to add users and manage the privileges in a Yocto environment using layers.

 

Best regards,

--... ...--

Salas.

0 件の賞賛
返信