Building a rootfs using buildroot. My rootfs creates the "admin" user using this users-tables.txt:
# cat ./board/corp/main/users-table.txt
# <username> <uid> <group> <gid> <password> <home> <shell> <groups> <comment>
admin -1 admin -1 =1234 /home/admin /bin/sh - Restricted admin user
User admin connects to rootfs using ssh connection.
ssh [email protected]
This is the output of the id command:
$ id
uid=1002(admin) gid=1006(admin) groups=1006(admin)
The problem is, user admin can scale to root executing "su" command easily:
$ su
$ id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
Trying to avoid that using the PAM library. But I am unable to setup my rootfs to work as expected. The rootfs has been created with this buildroot option enabled:
BR2_PACKAGE_LINUX_PAM=y
This is the content of some relevant files. If some other files can help debugging this issue, please let me know.
# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:65534:65534:nobody:/home:/bin/false
dbus:x:1000:81:DBus messagebus user:/var/run/dbus:/bin/false
sshd:x:1001:1004:SSH drop priv user:/var/empty:/bin/false
admin:x:1002:1006:Restricted admin user:/home/admin:/bin/sh
# cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
kmem:x:9:
wheel:x:10:root
cdrom:x:11:
dialout:x:18:
floppy:x:19:
video:x:28:
audio:x:29:
tape:x:32:
www-data:x:33:
utmp:x:43:
plugdev:x:46:
staff:x:50:
lock:x:54:
haldaemon:x:68:
netdev:x:82:
ftp:x:83
nobody:x:99:
nogroup:x:99:
users:x:100:
default:x:1000:
input:x:1001:
render:x:1002:
kvm:x:1003:
sshd:x:1004:
sudo:x:1005:
admin:x:1006:
dbus:x:81:dbus
# cat /etc/sudoers
root ALL=(ALL) ALL
admin ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
PAM with all deployed files is installed. I can check my running rootfs is using PAM library:
# ldd /bin/login | grep pam
libpam.so.0 => /lib/libpam.so.0 (0xb6f3a000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0xb6f27000)
I found some documents like this http://blog.serverbuddies.com/how-do-i-restrict-the-use-of-su-command/, explaining about the PAM configuration file for the shadow `su' service. I tested with this:
$ cat /etc/pam.d/su
auth required /lib/security/pam_wheel.so use_uid
As far as I understand, this line forces any user to be a member of group "wheel" in order to be able to run "su" command. As you can see in the previously listed files, admin user doesn't belong to "wheel" group. So, it shouldn't be able to execute the "su" command.
However, user "admin" executes "su" command, and it scales to root.
What am I doing wrong? Any help would be very appreciated.
Thanks a lot in advance!!
Just for reference to someone interested in this issue, the problem has been fixed. It was related with the "su" command, deployed by buildroot as a busybox applet. This applet doesn't work as expected despite CONFIG_PAM=y is enabled in busybox config file (vers 1.31.1).
This are the steps we followed to fix this:
# CONFIG_SU is not set
BR2_PACKAGE_UTIL_LINUX_SU=y
#auth required pam_wheel.so use_uid