[OpenWrt-Devel] pre-Xmas bonus security patch
openwrt at daniel.thecshore.com
openwrt at daniel.thecshore.com
Thu Dec 24 01:31:26 EST 2015
Hi all,
The following patch is a much better implementation of the previous
patch for requiring login even on hardware console.
As per discussion on list, this patch would become the default
behaviour for all images, but does have an opt-out which can be
set at image generation time or in the overlayfs.
This version of patch doesn't use getty because I realized using
getty for login is not needed on openwrt because of askfirst/askconsole
which setup the console for the login command (on standard distros
getty is required because the terminal(s) are not active unless getty
activates them; this is not an issue for openwrt).
So askfirst or askconsole (depending on platform) are used to setup
the console. Once the user presses enter /sbin/login_wrapper is
invoked which checks for the presence of /lib/preinit/zz_passwordless_console.
If that file exists /bin/ash --login (current behavior) is exec'd and
you get passwordless root access. If the file does not exist (or is not
readable) then /bin/login is exec'd and the user is prompted for a
password.
With a default install of openwrt with no previous configuration
you can enter user root and the use an empty password (just ENTER)
as default for stock openwrt has no password for root. If the
image creator embedded a default password for root, then that password
would be required at this point.
In any event, unless passwordless console has been flagged, once a
root password has been set it will be required to login to the
hardware/serial console.
This behaviour also applies to failsafe mode as previous work,
probably for the dropbear failsafe access, has enabled pulling
in current configuration for failsafe mode.
If it is considered undesirable to have the runtime option of
disabling the requirement for password, then the check for
/lib/preinit/zz_passwordless_console could be modified to
check for the existence of /rom (which indicates a squashfs)
and check for /rom/lib/preinit/zz_passwordless_console when
it exists, instead of allowing for a writable setting (/rom
is the readonly squashfs that is embedded in the flash).
Enjoy!
Daniel
[PATCH] base-files image: Require login even on console (including
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list