Linux is a multi-user operating system where:
-
root is the administrator who can perform privileged operations such as configuring the system, accessing to all interfaces, installing or removing software, etc.
-
all other users are unprivileged and cannot do administrator-level operations.
Digi recommends you set a secure root password and create regular users for your applications.
Create users and groups
Digi recommends you create regular users to help protect the security of your system.
Digi Embedded Yocto creates the following specific groups:
-
digiapix: Digi APIX group to grant access to the interfaces managed by the APIs.
-
ggc_group: AWS Greengrass group (only applicable if Greengrass Core is installed in the root file system).
Manage accounts in a running system
Create a new user
-
Open your device shell and log in as root. Create a new user with default options and his own group with
useradd
.# useradd <user_name>
For example, to add user called digi, execute:
# useradd digi
-
Add a password to the new user with
passwd
.# passwd <user_name>
For example, to set the password for a user called digi, issue
passwd digi
and type the password when prompted:# passwd digi Changing password for digi Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New password: Re-enter new password: passwd: password changed.
-
Once the new password is set, log out or reboot to log in as the new user.
Create a new group
Use the groupadd
command to create a new group
# groupadd <group_name>
Add a user to a group
Issue usermod
command to modify an existing user account and add it to an existing group.
# usermod -a -G <group_name> <user_name>
Where <user_name> is the user login name to add to the group specified in <group_name>.
Use groups
to print group memberships for a specific user name.
# groups <user_name>
For example, to add user digi to the digiapix group:
# usermod -a -G digiapix digi
# groups digi
digiapix digi
Remove existing users and groups
You can remove an existing user with userdel
.
# userdel -r <user_name>
For example, to remove digi user:
# userdel -r digi
Use groupdel
to remove existing groups.
# groupdel <group_name>
Create users and groups at build time
The standard way for a recipe to add or modify system users or groups is with the useradd
class:
inherit useradd
This class uses the following variables:
-
USERADD_PACKAGES
specifies the output packages which include custom users/groups. For the main package, use the following:USERADD_PACKAGES = "${PN}"
-
USERADD_PARAM
specifies the command line arguments for the Linuxuseradd
command, to add new users to the system. You can create multiple users by separating the commands with a semicolon. -
GROUPADD_PARAM
defines the command line arguments for the Linuxgroupadd
command, to add new groups to the system. You can create multiple groups by separating the commands with a semicolon. -
GROUPMEMS_PARAM
contains the arguments for the Linuxgroupmems
command, which administers members of the user’s primary group.
The recipe useradd-example.bb is an example of using features from useradd
class.
inherit useradd
PASSWORD ?= "miDBHDo2hJSAA"
USERADD_PACKAGES = "${PN}"
USERADD_PARAM_${PN} = "--system --create-home \
--groups tty,digiapix \
--password ${PASSWORD} \
--user-group ${PN}"
You can generate the password on your host machine using the mkpasswd
Linux command-line utility.
Storing a password hash instead of plain text protects critical information in case of unauthorized system access. To generate the hash of your desired password, execute the following command in your development PC, where <password> is a password of your choice, and copy the output:
$ echo -n <password> | mkpasswd -5 -s | sed -e 's,\$,\\$,g'
For Debian-like distributions such as Ubuntu, the mkpasswd
command is part of the whois package.
$ sudo apt-get install whois
Change root password
You can establish the root user password in one of two ways:
Set the root password on a running system
In pre-built Digi images, root user does not require a password to login to any image built with debug-tweaks .
To build images with root password, see Set the root password at build time.
|
To create a new password for the running user:
-
Execute the
passwd
command in your device shell and enter a new password.Device# passwd Changing password for root Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New password:
-
Once the new password is set, log out or reboot the system. The next time you login to the system, you must enter the username and established password.
This configuration will be persistent after reboots or power cycles.
Set the root password at build time
To establish the root user password at build time, follow these steps:
-
Generate the new password hash.
Storing a password hash instead of plain text protects critical information in case of unauthorized system access. To generate the hash of your desired password, execute the following command in your development PC and copy the output:
Development PC$ echo -n <password> | mkpasswd -5 -s | sed -e 's,\$,\\$,g'
For Debian-like distributions such as Ubuntu, the
mkpasswd
command is part of the whois package.Development PC$ sudo apt-get install whois
-
Edit the
local.conf
file of your project to add the following lines:local.conf# Change the root password: (specify its MD5) MD5_ROOT_PASSWD = "<password_hash_output>"
-
Remove the
debug-tweaks
feature in yourlocal.conf
by commenting the following line:local.conf# We default to enabling the debugging tweaks. #EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
-
Rebuild your project and upload the new root file system to the target.
-
The next time you log in to the system, you must enter the username and established root password.
Managing network privileges
Managing network connections is typically something only a user with administrator privileges can do. However, you can also enable a regular user or group to manage network connections:
NetworkManager privileges
Most network interfaces are handled by the NetworkManager daemon. NetworkManager uses polkit, a toolkit for defining and handling authorizations, to manage how users and groups access the network interfaces. Polkit uses a set of rules to determine who has access to different resources and actions.
For example, the meta-openembedded layer contains a recipe polkit-group-rule-network.bb
that:
-
Creates a group called network.
-
Adds a polkit rules file to give users of this group the permission to modify NetworkManager settings.
50-org.freedesktop.NetworkManager.rules/* give group 'network' rights to change settings */ /* taken from https://wiki.archlinux.org/index.php/NetworkManager#Set_up_PolicyKit_permissions */ polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) { return polkit.Result.YES; } });
You can add this recipe to your root file system or define your specific users, groups, and privileges using a similar approach. See the polkit documentation for additional information on this tool.
Bluetooth privileges
Bluetooth security policies are handled via the configuration file /etc/dbus-1/system.d/bluetooth.conf
.
For example, to allow users of a group called bluetooth to do certain actions on the Bluetooth, add the following to the configuration file:
<policy group="bluetooth">
<allow own="org.bluez"/>
<allow send_destination="org.bluez"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.bluez.LEAdvertisement1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
This is just an example. See BlueZ documentation for additional BlueZ D-Bus API interfaces.