Linux is a multi-user operating system where:
rootis the administrator who can perform privileged operations such as configuring the system, accessing to all interfaces, installing or removing software, etc.
allother usersare unprivileged and cannot do administrator-level operations.
Digi recommends you set a secure root password and create regular users for your applications.
Create users and groups
Digi recommends you create regular users to help protect the security of your system.
Digi Embedded Yocto creates the following specific groups:
digiapix: Digi APIX group to grant access to the interfaces managed by the APIs.
ggc_group: AWS Greengrass group (only applicable if Greengrass Core is installed in the root file system).
Manage accounts in a running system
Create a new user
Open your device shell and log in as root. Create a new user with default options and his own group with
useradd
.#< user_name > useradd
For example, to add user called digi, execute:
#useradd digi
Add a password to the new user with
passwd
.#passwd
For example, to set the password for a user calleddigi, issue
passwd digi
and type the password when prompted:#passwd digi Changing password for digi Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New password: Re-enter new password: passwd: password changed.
Once the new password is set, log out or reboot to log in as the new user.
Create a new group
Use thegroupadd
command to create a new group
#groupadd
Add a user to a group
Issueusermod
command to modify an existing user account and add it to an existing group.
#usermod -a -G
Where
Usegroups
to print group memberships for a specific user name.
#groups
For example, to add userdigito the digiapix group:
#usermod -a -G digiapix digi#groups digi digiapix digi
Remove existing users and groups
You can remove an existing user withuserdel
.
#userdel -r
For example, to removedigiuser:
#userdel -r digi
Usegroupdel
to remove existing groups.
#groupdel
Create users and groups at build time
The standard way for a recipe to add or modify system users or groups is with theuseradd
class:
inherit useradd
This class uses the following variables:
USERADD_PACKAGES
specifies the output packages which include custom users/groups. For the main package, use the following:USERADD_PACKAGES="${PN}"
USERADD_PARAM
specifies the command line arguments for the Linuxuseradd
command, to add new users to the system. You can create multiple users by separating the commands with a semicolon.GROUPADD_PARAM
defines the command line arguments for the Linuxgroupadd
command, to add new groups to the system. You can create multiple groups by separating the commands with a semicolon.GROUPMEMS_PARAM
contains the arguments for the Linuxgroupmems
command, which administers members of the user’s primary group.
The recipeuseradd-example.bbis an example of using features fromuseradd
class.
inherit useradd PASSWORD ?="miDBHDo2hJSAA"USERADD_PACKAGES="${PN}"USERADD_PARAM_${PN}="--system --create-home \--groups tty,digiapix \--password${PASSWORD}\--user-group${PN}"
You can generate the password on your host machine using themkpasswd
Linux command-line utility.
Storing a password hash instead of plain text protects critical information in case of unauthorized system access. To generate the hash of your desired password, execute the following command in your development PC, where
$echo -n | mkpasswd -5 -s | sed -e 's,\$,\\$,g'
For Debian-like distributions such as Ubuntu, themkpasswd
command is part of thewhoispackage.
$sudo apt-get install whois
Change root password
You can establish the root user password in one of two ways:
Set the root password on a running system
In pre-built Digi images, root user does not require a password to login to any image built withdebug-tweaks . To build images with root password, seeSet the root password at build time. |
To create a new password for the running user:
Execute the
passwd
command in your device shell and enter a new password.Device#passwd Changing password for root Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New password:
Once the new password is set, log out or reboot the system. The next time you login to the system, you must enter the username and established password.
This configuration will be persistent after reboots or power cycles.
Set the root password at build time
To establish the root user password at build time, follow these steps:
Generate the new password hash.
Storing a password hash instead of plain text protects critical information in case of unauthorized system access. To generate the hash of your desired password, execute the following command in your development PC and copy the output:
Development PC$echo - n <密码> | mkpasswd 5 s | sed - e ' s \ $,\\$,g'
For Debian-like distributions such as Ubuntu, the
mkpasswd
command is part of thewhoispackage.Development PC$sudo apt-get install whois
Edit the
local.conf
file of your project to add the following lines:local.conf# Change the root password: (specify its MD5)MD5_ROOT_PASSWD="
" Remove the
debug-tweaks
feature in yourlocal.conf
by commenting the following line:local.conf# We default to enabling the debugging tweaks.#EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
Rebuild your project and upload the new root file system to the target.
The next time you log in to the system, you must enter the username and established root password.
Managing network privileges
Managing network connections is typically something only a user with administrator privileges can do. However, you can also enable a regular user or group to manage network connections:
NetworkManager privileges
Most network interfaces are handled by the NetworkManager daemon. NetworkManager usespolkit, a toolkit for defining and handling authorizations, to manage how users and groups access the network interfaces. Polkit uses a set of rules to determine who has access to different resources and actions.
For example, themeta-openembeddedlayer contains a recipepolkit-group-rule-network.bb
that:
Creates a group callednetwork.
Adds a polkit rules file to give users of this group the permission to modify NetworkManager settings.
50-org.freedesktop.NetworkManager.rules/* give group'network'rights to change settings */ /* taken from https://wiki.archlinux.org/index.php/NetworkManager#Set_up_PolicyKit_permissions */ polkit.addRule(function(action, subject) {if(action.id.indexOf("org.freedesktop.NetworkManager.") ==0&& subject.isInGroup("network")) {returnpolkit.Result.YES; } });
You can add this recipe to your root file system or define your specific users, groups, and privileges using a similar approach. See thepolkit documentationfor additional information on this tool.
Bluetooth privileges
Bluetooth security policies are handled by systemd via the configuration file/etc/dbus-1/system.d/bluetooth.conf
.
For example, to allow users of a group calledbluetoothto do certain actions on the Bluetooth, add the following to the configuration file:
group="bluetooth">own="org.bluez"/>send_destination="org.bluez"/>send_interface="org.bluez.GattCharacteristic1"/>send_interface="org.bluez.GattDescriptor1"/>send_interface="org.bluez.LEAdvertisement1"/>send_interface="org.freedesktop.DBus.ObjectManager"/>send_interface="org.freedesktop.DBus.Properties"/>
This is just an example. SeeBlueZ documentationfor additional BlueZ D-Bus API interfaces.