Linux is a multi-user operating system where:

  • rootis the administrator who can perform privileged operations such as configuring the system, accessing to all interfaces, installing or removing software, etc.

  • allother usersare unprivileged and cannot do administrator-level operations.

Digi recommends you set a secure root password and create regular users for your applications.

Create users and groups

Digi recommends you create regular users to help protect the security of your system.

Digi Embedded Yocto creates the following specific groups:

  • digiapix: Digi APIX group to grant access to the interfaces managed by the APIs.

  • ggc_group: AWS Greengrass group (only applicable if Greengrass Core is installed in the root file system).

Manage accounts in a running system

Create a new user

  1. Open your device shell and log in as root. Create a new user with default options and his own group withuseradd.

    #< user_name > useradd

    For example, to add user called digi, execute:

    #useradd digi

  2. Add a password to the new user withpasswd.

    #passwd

    For example, to set the password for a user calleddigi, issuepasswd digiand type the password when prompted:

    #passwd digi Changing password for digi Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New password: Re-enter new password: passwd: password changed.

  3. Once the new password is set, log out or reboot to log in as the new user.

Create a new group

Use thegroupaddcommand to create a new group

#groupadd

Add a user to a group

Issueusermodcommand to modify an existing user account and add it to an existing group.

#usermod -a -G

Whereis the user login name to add to the group specified in.

Usegroupsto print group memberships for a specific user name.

#groups

For example, to add userdigito the digiapix group:

#usermod -a -G digiapix digi#groups digi digiapix digi

Remove existing users and groups

You can remove an existing user withuserdel.

#userdel -r

For example, to removedigiuser:

#userdel -r digi

Usegroupdelto remove existing groups.

#groupdel

Create users and groups at build time

The standard way for a recipe to add or modify system users or groups is with theuseraddclass:

inherit useradd

This class uses the following variables:

  • USERADD_PACKAGESspecifies the output packages which include custom users/groups. For the main package, use the following:

    USERADD_PACKAGES="${PN}"

  • USERADD_PARAMspecifies the command line arguments for the Linuxuseraddcommand, to add new users to the system. You can create multiple users by separating the commands with a semicolon.

  • GROUPADD_PARAMdefines the command line arguments for the Linuxgroupaddcommand, to add new groups to the system. You can create multiple groups by separating the commands with a semicolon.

  • GROUPMEMS_PARAMcontains the arguments for the Linuxgroupmemscommand, which administers members of the user’s primary group.

The recipeuseradd-example.bbis an example of using features fromuseraddclass.

Example snippet of a recipe using the useradd class
inherit useradd PASSWORD ?="miDBHDo2hJSAA"USERADD_PACKAGES="${PN}"USERADD_PARAM_${PN}="--system --create-home \--groups tty,digiapix \--password${PASSWORD}\--user-group${PN}"

You can generate the password on your host machine using themkpasswdLinux command-line utility.

Storing a password hash instead of plain text protects critical information in case of unauthorized system access. To generate the hash of your desired password, execute the following command in your development PC, whereis a password of your choice, and copy the output:

Development PC
$echo -n| mkpasswd -5 -s | sed -e 's,\$,\\$,g'

For Debian-like distributions such as Ubuntu, themkpasswdcommand is part of thewhoispackage.

Development PC
$sudo apt-get install whois

Change root password

You can establish the root user password in one of two ways:

Set the root password on a running system

In pre-built Digi images, root user does not require a password to login to any image built withdebug-tweaks. To build images with root password, seeSet the root password at build time.

To create a new password for the running user:

  1. Execute thepasswdcommand in your device shell and enter a new password.

    Device
    #passwd Changing password for root Enter the new password (minimum of 5 characters) Please use a combination of upper and lower case letters and numbers. New password:

  2. Once the new password is set, log out or reboot the system. The next time you login to the system, you must enter the username and established password.

    This configuration will be persistent after reboots or power cycles.

Set the root password at build time

To establish the root user password at build time, follow these steps:

  1. Generate the new password hash.

    Storing a password hash instead of plain text protects critical information in case of unauthorized system access. To generate the hash of your desired password, execute the following command in your development PC and copy the output:

    Development PC
    $echo - n <密码> | mkpasswd 5 s | sed - e ' s \ $,\\$,g'

    For Debian-like distributions such as Ubuntu, themkpasswdcommand is part of thewhoispackage.

    Development PC
    $sudo apt-get install whois

  2. Edit thelocal.conffile of your project to add the following lines:

    local.conf
    # Change the root password: (specify its MD5)MD5_ROOT_PASSWD=""

  3. Remove thedebug-tweaksfeature in yourlocal.confby commenting the following line:

    local.conf
    # We default to enabling the debugging tweaks.#EXTRA_IMAGE_FEATURES ?= "debug-tweaks"

  4. Rebuild your project and upload the new root file system to the target.

  5. The next time you log in to the system, you must enter the username and established root password.

Managing network privileges

Managing network connections is typically something only a user with administrator privileges can do. However, you can also enable a regular user or group to manage network connections:

NetworkManager privileges

Most network interfaces are handled by the NetworkManager daemon. NetworkManager usespolkit, a toolkit for defining and handling authorizations, to manage how users and groups access the network interfaces. Polkit uses a set of rules to determine who has access to different resources and actions.

For example, themeta-openembeddedlayer contains a recipepolkit-group-rule-network.bbthat:

  1. Creates a group callednetwork.

  2. Adds a polkit rules file to give users of this group the permission to modify NetworkManager settings.

    50-org.freedesktop.NetworkManager.rules
    /* give group'network'rights to change settings */ /* taken from https://wiki.archlinux.org/index.php/NetworkManager#Set_up_PolicyKit_permissions */ polkit.addRule(function(action, subject) {if(action.id.indexOf("org.freedesktop.NetworkManager.") ==0&& subject.isInGroup("network")) {returnpolkit.Result.YES; } });

You can add this recipe to your root file system or define your specific users, groups, and privileges using a similar approach. See thepolkit documentationfor additional information on this tool.

Bluetooth privileges

Bluetooth security policies are handled by systemd via the configuration file/etc/dbus-1/system.d/bluetooth.conf.

For example, to allow users of a group calledbluetoothto do certain actions on the Bluetooth, add the following to the configuration file:

/etc/dbus-1/system.d/bluetooth.conf
group="bluetooth">own="org.bluez"/>send_destination="org.bluez"/>send_interface="org.bluez.GattCharacteristic1"/>send_interface="org.bluez.GattDescriptor1"/>send_interface="org.bluez.LEAdvertisement1"/>send_interface="org.freedesktop.DBus.ObjectManager"/>send_interface="org.freedesktop.DBus.Properties"/>

This is just an example. SeeBlueZ documentationfor additional BlueZ D-Bus API interfaces.