On my 22.03 installation, the luci login screen allows typing in a username other than 'root' (I remember that wasn't the case back in the days of openwrt 18). However, it seems it is not possible to actually sign in as a different user even if the user does exist, has their password set and is added to the wheel[/adm/sudo] group.
I tried searching for stuff like 'luci multi user' but all results seem to be years old and usually require manual alteration of your local luci installation's source code which is a terrible approach anyway. Is there any official solution, like some luci plugin, or at least anything that is maintainable, maintained, known to work and can be installed with something like curl xxxx | opkg do-stuff?
Create a local non-root account. This one can have sudo grants if needed.
When you are sure that ssh is working properly, edit the file /etc/config/rpcd with sudo or as the root user. Add a section for the newly created non-root user:
config rpcd
	option socket /var/run/ubus/ubus.sock
	option timeout 30

config login
	option username 'root'
	option password '$p$root'
	list read '*'
	list write '*'

config login
	option username 'matthias.account'
	option password '$p$matthias.account'
	list read '*'
	list write '*'
The password matches the SSH login. If you delete the line "list write '*'", then the user is limited to read access.
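To make the mechanism behind these login sections concrete, here is an added audit script (not code from this thread or from OpenWrt). It assumes, as rpcd's session module does, that the names in list read / list write are ACL group names defined in /usr/share/rpcd/acl.d/*.json and that '*' selects every defined group; it treats the read and write lists independently (an assumption of this script). The rpcd config and the ACL groups embedded below are constructed samples, not files copied from a router, so run it against your own files to see what a given user actually gets.

```python
"""Resolve which ubus objects a /etc/config/rpcd login section grants.

Added example, not part of the thread or of OpenWrt. Assumptions:
- names in `list read` / `list write` are ACL group names from
  /usr/share/rpcd/acl.d/*.json; '*' means every defined group;
- read and write lists are resolved independently of each other.
"""
import re

# Constructed /etc/config/rpcd, mirroring the layout used in the thread.
RPCD_CONFIG = """
config rpcd
	option socket /var/run/ubus/ubus.sock
	option timeout 30

config login
	option username 'root'
	option password '$p$root'
	list read '*'
	list write '*'

config login
	option username 'matthias.account'
	option password '$p$matthias.account'
	list read '*'

config login
	option username 'user'
	option password '$p$user'
	list write 'network'
	list write 'luci-app-firewall'
"""

# Constructed ACL groups in the shape of /usr/share/rpcd/acl.d/*.json:
# group name -> "read"/"write" -> "ubus" -> object -> allowed methods.
ACL_FILES = {
    "luci-base.json": {
        "luci-base": {
            "description": "constructed sample: basic LuCI procedures",
            "read": {"ubus": {"luci": ["getVersion"], "luci-rpc": ["getBoardJSON"]}},
            "write": {"ubus": {"luci": ["setInitAction"]}},
        }
    },
    "luci-app-firewall.json": {
        "luci-app-firewall": {
            "description": "constructed sample: firewall configuration",
            "read": {"ubus": {"uci": ["get"]}},
            "write": {"ubus": {"uci": ["set", "commit"]}},
        }
    },
}

_UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_logins(text):
    """Return the `config login` sections as dicts with username/read/write."""
    logins, current = [], None
    for line in text.splitlines():
        m = _UCI_LINE.match(line)
        if not m:
            continue
        kind, name, value = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            # only `config login` sections carry user grants
            current = {"username": None, "read": [], "write": []} if name == "login" else None
            if current is not None:
                logins.append(current)
        elif current is None:
            continue
        elif kind == "option" and name == "username":
            current["username"] = _unquote(value)
        elif kind == "list" and name in ("read", "write"):
            current[name].append(_unquote(value))
    return logins


def load_groups(acl_files):
    """Merge every top-level group from all acl.d files into one dict."""
    groups = {}
    for spec in acl_files.values():
        groups.update(spec)
    return groups


def resolve(login, groups):
    """Map a login section to ubus objects/methods it may read or write."""
    result = {"username": login["username"], "read": {}, "write": {}, "unknown": []}
    for access in ("read", "write"):
        selected = []
        for name in login[access]:
            if name == "*":
                selected.extend(groups)
            elif name in groups:
                selected.append(name)
            else:
                # not an ACL group name: this entry grants nothing
                result["unknown"].append(name)
        for group in selected:
            for obj, methods in groups[group].get(access, {}).get("ubus", {}).items():
                result[access].setdefault(obj, set()).update(methods)
    return result


def audit(config_text=RPCD_CONFIG, acl_files=ACL_FILES):
    groups = load_groups(acl_files)
    return {lg["username"]: resolve(lg, groups) for lg in parse_logins(config_text)}


if __name__ == "__main__":
    for user, grants in audit().items():
        print(user, "read:", sorted(grants["read"]), "write:", sorted(grants["write"]),
              "unknown:", grants["unknown"])
```

In the constructed sample, 'root' and 'matthias.account' both read every object, only 'root' can write, and the 'user' entry's 'network' is reported as unknown because it is a ubus object name rather than an ACL group, so it grants nothing; that is the kind of mismatch this script is meant to surface before you test a login in the browser.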
Thanks, but it's still not clear what to do with that. Is there a complete list of these... categories you can enable read/write access for? ubus list yields different results for root and non-root users. Besides, adding a list write record for every sudo ubus list entry has zero effect anyway - I'm getting 403 forbidden when trying to access luci.
config login
	option username 'user'
	option password '$p$user'
	list write 'dhcp'
	list write 'dnsmasq'
	list write 'hostapd'
	list write 'hostapd.*'
	list write 'luci'
	list write 'luci-rpc'
	list write 'network'
	list write 'wpa_supplicant'
	list write 'uci'
	#list read '*'
If I uncomment the last line, that would enable the luci access, however everything inside luci becomes read-only which is not what I want.
For my non-root user I want full access to everything you can do with a typical consumer router running vendor firmware (routing, port forwarding, setting ssid, setting wpa key, etc) and zero access to sudo stuff (like package management and crontab). Any ideas how to do that?
Sorry, I don't know which specific write grants are available.
I am mainly aiming for non-root access to improve security and reduce the possibility of "guessing" the username/password combination.
Enabling read access as the minimal setting seems logical to me to allow login.