[SOLVED] Add new user from UCI

Hello,

Is there a way to add users and groups from UCI? I really like the idea of easily replicating my setup to another router/LEDE build, so UCI is my savior, but what about users and groups? In particular, I want to add a new user to restrict access to my backup directory, which will be populated with restic.
Thank you :)

Users (and user groups) are not kept in UCI, and thus cannot be modified through uci commands. You can directly edit /etc/passwd (and /etc/groups and /etc/shadow if you have to), or use the more convenient/safe shadow-useradd/groupadd/usermod packages. See https://wiki.openwrt.org/doc/howto/secure.access#create_a_non-privileged_user_in_openwrt for a starting pointer.

LEDE/OpenWrt is a single user OS, with the only reason to add users/groups being network user shares that I can think of. There's very little a non-root user can do if using SSH due to it being a single user mode OS.

OK, thanks for the clarification. But then could I copy-paste those files to another build with no compatibility issues?

I don't see why not, there are no system/installation-specific arguments in /etc/passwd (keeping users), /etc/groups (keeping groups), and /etc/shadow (keeping passwords). (OpenWrt does not have /etc/gshadow AFAIK.) If you want to be really safe, you can also just edit those files and copy-paste in the lines you added.

I'd encourage the use of google to understand what a single user mode OS is... LEDE/OpenWrt is a single user mode OS.

You have a fundamental misunderstanding of what a single user mode OS is

Yes, but again, what exactly are you utilizing users and groups for? Is the aforementioned backup directory a network share, as LEDE/OpenWrt has extremely limited functionality for utilizing the CLI as anyone but root?

  • If you copy /etc/shadow to another build, it will have the exact same root password as the build you're copying from. If you want a different root password on the new build, replace root's entry with:
    • root:*:17390:0:99999:7:::
    • Then on the new build, issue: passwd -a sha256
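
As an added example (not part of the thread, and not OpenWrt's own tooling), the script below does what the replies above describe: it copies only the extra account lines from an old build's /etc into a new one and never touches entries the new build already has, so root keeps the new build's password. The function names and the two directory arguments are assumptions; it needs only POSIX sh, awk and cut.

```shell
#!/bin/sh
# Added example (not from the thread): carry only the extra accounts from an
# old build's /etc into a new one. Directory arguments are assumptions.

# has_field FILE N VALUE: true if some entry in FILE has field N equal to VALUE
has_field() {
    awk -F: -v n="$2" -v v="$3" '($n "") == (v "") { f = 1 } END { exit !f }' "$1"
}

# merge_file OLD NEW: append entries of OLD whose name is not yet in NEW.
# Entries NEW already has (root included) are kept as they are, and an entry
# whose numeric id (field 3) is already taken in NEW is skipped with a warning.
merge_file() {
    [ -f "$1" ] || return 0
    [ -f "$2" ] || : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%:*}
        [ -n "$name" ] || continue
        has_field "$2" 1 "$name" && continue
        id=$(printf '%s\n' "$line" | cut -d: -f3)
        if has_field "$2" 3 "$id"; then
            echo "skip $name: id $id already in use in $2" >&2
            continue
        fi
        printf '%s\n' "$line" >> "$2"
    done < "$1"
    return 0
}

# merge_accounts OLD_ETC NEW_ETC
merge_accounts() {
    merge_file "$1/passwd" "$2/passwd"
    merge_file "$1/group" "$2/group"    # groups live in /etc/group
    # shadow has no id field: take a line only if the account now exists in
    # the new passwd and has no shadow entry yet, so root's hash never moves.
    [ -f "$1/shadow" ] || return 0
    [ -f "$2/shadow" ] || : > "$2/shadow"
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%:*}
        [ -n "$name" ] || continue
        has_field "$2/passwd" 1 "$name" || continue
        has_field "$2/shadow" 1 "$name" && continue
        printf '%s\n' "$line" >> "$2/shadow"
    done < "$1/shadow"
    chmod 600 "$2/shadow"
}

# Usage: sh merge-accounts.sh /path/to/old/etc /path/to/new/etc
if [ "$#" -eq 2 ]; then merge_accounts "$1" "$2"; fi
```

Run it against copies of the two /etc directories first and review the result before putting the files on the new router.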

Same difference for this conversation.

The creation of accounts should work. You will have to make sure you work on all file permissions for things like file servers (please note that changing settings such as permissions of files that were flashed with the firmware will slightly reduce available space because of changes being noted on the overlay FS).

Also, those accounts cannot be configured to boot up the LEDE device and run it, without a major re-write of the OS, as (I won't use the S.U.O.S. phrase) the OS is designed only to run as ONE user - 'root'.

I just want my "users" to be able to r/w only in specific areas of the FS, via SFTP, with no root permissions. It's just a matter of creating security confinements. These areas would be /mnt/path1, /mnt/path2 etc. Groups, instead, would be useful with Samba, for the same reason (If possible. I don't know SMB very well and I don't know if I can use groups, but that's another story).

See this article on setting up users and groups using Samba...

https://www.samba.org/samba/docs/using_samba/ch09.html

Were you able to figure out a way to build a rootfs with certain files and folders installed as non-root?
Example:
dnsmasq runs with a non-root uid in OpenWrt. Restrict ownership of the /etc/dnsmasq folder to uid "dnsmasq" so that only processes with uid "root" or "dnsmasq" can have access to /etc/dnsmasq/

Again, OpenWrt is a single user mode OS... please see previous post
