Topic: Non-root login

I try to implement users other than root logging in to the web config GUI, but can't really succeed. Just get to a white page...

I have searched the web and this issue has been raised by others too, but I haven't found any solutions described - especially not for Backfire.

Does anyone know, if not a solution then at least a hint where to start?

I don't mind if the extra users are in the root group or even have full root rights - as long as they have a non-root name.

Re: Non-root login

T B wrote:

I try to implement users other than root logging in to the web config GUI, but can't really succeed. Just get to a white page...

I have searched the web and this issue has been raised by others too, but I haven't found any solutions described - especially not for Backfire.

Does anyone know, if not a solution then at least a hint where to start?

I don't mind if the extra users are in the root group or even have full root rights - as long as they have a non-root name.

Why do you want to make a multiuser router system?

3 (edited by zzz2002 2012-03-31 02:21:39)

Re: Non-root login

Security! Non-root user can look but not touch. Root user can do both.
Better, user can look but not touch! admin can look and touch some things. root has free run of the place.

Remember, in today’s world you are NOT the customer. You are the product being sold!

Re: Non-root login

http://wiki.openwrt.org/doc/howto/secure.access
http://wiki.openwrt.org/inbox/howto/dropbear-security

I think the obstacle to achieving this is busybox.

5 (edited by T B 2012-04-03 15:30:42)

Re: Non-root login

I managed to solve it by myself. Here it is for anyone else needing it:

I added user "test" to /etc/passwd:
test::100:0:testing:/tmp:/bin/ash

Then logged in as root on telnet and set test's password using the command "passwd test".

Then changed row 28 of /usr/lib/lua/luci/controller/admin/index.lua, from:
page.sysauth = "root"
to
page.sysauth = {"root","test"}

Badabing! That's the magic! Now both users "root" and "test" can log in to the web GUI.

Some minor issues still remain, some file access rights might need to be changed, but basically that's it.

Don't fool yourself when testing, and make the mistake I made:
Don't log in as two different users in two tabs of the same web browser. As the browser uses the same cookie for both tabs you will be asked to log in each time you change tabs and it seems like a bug.
But it is only because OpenWrt stores the sysauth in the cookie and it is different for each session.

However, if you log in from two different PCs (or say Chrome and Explorer on the same PC) it will work fine.

Re: Non-root login

It works like a charm, in my case the "other user" is in the root group (by giving it user id 0 and group id 0 in /etc/passwd), I don't have the file access rights problems.

Re: Non-root login

Thank you very much; this was a big help.

T B wrote:

I managed to solve it by myself. Here it is for anyone else needing it:

I added user "test" to /etc/passwd:
test::100:0:testing:/tmp:/bin/ash

Then logged in as root on telnet and set test's password using the command "passwd test".

Then changed row 28 of /usr/lib/lua/luci/controller/admin/index.lua, from:
page.sysauth = "root"
to
page.sysauth = {"root","test"}

Badabing! That's the magic! Now both users "root" and "test" can log in to the web GUI.

Some minor issues still remain, some file access rights might need to be changed, but basically that's it.

Don't fool yourself when testing, and make the mistake I made:
Don't log in as two different users in two tabs of the same web browser. As the browser uses the same cookie for both tabs you will be asked to log in each time you change tabs and it seems like a bug.
But it is only because OpenWrt stores the sysauth in the cookie and it is different for each session.

However, if you log in from two different PCs (or say Chrome and Explorer on the same PC) it will work fine.

Re: Non-root login

T B wrote:

I managed to solve it by myself. Here it is for anyone else needing it:

I added user "test" to /etc/passwd:
test::100:0:testing:/tmp:/bin/ash

Then logged in as root on telnet and set test's password using the command "passwd test".

Then changed row 28 of /usr/lib/lua/luci/controller/admin/index.lua, from:
page.sysauth = "root"
to
page.sysauth = {"root","test"}

Badabing! That's the magic! Now both users "root" and "test" can log in to the web GUI.

Some minor issues still remain, some file access rights might need to be changed, but basically that's it.

Don't fool yourself when testing, and make the mistake I made:
Don't log in as two different users in two tabs of the same web browser. As the browser uses the same cookie for both tabs you will be asked to log in each time you change tabs and it seems like a bug.
But it is only because OpenWrt stores the sysauth in the cookie and it is different for each session.

However, if you log in from two different PCs (or say Chrome and Explorer on the same PC) it will work fine.


It's a clever idea; the problem with this approach is that, as Lua runs as root, even when I log in as the test user it's the same as if I were root.

Have you thought about that?

Re: Non-root login

T B wrote:

I managed to solve it by myself. Here it is for anyone else needing it:

I added user "test" to /etc/passwd:
test::100:0:testing:/tmp:/bin/ash

Then logged in as root on telnet and set test's password using the command "passwd test".

Then changed row 28 of /usr/lib/lua/luci/controller/admin/index.lua, from:
page.sysauth = "root"
to
page.sysauth = {"root","test"}

Badabing! That's the magic! Now both users "root" and "test" can log in to the web GUI.

Some minor issues still remain, some file access rights might need to be changed, but basically that's it.

Don't fool yourself when testing, and make the mistake I made:
Don't log in as two different users in two tabs of the same web browser. As the browser uses the same cookie for both tabs you will be asked to log in each time you change tabs and it seems like a bug.
But it is only because OpenWrt stores the sysauth in the cookie and it is different for each session.

However, if you log in from two different PCs (or say Chrome and Explorer on the same PC) it will work fine.

I followed what you did and found that if I use a non-root user to log in through LuCI, I can set the configuration successfully! But the configuration doesn't take effect as soon as I set it; I must restart the related process manually. The root user doesn't need to do this.
So I also changed row 18 of /usr/lib/lua/luci/controller/admin/servicectl.lua, from:
sysauth = "root"
to
sysauth = {"root","test"}
OK, all the things have been done! Enjoy!

Re: Non-root login

futurezeng wrote:
T B wrote:

I managed to solve it by myself. Here it is for anyone else needing it:

I added user "test" to /etc/passwd:
test::100:0:testing:/tmp:/bin/ash

Then logged in as root on telnet and set test's password using the command "passwd test".

Then changed row 28 of /usr/lib/lua/luci/controller/admin/index.lua, from:
page.sysauth = "root"
to
page.sysauth = {"root","test"}

Badabing! That's the magic! Now both users "root" and "test" can log in to the web GUI.

Some minor issues still remain, some file access rights might need to be changed, but basically that's it.

Don't fool yourself when testing, and make the mistake I made:
Don't log in as two different users in two tabs of the same web browser. As the browser uses the same cookie for both tabs you will be asked to log in each time you change tabs and it seems like a bug.
But it is only because OpenWrt stores the sysauth in the cookie and it is different for each session.

However, if you log in from two different PCs (or say Chrome and Explorer on the same PC) it will work fine.

I followed what you did and found that if I use a non-root user to log in through LuCI, I can set the configuration successfully! But the configuration doesn't take effect as soon as I set it; I must restart the related process manually. The root user doesn't need to do this.
So I also changed row 18 of /usr/lib/lua/luci/controller/admin/servicectl.lua, from:
sysauth = "root"
to
sysauth = {"root","test"}
OK, all the things have been done! Enjoy!

Really, I don't know what you're talking about :)

I've tried it and found that

1) It was not necessary to create the test user; editing the Lua pages does it.
2) The test user, as you present it here, can do EVERYTHING.

On what version are you testing?

Re: Non-root login

Hello Everyone,

Here is a summary of the steps required for AA r34332

1. edit /etc/passwd and create an account. I used admin. Set the shell to /bin/false so users can't log in via ssh or the console using this account.
2. edit /etc/shadow and clone the root line and name it admin

here is my /etc/passwd
root:x:0:0:root:/tmp:/bin/ash
admin:x:100:100:admin:/root:/bin/false
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false

here is /etc/shadow
root:$1$dcjUpu/v$MGBl1uIAGSwTpV5Rwnmv50:15225:0:99999:7:::
admin:$1$q6rcQdCT$6Va8cqauOlDMAKvVX.HgH.:15225:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::

3. passwd admin and assign admin a new password
4. edit /usr/lib/lua/luci/controller/admin/index.lua and change line 28 to read
        page.sysauth = {"admin","root"}
5. edit /usr/lib/lua/luci/controller/admin/system.lua and change line 326 to read
       stat = luci.sys.user.setpasswd("admin", p1)
this is important or luci will change the root password instead of the admin password under system->administration
6. edit /usr/lib/lua/luci/controller/admin/servicectl.lua line 18 to read
      entry({"servicectl"}, alias("servicectl", "status")).sysauth = {"admin","root"}
this allows luci to save and activate changes.

Once this is done you can log in to LuCI as either root or admin. Note that when logging in as root (or admin), changing the password in the GUI only affects the password for admin. The only way to change the root password is via the shell. This is perfect for most, since you want the user to access the GUI and manage his account, but you want a service account that techs can use to do maintenance on the router no matter what the admin user has done in the GUI.

now secure the console using this
https://forum.openwrt.org/viewtopic.php?id=16900

and once that's done, root can log in via ssh or the console but admin can't.

take care.

--luis
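The procedure T B and luis describe (add a second account, give it a password, widen `sysauth` in index.lua, and point servicectl.lua and the password page in system.lua at the new account) as one script. This is an added example, not code from the thread or from OpenWrt/LuCI. It runs against a prefix (`""` for the live router, a scratch directory for a rehearsal) so the edits can be inspected before they touch /etc and /usr/lib/lua; it matches the lines by content rather than by the line numbers 28, 326 and 18 quoted above, since those move between releases; and it writes the account as locked (`*`, the marker the stock daemon/ftp/nobody entries use) instead of cloning root's shadow line, so the account is unusable until `passwd` has been run. The function names, the `LUCI_ADMIN_APPLY` switch and the assumption that BusyBox sh, grep, awk and cut are present are mine, not the thread's. As several replies point out, this changes only who may log in, not what a session may do: uhttpd runs LuCI as root, so the new account is as powerful as root inside the GUI.

```shell
#!/bin/sh
# Added example (not from the thread or from LuCI). Scripts the five manual
# steps of the summary above against a prefix, so they can be rehearsed on
# copied files before being applied to a router.
# Assumptions not stated in the thread: BusyBox sh, grep, awk and cut exist,
# and the controller files still carry the exact lines quoted above.
set -u

# Replace the one line of $1 containing the literal text $2 with $3.
# Refuses when the text is missing or occurs more than once, so a LuCI
# release that moved or reworded the line fails loudly instead of being
# silently half-patched. awk is used instead of sed so the text needs no
# regex escaping, and a temp file instead of sed -i for BusyBox/BSD parity.
patch_line() {
    file=$1; from=$2; to=$3
    n=$(grep -cF -- "$from" "$file" 2>/dev/null || true)
    n=${n:-0}
    if [ "$n" -ne 1 ]; then
        echo "patch_line: $n lines match '$from' in $file, expected 1" >&2
        return 1
    fi
    awk -v from="$from" -v to="$to" '
        { i = index($0, from)
          if (i) $0 = substr($0, 1, i - 1) to substr($0, i + length(from)) }
        1' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Steps 1 and 2: a GUI-only account. /bin/false blocks ssh/console sessions;
# the shadow entry is locked with '*' (the marker the stock daemon/ftp/nobody
# lines use) rather than a copy of root's line, so nobody can use the account
# before `passwd` gives it a hash of its own.
add_web_user() {
    prefix=$1; user=$2; uid=$3; gid=$4
    if grep -q "^$user:" "$prefix/etc/passwd"; then
        echo "add_web_user: $user already exists in $prefix/etc/passwd" >&2
        return 1
    fi
    printf '%s:x:%s:%s:%s:/var:/bin/false\n' "$user" "$uid" "$gid" "$user" >> "$prefix/etc/passwd"
    printf '%s:*:0:0:99999:7:::\n' "$user" >> "$prefix/etc/shadow"
}

# Succeeds only when the shadow field holds a usable hash. LuCI treats an
# empty, "x" or "!" field as "no password set" and then lets that account in
# with any password (the state its "No password set!" banner warns about), so
# an account should not appear in sysauth until this check passes.
web_user_has_password() {
    prefix=$1; user=$2
    field=$(grep "^$user:" "$prefix/etc/shadow" | cut -d: -f2)
    case "$field" in
        ''|x|'!'|'!'*|'*') return 1 ;;
        *) return 0 ;;
    esac
}

# Steps 1, 2, 4, 5 and 6. Step 3 (`passwd <user>`) is interactive and is
# left to the operator; until it is run the account is locked, not open.
setup_luci_admin() {
    prefix=$1; user=$2
    ctl=$prefix/usr/lib/lua/luci/controller/admin
    for f in index.lua servicectl.lua system.lua; do
        [ -f "$ctl/$f" ] || { echo "setup_luci_admin: $ctl/$f missing" >&2; return 1; }
    done
    add_web_user "$prefix" "$user" 100 100 || return 1
    # index.lua: let both accounts log in to the admin tree.
    patch_line "$ctl/index.lua" 'page.sysauth = "root"' \
        "page.sysauth = {\"root\",\"$user\"}" || return 1
    # servicectl.lua: otherwise changes saved by the new account are never applied.
    patch_line "$ctl/servicectl.lua" '.sysauth = "root"' \
        ".sysauth = {\"root\",\"$user\"}" || return 1
    # system.lua: the GUI password page must change the new account's
    # password, not root's.
    patch_line "$ctl/system.lua" 'setpasswd("root", p1)' \
        "setpasswd(\"$user\", p1)" || return 1
    echo "done; now run: passwd $user"
}

# On a router, apply for real (with the thread's account name) only when asked:
#   LUCI_ADMIN_APPLY=1 sh setup-luci-admin.sh && passwd admin
if [ "${LUCI_ADMIN_APPLY:-0}" = 1 ]; then
    setup_luci_admin "" admin
fi
```

To rehearse, copy /etc/passwd, /etc/shadow and the three controller files into a scratch directory with the same layout and call `setup_luci_admin /path/to/scratch admin`; `patch_line` refuses to touch a file whose expected line is absent or duplicated, which is the usual reason the manual edits above produce a blank page on a different release. Running `web_user_has_password "" admin` after `passwd admin` confirms the account carries a real hash before the GUI is exposed.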

Re: Non-root login

Luis, I thank you for your explanation, but I've tested it on AA 12.0.9-rc1 and doing that gives all the power to the admin user.

I only want that admin user perform reboot. Nothing More. I don't want to perform any changes at all.

I don't understand the utility of it.... Or perhaps should I try it on trunk?

Thanks in advance!

Re: Non-root login

the above scheme is intended for the following
1. allow root to login via the console, ssh, or luci to admin the system no matter what the admin user does
2. allow the admin user to admin the system only via luci.  The admin user can not get to a shell either via the serial console or ssh
3. allow the admin user to change the admin password without affecting the root account

My understanding is that you want the admin user to log in and only be able to reboot the system. In that case you probably want to keep the admin out of LuCI altogether. In that case I suggest you run virtual web hosting on your box: move LuCI to a different port (say 8080) and install a very simple web server on port 80 which allows the admin to log in and then execute reboot.

take care.

--luis

14 (edited by sebelk 2013-01-11 19:38:03)

Re: Non-root login

Do you mean set up a minimalistic parallel LuCI?
Can I hide all tabs except System > Reboot? Or is there a way to restrict LuCI to only a few pages, let's say Reboot, Realtime Graphs, etc.? By restrict I also mean disable; at this moment what I'd want is that the root user can do everything from the console and the admin user can only do a few things, for example reboot the system, take a look at connections, etc.

Thanks in advance!

15 (edited by nachoparker 2014-02-17 12:55:20)

Re: Non-root login

Hello,

I would like to contribute to the discussion in case my work helps someone looking into this issue. I made a patch for OpenWrt Barrier Breaker r39579, running LuCI Trunk (svn-r9934).

The goals of this patch are:

- Disable 'root' login in the web interface, so that we make a distinction between system and web interface administration. SSH/telnet interface still functional for 'root' user, but not for 'webadmin' user.

- Allow a new user "webadmin" full control of the web interface

- Disable web interface access to any system user other than 'webadmin'. Currently, any system user is able to input user/password and get a blank page if that user is not 'root' (or whatever sysauth is set to).

Patch follows:

--- a/package/base-files/files/etc/passwd    2014-02-12 18:01:03.271400588 +0100
+++ b/package/base-files/files/etc/passwd    2014-02-12 18:00:30.028065798 +0100
@@ -1,4 +1,5 @@
 root:x:0:0:root:/root:/bin/ash
+webadmin:x:0:0:webadmin:/var:/bin/false
 daemon:*:1:1:daemon:/var:/bin/false
 ftp:*:55:55:ftp:/home/ftp:/bin/false
 network:*:101:101:network:/var:/bin/false
--- a/package/base-files/files/etc/shadow    2014-02-12 18:00:58.744733723 +0100
+++ b/package/base-files/files/etc/shadow    2014-02-12 18:00:30.031399131 +0100
@@ -1,4 +1,5 @@
 root:x:0:0:99999:7:::
+webadmin:x:0:0:99999:7:::
 daemon:*:0:0:99999:7:::
 ftp:*:0:0:99999:7:::
 network:*:0:0:99999:7:::
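Review bot: the `x` copied from root's line means webadmin starts with no password at all, and since this patch also drops root from sysauth, a fresh flash lets anyone into the GUI as webadmin until someone has reached the box over telnet and run `passwd webadmin`; the post says the "no password" banner appears on first web login, which confirms that state. The install notes should make the ordering explicit (set the root password, then `passwd webadmin`, before exposing the web port), or ship the line locked with the `*` that daemon/ftp/network use in the same file so the account cannot be used until a password is set from the shell.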
--- a/feeds/luci/libs/web/luasrc/dispatcher.lua    2014-02-12 17:09:51.351265931 +0100
+++ b/feeds/luci/libs/web/luasrc/dispatcher.lua    2014-02-12 17:42:01.374683866 +0100
@@ -369,6 +369,13 @@ function dispatch(request)
                 ctx.urltoken.stok = nil
                 local user, sess = authen(luci.sys.user.checkpasswd, accs, def)
                 if not user or not util.contains(accs, user) then
+                    if ( not user ) then return end  -- send non 'webadmin' system user back to a login page with a user/pass error
+
+                    require("luci.i18n")
+                    require("luci.template")
+                    context.path = {}
+
+                    luci.template.render("sysauth", {duser=default, fuser=user})
                     return
                 else
                     local sid = sess or luci.sys.uniqueid(16)
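Review bot: `duser=default` on the `luci.template.render` line names a variable this hunk never defines; the default account is held in `def`, the value passed to `authen(...)` in the unchanged context line above, so `default` is a nil global in Lua and the re-rendered login form loses its prefilled user name. Use `duser=def`. Also, the inline comment sits on the `if ( not user ) then return end` line but describes what the render below does; move it next to the render and say why a bare `return` is enough on the bad-password path, so the next reader does not "fix" it into another blank page.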
--- a/feeds/luci/modules/admin-full/luasrc/controller/admin/index.lua    2014-02-12 17:09:51.357932598 +0100
+++ b/feeds/luci/modules/admin-full/luasrc/controller/admin/index.lua    2014-02-12 17:43:10.988020251 +0100
@@ -25,7 +25,7 @@ function index()
     page.target  = firstchild()
     page.title   = _("Administration")
     page.order   = 10
-    page.sysauth = "root"
+    page.sysauth = "webadmin"
     page.sysauth_authenticator = "htmlauth"
     page.ucidata = true
     page.index = true
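Review bot: with `page.sysauth` narrowed to the single string "webadmin", any other controller that still hard-codes `sysauth = "root"` rejects the only account that can now reach the GUI, with exactly the blank page this patch sets out to remove; the patch handles servicectl, but nothing here shows the rest of the tree was checked. Run `grep -rn 'sysauth = "root"' feeds/luci` and handle every hit, and verify separately that the password page (system.lua, which luis found calling `setpasswd("root", p1)` earlier in this thread) changes webadmin's password rather than root's as the post claims, since that file is not in this patch. Keeping a table here (`{"webadmin"}`) also makes adding a second web account later a one-word change.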
--- a/feeds/luci/modules/admin-core/luasrc/controller/admin/servicectl.lua    2014-02-13 13:51:16.181294149 +0100
+++ b/feeds/luci/modules/admin-core/luasrc/controller/admin/servicectl.lua    2014-02-13 13:49:46.877965041 +0100
@@ -15,7 +15,7 @@ $Id$
 module("luci.controller.admin.servicectl", package.seeall)
 
 function index()
-    entry({"servicectl"}, alias("servicectl", "status")).sysauth = "root"
+    entry({"servicectl"}, alias("servicectl", "status")).sysauth = luci.dispatcher.context.authuser
     entry({"servicectl", "status"}, call("action_status")).leaf = true
     entry({"servicectl", "restart"}, call("action_restart")).leaf = true
 end
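Review bot: `sysauth = luci.dispatcher.context.authuser` is evaluated inside `index()`, i.e. while the dispatcher is building the node tree, and nothing in this hunk shows that the current request has been authenticated by then. If it has not, the field is nil and a node without `sysauth` skips the login check entirely, which would leave `/servicectl/restart` callable without credentials; if it has, the node merely re-requires the user who is already logged in, which is a no-op. Either way the line does not express intent: set it to the same value index.lua uses (`"webadmin"`, or a shared table), and check with an unauthenticated `curl` against `.../servicectl/status` that the request is rejected.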
--- a/feeds/luci/themes/openwrt/luasrc/view/themes/openwrt.org/header.htm    2014-02-13 13:42:58.524651039 +0100
+++ b/feeds/luci/themes/openwrt/luasrc/view/themes/openwrt.org/header.htm    2014-02-13 13:50:26.807963153 +0100
@@ -177,10 +177,10 @@ if tree.nodes[category] and tree.nodes[c
             </div>
         </noscript>
 
-        <%- if luci.sys.process.info("uid") == 0 and luci.sys.user.getuser("root") and not luci.sys.user.getpasswd("root") and category ~= "failsafe" then -%>
+        <%- if luci.sys.process.info("uid") == 0 and luci.sys.user.getuser("webadmin") and not luci.sys.user.getpasswd("webadmin") and category ~= "failsafe" then -%>
                 <div class="errorbox">
                      <strong><%:No password set!%></strong><br />
-                     <%:There is no password set on this router. Please configure a root password to protect the web interface and enable SSH.%><br />
+                     <%:There is no password set on this router. Please configure an admin password to protect the web interface.%><br />
                      <a href="<%=pcdata(luci.dispatcher.build_url("admin/system/admin"))%>"><%:Go to password configuration...%></a>
                 </div>
                 <%- end -%>
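Review bot: changing the text inside the `<%:...%>` call changes its msgid, so every locale's existing .po entry for the old sentence stops matching and the banner falls back to English until the catalogs are updated; either keep the old string (still true of root over SSH, whose password is set separately in this scheme) or add the new msgid to the po files in the same patch. The surrounding `luci.sys.process.info("uid") == 0` test is about the uhttpd process, not the logged-in user, so it keeps working unchanged.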

In order to set the 'root' password, connect via telnet for the first time and issue 'passwd'. Use SSH after that.

On first login to the web interface, the usual 'warning, you need to set a password' message appears; changing the password in the web interface affects only the webadmin user.

Any attempt to log in as any system user other than 'webadmin' results in the familiar 'wrong user/password' message, instead of a blank page.

Regards

Ignacio Núñez Hernanz

AOIFES Solutions
www.aoifes.com

Re: Non-root login

Hi friend,

I tried the steps given in your post; it's still giving a blank page for me.

17 (edited by tacoal 2014-04-13 15:17:30)

Re: Non-root login

add a line in shadow
    openwrt:*:0:0:99999:7:::
add a line in passwd
    openwrt:x:100:100:openwrt:/home/openwrt:/bin/ash
add a line in group
    users:x:100:
add the following to rc.local (if you have a way to keep /home/openwrt after an update, skip this)
  # recreate the home directory if it is missing (e.g. after a sysupgrade)
  if [ ! -d /home/openwrt ]; then
    mkdir -p /home/openwrt
    chown openwrt /home/openwrt
    chgrp users /home/openwrt
  fi
issue a command to set the password for openwrt
    passwd openwrt

then you can log in using the user name openwrt after a reboot. If you want to log in without rebooting, execute the commands from rc.local by hand.