linuxpermissionsbuildrootpamsu

Avoid non-root user scaling to root using su command in a buildroot rootfs


Building a rootfs using buildroot. My rootfs creates the "admin" user using this users-tables.txt:

# cat ./board/corp/main/users-table.txt
# <username> <uid> <group> <gid> <password> <home>      <shell>  <groups> <comment>
admin        -1    admin   -1    =1234      /home/admin     /bin/sh  -    Restricted admin user

User admin connects to rootfs using ssh connection.

ssh admin@192.168.1.123

This is the output of the id command:

$ id
uid=1002(admin) gid=1006(admin) groups=1006(admin)

The problem is, user admin can scale to root executing "su" command easily:

$ su
$ id
uid=0(root) gid=0(root) groups=0(root),10(wheel)

Trying to avoid that using the PAM library. But I am unable to setup my rootfs to work as expected. The rootfs has been created with this buildroot option enabled:

BR2_PACKAGE_LINUX_PAM=y

This is the content of some relevant files. If some other files can help debugging this issue, please let me know.

# cat /etc/passwd 
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:65534:65534:nobody:/home:/bin/false
dbus:x:1000:81:DBus messagebus user:/var/run/dbus:/bin/false
sshd:x:1001:1004:SSH drop priv user:/var/empty:/bin/false
admin:x:1002:1006:Restricted admin user:/home/admin:/bin/sh
# cat /etc/group 
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
kmem:x:9:
wheel:x:10:root
cdrom:x:11:
dialout:x:18:
floppy:x:19:
video:x:28:
audio:x:29:
tape:x:32:
www-data:x:33:
utmp:x:43:
plugdev:x:46:
staff:x:50:
lock:x:54:
haldaemon:x:68:
netdev:x:82:
ftp:x:83
nobody:x:99:
nogroup:x:99:
users:x:100:
default:x:1000:
input:x:1001:
render:x:1002:
kvm:x:1003:
sshd:x:1004:
sudo:x:1005:
admin:x:1006:
dbus:x:81:dbus
# cat /etc/sudoers
root ALL=(ALL) ALL
admin ALL=(ALL) ALL
%wheel ALL=(ALL) ALL

PAM with all deployed files is installed. I can check my running rootfs is using PAM library:

# ldd /bin/login | grep pam
        libpam.so.0 => /lib/libpam.so.0 (0xb6f3a000)
        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0xb6f27000)

I found some documents like this http://blog.serverbuddies.com/how-do-i-restrict-the-use-of-su-command/, explaining about the PAM configuration file for the shadow `su' service. I tested with this:

$ cat /etc/pam.d/su
auth    required    /lib/security/pam_wheel.so    use_uid 

As far as I understand, this line forces any user to be a member of group "wheel" in order to be able to run "su" command. As you can see in the previously listed files, admin user doesn't belong to "wheel" group. So, it shouldn't be able to execute the "su" command.

However, user "admin" executes "su" command, and it scales to root.

What am I doing wrong? Any help would be very appreciated.

Thanks a lot in advance!!


Solution

  • Just for reference to someone interested in this issue, the problem has been fixed. It was related with the "su" command, deployed by buildroot as a busybox applet. This applet doesn't work as expected despite CONFIG_PAM=y is enabled in busybox config file (vers 1.31.1).

    This are the steps we followed to fix this:

    1. Remove "su" applet from busybox
        # CONFIG_SU is not set
    
    1. Add "su" native command in buildroot:
        BR2_PACKAGE_UTIL_LINUX_SU=y
    
    1. Comment this line in /etc/pam.d/sudo in order to be able to execute sudo with admin user:
        #auth        required     pam_wheel.so use_uid
    
    1. Rebuild and flash the image.