User root disabled - can login via serial console

Started by chemlud, September 17, 2016, 11:30:11 AM

Hi again!

User root is disabled in user management, but by chance I noticed that this user can login via serial console anyway.

Bug or feature?

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hi there,

I think it's a safety-belt feature of sorts, the root account can't be completely locked.

I found something here: http://unix.stackexchange.com/questions/25619/is-it-possible-and-a-good-idea-to-do-pw-lock-root-on-freebsd

We have sudo and such, but not being able to do "sudo su" will lock you out of the console menu, although "su /usr/local/etc/rc.initial" will probably still work.

The best way to deal with root is to set a strong random password, but I will try to run my box in locked root mode for a bit to see if it makes a difference.

The other way to deal with this would be to prevent root from being able to set the account to locked in the GUI.

Thoughts? :D


Cheers,
Franco


And the result...

franco@sensey:~ % sudo su
su: Sorry
franco@sensey:~ % sudo -s csh
root@sensey:/home/franco # exit
exit
franco@sensey:~ % sudo -s /usr/local/etc/rc.initial

0) Logout                             7) Ping host
1) Assign Interfaces                  8) Shell
2) Set interface(s) IP address        9) pfTop
3) Reset the root password           10) Filter Logs
4) Reset to factory defaults         11) Restart web interface
5) Power off system                  12) Upgrade from console
6) Reboot system                     13) Restore a configuration

Enter an option: 0

franco@sensey:~ %


Doesn't look so bad, maybe we can remove the lock-restriction after all.

Hi Franco!

I would love to have an additional checkbox "disable root login in serial console" or a comment at the "disable root" event telling the user that root, although disabled, can still log in via serial. :-)
kind regards
chemlud

Moin,

I went with the patch below, it seems to work fine. The system comes back up ok after reboot. I've added a validation to prevent the user from disabling herself, we had weird things happening earlier with deleting your current user so that makes a bit of sense...

The only thing I haven't tested is to switch on the console auto-login to see if that breaks or loops (not around a serial port ATM). Maybe you want to try:

# opnsense-patch d569a8e1


Cheers,
Franco

https://github.com/opnsense/core/commit/d569a8e1

I tested the password-protect console menu option: if you disable this it will log you in as root since the shell is properly set. If you disable it, you cannot log in as root because the password hash is "*" and that means no way to login.

On reboot, the behaviour is correct and flipping the option locks and unlocks the console, too.

But when you try to login as root when disabled, you cannot flip the console back to auto-login afterwards. It needs a reboot.

I guess this all "works as intended", auto-login for getty is relatively new in FreeBSD itself (not in 10.0 and maybe even 10.3 itself, but I don't know) and not a lot of people would think of disabling their root accounts.

I'm keeping it on devel for now, but will probably hit 16.7.x in a few weeks anyway. Thanks again. :)
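The two mechanisms described in this post, the "*" password hash that blocks root password logins and the getty autologin that hands out a root shell without consulting that hash, can be audited from a shell. The script below is an added example and is not code from the thread or from OPNsense; it runs on constructed master.passwd and gettytab data embedded in the script, and the gettytab entry name al.Pc is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or OPNsense: audit the two settings the post
# above describes, a "*" root hash in master.passwd (no password can match) and a
# getty autologin entry that hands out a root shell regardless of that hash.
# Everything below is constructed sample data standing in for the real files.
# Constructed master.passwd lines: root locked with "*", plus one normal user.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
franco:$6$saltsalt$constructedhash:1000:1000::0:0:Franco:/home/franco:/bin/sh'

# Constructed gettytab entries; "al=root" is getty's autologin capability.
# The entry name al.Pc is an assumption, not necessarily what OPNsense uses.
SAMPLE_GETTYTAB='al.Pc|Pc console:\
        :al=root:ht:np:sp#115200:
Pc|Pc console:\
        :ht:np:sp#115200:'

# password_hash USER -> prints the hash field of USER
password_hash() {
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# is_locked USER -> true when the hash is "*" or starts with "!" (no password matches)
is_locked() {
    case "$(password_hash "$1")" in '*'*|'!'*) return 0 ;; *) return 1 ;; esac
}

# autologin_user ENTRY -> prints the al= user of a gettytab entry, nothing if unset
autologin_user() {
    printf '%s\n' "$SAMPLE_GETTYTAB" | awk -v e="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join "\"-continued lines
        {
            n = split(buf $0, f, ":"); buf = ""
            m = split(f[1], names, "|"); hit = 0          # entry names are "|"-separated
            for (j = 1; j <= m; j++) if (names[j] == e) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++)
                if (f[i] ~ /^al=/) { sub(/^al=/, "", f[i]); print f[i]; exit }
        }'
}

# console_status ENTRY -> autologin-as-root | root-locked | root-password
console_status() {
    if [ "$(autologin_user "$1")" = root ]; then
        echo autologin-as-root      # the locked hash is never consulted
    elif is_locked root; then
        echo root-locked
    else
        echo root-password
    fi
}
```

Pointing the two SAMPLE_ variables at the real /etc/master.passwd and /etc/gettytab contents turns this into a quick check that a "disabled" root is not still reachable through an autologin console entry.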

ooops, that was fast! Didn't have time to test yet, will try soon :-)

Many thanks!
kind regards
chemlud