root-login: Use local root account instead of NIAuth admin#1026
root-login: Use local root account instead of NIAuth admin#1026shubhanshumt26 wants to merge 7 commits into
Conversation
d075888 to
601703d
Compare
|
fyi: @doshirohan |
ni-auth is already pulled into BSI transitively via ni-auth-webservice, so listing it in NI_PROPRIETARY_COMMON_PACKAGES force-installs it a second time. Drop the explicit entry and let it come in through the normal dependency chain. Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
The NIAuth-backed 'admin' user shared its home (/home/admin) with root:
nilrt.conf overrode ROOT_HOME to /home/admin and niacctbase symlinked
/home/root -> /home/admin so both accounts landed in the same place.
With the move to a local root login this wiring is no longer wanted, so
let root use its own home directory.
* nilrt.conf: drop the ROOT_HOME = "/home/admin" override.
* niacctbase.bb: drop the /home/root -> /home/admin symlink from
useradd_preinst.
Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
In dist-next, ni-auth no longer ships its NSS and PAM modules, and BSI
only pulls ni-auth (not pam-plugin-niauth / libnss-niauth). The old
interactive login was the NIAuth-backed 'admin' user (empty password),
which only worked because login went through pam_niauth. With those
modules gone that login path no longer exists, so make the local root
account usable out of the box instead.
Add two image features to nilrt-image-base.inc:
* empty-root-password - keep root's /etc/shadow password field empty
(otherwise the rootfs postprocess zaps it
to '*').
* allow-empty-password - rewrite 'pam_unix.so nullok_secure' to plain
'nullok' in /etc/pam.d/* and set sshd
PermitEmptyPasswords. nullok_secure only
permits blank passwords from ttys in
/etc/securetty, which excludes SSH
(PAM_TTY=ssh), so without this an empty root
password could not log in over SSH.
The box ships open and is expected to be secured on first configuration
(see US 3111349).
Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
The niacctbase-sudo subpackage installed an /etc/sudoers.d drop-in that granted the NIAuth-backed 'admin' user passwordless sudo. With the move to a local root login that rule is obsolete: root (uid 0) is already the superuser and needs no sudoers entry. Remove the sudoers file and the niacctbase-sudo subpackage entirely. Note: the subpackage also RDEPENDED on sudo-lib (and the main package RRECOMMENDED it), so niacctbase no longer pulls sudo in. sudo is still installed on the runmode image via ni-tracefs-utils, which is part of packagegroup-ni-runmode. Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
601703d to
3a29b63
Compare
There was a problem hiding this comment.
Pull request overview
Updates NILRT dist-next images and supporting scripts to stop relying on the NIAuth-backed admin (UID 0) login path and instead make the local root account usable by default, while removing related legacy home-directory and packaging assumptions.
Changes:
- Enable empty-password root login via image features and drop the
ROOT_HOME=/home/adminoverride. - Remove NIAuth-era
admin-specific sudoers/symlink packaging and update scripts/tests that referenced/home/admin. - Adjust ownership/expected permissions in trace and filesystem-permissions tooling to align with
rootusage.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| recipes-ni/niacctbase/niacctbase/sudoers | Removes sudoers entry that allowed admin passwordless sudo. |
| recipes-ni/niacctbase/niacctbase.bb | Stops installing sudoers drop-in and removes /home/root -> /home/admin symlink logic. |
| recipes-ni/ni-tracefs-utils/files/traceextract | Updates extracted trace file ownership from admin to root. |
| recipes-ni/ni-test-boot-time/files/run-ptest | Switches InfluxDB info path from /home/admin to /home/root. |
| recipes-ni/ni-base-system-image-tests/files/test_fs_permissions_diff.sh | Switches MongoDB creds/args sourcing to /home/root. |
| recipes-ni/ni-base-system-image-tests/files/fs_permissions_known.py | Updates expected ownerships/paths from admin to root and /home/root expectations. |
| recipes-kernel/kernel-tests/kernel-tests-files/test_kernel_dmesg_diff.sh | Switches MongoDB creds/args sourcing to /home/root. |
| recipes-kernel/kernel-tests/kernel-containerized-performance-tests-files/test_kernel_cyclictest_iperf_containerized.sh | Updates container bind-mount from /home/admin to /home/root. |
| recipes-kernel/kernel-tests/kernel-containerized-performance-tests-files/test_kernel_cyclictest_hackbench_containerized.sh | Updates container bind-mount from /home/admin to /home/root. |
| recipes-kernel/kernel-tests/kernel-containerized-performance-tests-files/test_kernel_cyclictest_fio_containerized.sh | Updates container bind-mount from /home/admin to /home/root. |
| recipes-kernel/kernel-tests/files/run-docker-cyclictest | Updates docker run bind-mount from /home/admin to /home/root. |
| recipes-kernel/kernel-tests/files/run-cyclictest | Switches InfluxDB info path from /home/admin to /home/root. |
| recipes-kernel/kernel-tests/files/iperf-load | Switches iperf config path and help text from /home/admin to /home/root. |
| recipes-core/images/includes/nilrt-proprietary.inc | Removes forced ni-auth install from common proprietary package set. |
| recipes-core/images/includes/nilrt-image-base.inc | Enables empty-password root login features at the base-image level. |
| conf/distro/nilrt.conf | Removes NIAuth-era ROOT_HOME=/home/admin override. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| NI_PROPRIETARY_COMMON_PACKAGES = "\ | ||
| libnitargetcfg \ | ||
| ni-auth \ |
There was a problem hiding this comment.
How are we coordinating these changes with ni-auth's pam being removed? Let's follow up on offline
There was a problem hiding this comment.
We have already posted an announcement regarding breaking the dependencies of ni-auth. However, in the context of removing PAM from dist-next BSI, since it's only required by ni-auth, I believe we only need to be aware of this change. Is that correct?
f0cea04 to
5530509
Compare
5530509 to
87e36a1
Compare
87e36a1 to
c6efe8f
Compare
The system login is moving off the NIAuth-backed "admin" user (uid 0, group "administrators", home /home/admin) to the local "root" user (uid 0, group "root", home /root), since ni-auth no longer ships the NSS/PAM modules that resolved those names. Update the remaining in-tree references accordingly: - Test scripts: /home/admin -> /root (including the fs_permissions diff creds/args path and the test_exe_cap_support.c comment). - traceextract: chown admin:administrators -> chown root:root. With NIAuth gone those names no longer resolve, so under "set -e" the chown (and thus the script) would otherwise fail. The fs_permissions known-permissions baseline is updated in a separate commit. The NISystemWebServer "Require group administrators" directives are left as-is: they are NIAuth web-server authorization handled by ni-auth-webservice, not system /etc/group, and are unaffected by the system-login migration. Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
Part of the dist-next effort to modernize authentication in NILRT
(remove NIAuth integration, transition from 'admin' to 'root').
NIAuth previously shared root's home with the 'admin' user: nilrt.conf
overrode ROOT_HOME to /home/admin and niacctbase symlinked
/home/root -> /home/admin. With NIAuth removed there is no 'admin' user,
but LabVIEW and other components still carry many hardcoded references to
/home/admin, so that path must keep resolving to the superuser's home.
* nilrt.conf: set ROOT_HOME = "/root" (was /home/admin). /root matches
the systemd/UAPI file-system-hierarchy convention and the planned
systemd move, rather than the OE-core default /home/root.
* niacctbase.bb: symlink /home/admin -> /root in useradd_preinst
(reverse of the previous /home/root -> /home/admin link) so existing
/home/admin references keep working.
Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
…root With the login moved off NIAuth "admin" to local "root" and root's home relocated to /root (niacctbase now symlinks /home/admin -> /root), update the known-permissions baseline used by the fs_permissions ptest to match the resulting rootfs: - system files/dirs: owner admin -> root, group administrators -> root. - grub metadata: grubenv/grubenv.bak owner admin -> root (group ni unchanged); grub-ni-version/recoverytool-ni-version admin:administrators -> root:root. - /home tree: expect /home/admin as a 0777 root:root symlink to /root and drop the stale /home/root entry, which no longer exists. Signed-off-by: Shubhanshu Mani Tripathi <shubhanshu.mani.tripathi@emerson.com>
c6efe8f to
a7df11a
Compare
Summary of Changes
In dist-next,
ni-authno longer ships its NSS and PAM modules, and BSI only pullsni-auth(notpam-plugin-niauth/libnss-niauth/ni-auth-networkcontroller). The old interactive login was the NIAuth-backed'admin'user (empty password), which only worked because those modules were pulled in transitively. With them gone, that login path no longer exists, so make the localrootaccount usable out of the box instead.nilrt-image-base.inc: add the'empty-root-password'and'allow-empty-password'image features so root keeps an empty/etc/shadowfield and pam_unix/sshd accept it (the rootfs postprocess would otherwise zap it and nullok_secure would reject empty passwords over SSH).nilrt.conf: drop the NIAuth-eraROOT_HOME = "/home/admin"and create new overrideROOT_HOME = /rootto follow systemd convention and latest FHS suggestion (FYI).niacctbase.bb: drop the/home/root -> /home/adminsymlink from useradd_preinst and create new symlink from/home/admin/->/rootto support backward combability for LabVIEW VIs (FYI).nilrt-proprietary.inc: removeni-authfromNI_PROPRIETARY_COMMON_PACKAGES; it is pulled in via BSI dependencies and should not be force-installed here.Update all refs of
admin->rootas admin user won't exist in dist-next BSI.Justification
AB#3650235
Posted Announcement over Teams in multiple channels so that client teams are aware of this major change in Dist-Next.
Note: Don't merge immediately. We have dependency on this PR.
Testing
bitbake packagefeed-ni-core)bitbake nilrt-safemode-rootfs)bitbake nilrt-base-system-image)CRIO-9030target.snac-configureis working as expected.Note: I have built the images using the custom packages (niauth & other split packages) produced by this PR. Then created a custom feed so they are installed in BSI by default while building.
Snippets
Safemode
Runmode
Hardware Manager:

Safemode
Runmode

Note: In Hardware Manager we can't add a fresh target with root user (Dist-next case) directly we need to add it first from terminal using ssh. Filed Bug.
Password Synchronization
Procedure