Introduction

Developers often need shell access to their Chromium OS device in order to sanely debug things in the system. Think opening crosh and typing "shell", and then logging in as root with "sudo". Or logging into a VT console when the UI is broken. Or logging in remotely via ssh.

However, this kind of access is at odds with providing a simple system that is as secure as possible, so we need to analyze the trade-offs.

Goals

Summary

TODO(vapier)

Buildtime

TODO(vapier)

Runtime

Developer Mode Disabled

VT Switching

When X is launched by the session manager, it is passed the -maxvt flag set to 0. This way X itself ignores the key combos.

Sysrq Magic Key

The hotkey-access.conf script will turn off all sysrq requests except for the "x" key by updating

Crosh Shell

The crosh script is still available, but it does not allow access to the "shell" command (among others).

SSH

The ssh server is not included in the base image, so it will never autostart. If it was started somehow, then the sections below apply (which is to say, it still wouldn't allow logins).

sudo/su

These cannot be run directly (as no shell is available), but even then, access is denied via pam.

pam

A custom pam stack ("chromeos-auth") is installed that handles authentication for the "login" and "sudo" services. When developer mode is disabled, this stack will skip itself and continue to the normal system stacks.

For more details on pam, see The Linux-PAM System Administrators' Guide.

groups

The chronos account is not part of the admin groups that would implicitly grant access (e.g.

passwords

The system password database (/etc/shadow) is in the read-only rootfs and cannot be modified. The default images will list accounts with passwords set to "*" (so that password authentication will fail).

The user's custom dev mode password is not checked at all (see the pam section above).

Developer Mode Enabled

VT Switching

When X is launched by the session manager, it is passed the -maxvt flag set to 2. This allows access to the VT2 console. Access is controlled by pam.

Sysrq Magic Key

The hotkey-access.conf script will enable all sysrq requests.

Crosh Shell

The crosh script allows access to the "shell" command (among others).

SSH

If it is launched by hand, or using a test image that autolaunches it, access is controlled by the sections below.

sudo/su

Access is controlled by pam.

pam

A custom pam stack ("chromeos-auth") is installed that handles authentication for the "login" and "sudo" services. When developer mode is enabled, this stack will:

Note that this only applies to this particular stack. Other pam stacks may allow/deny independently.

For more details on pam, see The Linux-PAM System Administrators' Guide.

groups

The chronos account is not part of the admin groups that would implicitly grant access (e.g.

passwords

The system password database (/etc/shadow) is in the read-only rootfs and cannot be modified. The default images will list accounts with passwords set to "*" (so that password authentication will fail).

The user may set a custom password at runtime with the
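
The properties stated in the groups and passwords sections can be checked mechanically against shadow(5) and group(5) data. The script below is an added example, not code from Chromium OS; the function names, the group names "admins" and "ops", and all sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Both functions read their input file on stdin.

# Print "name<TAB>reason" for each account whose shadow password field would
# let password authentication succeed. A field of "*" or one starting with
# "!" holds no valid hash; an empty field means no password is required.
password_capable_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }                      # comments, blank or malformed lines
        $2 == ""       { print $1 "\tempty"; next }
        $2 !~ /^[*!]/  { print $1 "\thash" }
    '
}

# Exit 0 if ACCOUNT appears in the member list of any named group.
# usage: account_in_groups ACCOUNT GROUP... < group-file
# Only supplementary membership (field 4) is checked, not the primary GID.
account_in_groups() {
    account=$1; shift
    awk -F: -v a="$account" -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) { k = split($4, m, ","); for (i = 1; i <= k; i++) if (m[i] == a) found = 1 }
        END { exit !found }
    '
}

# Constructed sample data (not taken from a real image).
sample_shadow() {
cat <<'EOF'
root:*:::::::
chronos:*:::::::
devuser:$6$CONSTRUCTEDSALT$constructedhash:19000:0:99999:7:::
nopass::19000::::::
locked:!$6$CONSTRUCTEDSALT$constructedhash:19000::::::
EOF
}

sample_group() {
cat <<'EOF'
admins:x:900:devuser
ops:x:901:
chronos:x:1000:chronos
EOF
}

# Demo: on the sample, only devuser and nopass are reported.
sample_shadow | password_capable_accounts
```

On a device, feed the real files on stdin and pass the admin group names that apply to your image.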