如何配置 yocto 以使任何人都不能在 yocto 映像中以 root 身份登录

Question

I am building a yocto image and I do not want anyone being able to login as root in it. I do not wish to remove the account but here is what I want to accomplish. I want to disable root account access from terminal as well as ssh or create a password that will never validate. I want to make all files root owner and set them to 700 permissions.

Answer 1

Add these lines to your image recipe.

inherit extrausers

EXTRA_USERS_PARAMS = "usermod -L -e 1 root; "

This locks the password and expires the account. Make sure you don't have debug-tweaks or empty-root-password in your IMAGE_FEATURES.

$ man usermod
   ...
   -e, --expiredate EXPIRE_DATE
       The date on which the user account will be disabled. The date is
       specified in the format YYYY-MM-DD.

       An empty EXPIRE_DATE argument will disable the expiration of the
       account.

       This option requires a /etc/shadow file. A /etc/shadow entry will
       be created if there were none.
   ...
   -L, --lock
       Lock a user's password. This puts a '!' in front of the encrypted
       password, effectively disabling the password. You can't use this
       option with -p or -U.

       Note: if you wish to lock the account (not only access with a
       password), you should also set the EXPIRE_DATE to 1.

Checked:

• Login with ssh is not possible, even though PermitRootLogin yes is set in /etc/ssh/sshd_config
• $ su - root is not possible, even though the login shell in /etc/passwd still points to /bin/bash instead of /sbin/nologin
• Login to ftp server via root is not possible

Not Checked:

• I did not check what happens if we add systemd.unit=rescue.target or systemd.unit=emergency.target to the kernel commandline.
• ... ?