Developers often need shell access to their Chromium OS device in order to sanely debug things in the system. Think opening crosh and typing “shell”, and then logging in as root with “sudo”. Or logging into a VT console when the UI is broken. Or logging in remotely via ssh.
However, this system is at odds with providing a simple system that is as secure as possible, so we need to analyze the trade-offs.
TODO(vapier)
TODO(vapier)
When X is launched by the session manager, it is passed the -maxvt flag set to 0. This way X itself ignores the key combos.
The hotkey-access.conf script will turn off all sysrq requests except for the “x” key by updating /proc/sys/kernel/sysrq.
The crosh script is still available, but it does not allow access to the “shell” command (among others).
The ssh server is not included in the base image, so it will never autostart. If it was started somehow, then the sections below apply (which is to say, it still wouldn't allow logins).
These cannot be run directly (as no shell is available), but even then, access is denied via pam.
A custom pam stack (“chromeos-auth”) is installed that handles authentication for the “login” and “sudo” services. When developer mode is disabled, this stack will skip itself and continue to the normal system stacks.
For more details on pam, see The Linux-PAM System Administrators' Guide.
The chronos account is not part of the admin groups that would implicitly grant access (e.g. wheel).
The system password database (/etc/shadow) is in the read-only rootfs and cannot be modified. The default images will list accounts with passwords set to “*” (so that password authentication will fail).
The user custom dev mode password is not checked at all (see the pam section above).
When X is launched by the session manager, it is passed the -maxvt flag set to 2. This allows access to the VT2 console. Access is controlled by pam.
The hotkey-access.conf script will enable all sysrq requests.
The crosh script allows access to the “shell” command (among others).
If it is launched by hand, or using a test image that autolaunches it, access is controlled by the sections below.
Access is controlled by pam.
A custom pam stack (“chromeos-auth”) is installed that handles authentication for the “login” and “sudo” services. When developer mode is enabled, this stack will:
Note that this only applies to this particular stack. Other pam stacks may allow/deny independently.
For more details on pam, see The Linux-PAM System Administrators' Guide.
The chronos account is not part of the admin groups that would implicitly grant access (e.g. wheel).
The system password database (/etc/shadow) is in the read-only rootfs and cannot be modified. The default images will list accounts with passwords set to “*” (so that password authentication will fail).
The user may set a custom password at runtime with the chromeos-setdevpasswd script; pam checks that password.
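
The three settings described above (the sysrq policy, the password fields in /etc/shadow, and chronos's membership in wheel) can be read back and checked with a short script. This is an added example, not code from Chromium OS: the function names are hypothetical, the sample tree is constructed, and reading the live /etc/shadow requires root.

```shell
#!/bin/sh
# Added audit sketch, not Chromium OS code. Formats: shadow(5), group(5).

# Accounts whose shadow password field could permit a password login:
# anything other than "*" or a "!"-prefixed (locked) entry. An empty
# field is reported too, since it means no password is required.
shadow_loginable() {
    awk -F: '$1 != "" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Succeed if USER is a supplementary member of GROUP in a group file
# (primary-group membership via /etc/passwd is not checked).
in_group() {  # usage: in_group USER GROUP GROUPFILE
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# Classify a /proc/sys/kernel/sysrq value: 0 disables sysrq, 1 enables
# every request, any other value is a bitmask enabling only some.
sysrq_state() {
    case "$1" in
        0) echo disabled ;;
        1) echo all ;;
        *) echo restricted ;;
    esac
}

# Report on the tree rooted at $1 (empty means the live system).
audit() {
    root="${1:-}"
    echo "sysrq: $(sysrq_state "$(cat "$root/proc/sys/kernel/sysrq")")"
    echo "password login possible for: $(shadow_loginable "$root/etc/shadow" | tr '\n' ' ')"
    in_group chronos wheel "$root/etc/group" && w=yes || w=no
    echo "chronos in wheel: $w"
}

# Constructed sample tree (not real device data) so the script runs anywhere.
make_sample() {
    mkdir -p "$1/etc" "$1/proc/sys/kernel"
    printf 'root:*:::::::\nchronos:*:::::::\n' > "$1/etc/shadow"
    printf 'wheel:x:10:root\nchronos:x:1000:\n' > "$1/etc/group"
    echo 1 > "$1/proc/sys/kernel/sysrq"
}

sample=$(mktemp -d) && make_sample "$sample" && audit "$sample"
```

On a device, calling `audit` with no argument reads the live files; an account appearing in the password-login line means its /etc/shadow entry is no longer the default “*”.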