From 32e5dc46b325c5e41774f8f37e2eb1c2c7356057 Mon Sep 17 00:00:00 2001
From: Suvendhu Hansa
Date: Thu, 16 Oct 2025 15:23:34 +0530
Subject: [PATCH] usermngr: Vendor extension for Security Hardening parameters

---
 usermngr/Config.in | 13 +++++
 usermngr/Makefile | 19 ++++++-
 usermngr/files/etc/config/users | 14 ------
 usermngr/files/etc/init.d/users | 49 ++++++++++++-------
 .../etc/uci-defaults/91-disabled-security | 16 ++++++
 .../etc/uci-defaults/91-security-hardening | 21 +++++--
 .../files/etc/uci-defaults/91-unset-ssh-pam | 8 +++
 7 files changed, 98 insertions(+), 42 deletions(-)
 create mode 100644 usermngr/files/etc/uci-defaults/91-disabled-security
 create mode 100644 usermngr/files/etc/uci-defaults/91-unset-ssh-pam

diff --git a/usermngr/Config.in b/usermngr/Config.in
index 4fada3b54..895615dff 100644
--- a/usermngr/Config.in
+++ b/usermngr/Config.in
@@ -5,4 +5,17 @@ config USERMNGR_SECURITY_HARDENING
 default y
 help
 Enable this option to use PAM based faillock, passwdqc, faildelay for security hardening.
+
+config USERMNGR_ENABLE_AUTH_VENDOR_EXT
+ depends on USERMNGR_SECURITY_HARDENING
+ bool "Exposes vendor datamodel extensions for AuthenticationPolicy"
+ default y
+ help
+ Enable this option to expose TR181 vendor extensions for AuthenticationPolicy.
+
+config USERMNGR_VENDOR_PREFIX
+ depends on USERMNGR_ENABLE_AUTH_VENDOR_EXT
+ string "Package specific datamodel Vendor Prefix for TR181 extensions"
+ default ""
+
 endif
diff --git a/usermngr/Makefile b/usermngr/Makefile
index ed337f233..31afbf249 100644
--- a/usermngr/Makefile
+++ b/usermngr/Makefile
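Review bot: USERMNGR_VENDOR_PREFIX is the only option in this hunk without a help entry, so menuconfig gives no hint of what the string is used for or that the Makefile falls back to CONFIG_BBF_VENDOR_PREFIX when the option is left at its default of `""`. A help block along the lines of `help` / `Vendor prefix for the AuthenticationPolicy TR181 extensions; leave empty to reuse the global CONFIG_BBF_VENDOR_PREFIX.` would document that. Because the option only appears when USERMNGR_ENABLE_AUTH_VENDOR_EXT is set, stating the fallback explicitly helps operators avoid configuring two different prefixes by accident.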
@@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=usermngr
-PKG_VERSION:=1.4.3
+PKG_VERSION:=1.4.4
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/usermngr.git
-PKG_SOURCE_VERSION:=ca6a6d03dd7c7e3b6ff0b2810ef63762d93c2bd1
+PKG_SOURCE_VERSION:=6e1a8d6ef9691f616a6f0d629f3db4ae359e0dcf
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -57,6 +57,18 @@ ifeq ($(CONFIG_USERMNGR_SECURITY_HARDENING),y)
 MAKE_FLAGS += USERMNGR_SECURITY_HARDENING=y
 endif
+ifeq ($(CONFIG_USERMNGR_ENABLE_AUTH_VENDOR_EXT),y)
+MAKE_FLAGS += USERMNGR_ENABLE_AUTH_VENDOR_EXT=y
+endif
+
+ifeq ($(CONFIG_USERMNGR_VENDOR_PREFIX),"")
+VENDOR_PREFIX = $(CONFIG_BBF_VENDOR_PREFIX)
+else
+VENDOR_PREFIX = $(CONFIG_USERMNGR_VENDOR_PREFIX)
+endif
+
+TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(VENDOR_PREFIX)\\\"
+
 define Package/usermngr/install
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_DIR) $(1)/etc/config
@@ -68,6 +80,9 @@ define Package/usermngr/install
 ifeq ($(CONFIG_USERMNGR_SECURITY_HARDENING),y)
 $(INSTALL_BIN) ./files/etc/uci-defaults/91-security-hardening $(1)/etc/uci-defaults/
 $(INSTALL_BIN) ./files/etc/uci-defaults/91-set-ssh-pam $(1)/etc/uci-defaults/
+else
+ $(INSTALL_BIN) ./files/etc/uci-defaults/91-disabled-security $(1)/etc/uci-defaults/
+ $(INSTALL_BIN) ./files/etc/uci-defaults/91-unset-ssh-pam $(1)/etc/uci-defaults/
 endif
 $(INSTALL_BIN) ./files/etc/init.d/users $(1)/etc/init.d/users
 $(INSTALL_BIN) ./files/etc/config/users $(1)/etc/config/users
diff --git a/usermngr/files/etc/config/users b/usermngr/files/etc/config/users
index dc92cc3ca..591716e6c 100644
--- a/usermngr/files/etc/config/users
+++ b/usermngr/files/etc/config/users
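Review bot: The `ifeq ($(CONFIG_USERMNGR_VENDOR_PREFIX),"")` block in the second hunk compares and copies the raw Kconfig value, and in OpenWrt a string symbol read from .config normally keeps its surrounding double quotes, so unless something upstream strips them `-DBBF_VENDOR_PREFIX=\\\"$(VENDOR_PREFIX)\\\"` ends up with doubled quotes inside the macro, and when the symbol is absent from .config altogether (it then expands to nothing, not to `""`) the comparison fails and the CONFIG_BBF_VENDOR_PREFIX fallback is skipped. The `qstrip` helper that the included rules.mk provides covers both cases: `ifeq ($(call qstrip,$(CONFIG_USERMNGR_VENDOR_PREFIX)),)`, then `VENDOR_PREFIX := $(call qstrip,$(CONFIG_BBF_VENDOR_PREFIX))` in the true branch and `VENDOR_PREFIX := $(call qstrip,$(CONFIG_USERMNGR_VENDOR_PREFIX))` in the else branch. Using `:=` instead of `=` also fixes the value at the point of assignment rather than re-expanding it on every use. The define is appended to TARGET_CFLAGS regardless of CONFIG_USERMNGR_ENABLE_AUTH_VENDOR_EXT; if the prefix only matters with the extension, placing it inside that ifeq makes the dependency visible.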
@@ -1,17 +1,3 @@
-config security_policy 'security_policy'
- option enabled '1'
- option fail_delay '3'
- option faillock_attempts '6'
- option faillock_lockout_time '300'
-
-config passwdqc 'passwdqc'
- option enabled '1'
- option min 'disabled,disabled,disabled,8,8'
- option max '20'
- option passphrase '0'
- option retry '3'
- option enforce 'everyone'
-
 config users 'users'
 option enabled '1'
 option loglevel '3'
diff --git a/usermngr/files/etc/init.d/users b/usermngr/files/etc/init.d/users
index 4a9bafd04..35e0da542 100755
--- a/usermngr/files/etc/init.d/users
+++ b/usermngr/files/etc/init.d/users
@@ -51,17 +51,31 @@ update_auth() {
 tmp_file="/tmp/common-auth"
 pam_file="/etc/pam.d/common-auth"
+ local auth_enabled="${1}"
+ local enabled="${2}"
+
+ local faildelay="$(uci -q get users.authentication_policy.fail_delay)"
+ local faillock_lockout_time="$(uci -q get users.authentication_policy.faillock_lockout_time)"
+ local faillock_attempts="$(uci -q get users.authentication_policy.faillock_attempts)"
+
+ [ -n "$faildelay" ] || faildelay=3
+ [ -n "$faillock_attempts" ] || faillock_attempts=6
+ [ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
+
+ # Convert seconds to microseconds for pam_faildelay
+ local faildelay_usec=$((faildelay * 1000000))
+
 rm -f "$tmp_file"
 touch "$tmp_file"
- if [ "$enabled" != "0" ]; then
+ if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 write_line "$tmp_file" "auth optional pam_faildelay.so delay=$faildelay_usec"
 write_line "$tmp_file" "auth required pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
 fi
 write_line "$tmp_file" "auth sufficient pam_unix.so nullok_secure"
- if [ "$enabled" != "0" ]; then
+ if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 write_line "$tmp_file" "auth [default=die] pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
 write_line "$tmp_file" ""
 fi
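Review bot: The new gate `if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then` fails open on any non-integer value: the numeric test aborts with an error and evaluates false, so an option that exists but is empty (`uci -q get` then prints nothing, which the `|| echo 0` in handle_security_policy does not catch) or a boolean spelled `true`/`on` silently drops the pam_faildelay and pam_faillock lines, whereas the replaced `[ "$enabled" != "0" ]` kept the lockout for anything but an explicit 0. The same test is repeated in update_password (@@ -112) and update_account (@@ -132). If an integer test is wanted, normalise the inputs once in handle_security_policy, e.g. `auth_enabled="${auth_enabled:-0}"` plus a `case` mapping the accepted spellings to 0/1; otherwise keeping the string form `[ "${auth_enabled}" != "0" ] && [ "${enabled}" != "0" ]` lets a malformed value err on the side of the stricter policy. update_auth continues past the end of the hunk.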
@@ -103,7 +117,8 @@ update_password() {
 local tmp_file pam_file enabled line
 tmp_file="/tmp/common-password"
 pam_file="/etc/pam.d/common-password"
- enabled=1
+
+ local auth_enabled="${1}"
 rm -f "$tmp_file"
 touch "$tmp_file"
@@ -112,7 +127,7 @@ update_password() {
 if uci -q get users.passwdqc >/dev/null 2>&1; then
 # if enabled is not present it is assumed to be 0
 enabled=$(uci -q get users.passwdqc.enabled || echo "0")
- if [ "$enabled" != "0" ]; then
+ if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 line="$(build_pam_passwdqc_line)"
 write_line "$tmp_file" "$line"
 fi
@@ -132,10 +147,13 @@ update_account() {
 tmp_file="/tmp/common-account"
 pam_file="/etc/pam.d/common-account"
+ local auth_enabled="${1}"
+ local enabled="${2}"
+
 rm -f "$tmp_file"
 touch "$tmp_file"
- if [ "$enabled" != "0" ]; then
+ if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 write_line "$tmp_file" "account required pam_faillock.so"
 fi
@@ -148,28 +166,20 @@ update_account() {
 }
 handle_security_policy() {
- local enabled faildelay faillock_lockout_time faillock_attempts faildelay_usec
+ local auth_enabled enabled
 # Read UCI values
- enabled="$(uci -q get users.security_policy.enabled)"
- faildelay="$(uci -q get users.security_policy.fail_delay)"
- faillock_lockout_time="$(uci -q get users.security_policy.faillock_lockout_time)"
- faillock_attempts="$(uci -q get users.security_policy.faillock_attempts)"
+ auth_enabled="$(uci -q get users.users.auth_policy_enable || echo 0)"
+ enabled="$(uci -q get users.authentication_policy.enabled || echo 0)"
 # if any .so files are missing, then we cannot setup security
 if ! check_required_modules; then
 return
 fi
- [ -n "$faildelay" ] || faildelay=3
- [ -n "$faillock_attempts" ] || faillock_attempts=6
- [ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
- # Convert seconds to microseconds for pam_faildelay
- faildelay_usec=$((faildelay * 1000000))
-
- update_auth
- update_account
- update_password
+ update_auth "${auth_enabled}" "${enabled}"
+ update_account "${auth_enabled}" "${enabled}"
+ update_password "${auth_enabled}"
 }
 start_service() {
@@ -196,6 +206,7 @@ reload_service() {
 stop
 start
 else
+ handle_security_policy
 ubus send usermngr.reload
 fi
diff --git a/usermngr/files/etc/uci-defaults/91-disabled-security b/usermngr/files/etc/uci-defaults/91-disabled-security
new file mode 100644
index 000000000..3a9821e2c
--- /dev/null
+++ b/usermngr/files/etc/uci-defaults/91-disabled-security
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Remove auth_policy_enable from global
+if uci -q get users.users; then
+ uci -q set users.users.auth_policy_enable=''
+else
+ uci -q set users.users='users'
+fi
+
+# Remove authentication_policy section
+uci -q del users.authentication_policy
+
+# Remove passwdqc section
+uci -q del users.passwdqc
+
+exit 0
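Review bot: In 91-disabled-security the comment `# Remove auth_policy_enable from global` is implemented as `uci -q set users.users.auth_policy_enable=''`, which, unless uci turns an empty set into a delete, leaves the option present with an empty value; handle_security_policy in the init script then reads that empty string instead of hitting its `|| echo 0` fallback, and the downstream `-eq 1` tests error out rather than seeing a clean 0. `uci -q del users.users.auth_policy_enable` expresses the stated intent directly and is a no-op when the option is already absent. Dropping the whole `authentication_policy` and `passwdqc` sections also discards any operator-tuned values that a later build with hardening re-enabled would recreate from defaults; if that is intended, the header comment could say so.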
diff --git a/usermngr/files/etc/uci-defaults/91-security-hardening b/usermngr/files/etc/uci-defaults/91-security-hardening
index cd19f09d0..a96e3efe1 100644
--- a/usermngr/files/etc/uci-defaults/91-security-hardening
+++ b/usermngr/files/etc/uci-defaults/91-security-hardening
@@ -1,12 +1,19 @@
 #!/bin/sh
-# Create default security_policy section if missing
-if ! uci -q get users.security_policy; then
- uci -q set users.security_policy='security_policy'
- uci -q set users.security_policy.enabled='1'
- uci -q set users.security_policy.fail_delay='3'
- uci -q set users.security_policy.faillock_attempts='6'
- uci -q set users.security_policy.faillock_lockout_time='300'
+# Create global section
+if ! uci -q get users.users; then
+ uci -q set users.users='users'
+fi
+
+uci -q set users.users.auth_policy_enable='1'
+
+# Create default authentication_policy section if missing
+if ! uci -q get users.authentication_policy; then
+ uci -q set users.authentication_policy='authentication_policy'
+ uci -q set users.authentication_policy.enabled='1'
+ uci -q set users.authentication_policy.fail_delay='3'
+ uci -q set users.authentication_policy.faillock_attempts='6'
+ uci -q set users.authentication_policy.faillock_lockout_time='300'
 fi
 # Create default passwdqc section if missing
diff --git a/usermngr/files/etc/uci-defaults/91-unset-ssh-pam b/usermngr/files/etc/uci-defaults/91-unset-ssh-pam
new file mode 100644
index 000000000..072ec857b
--- /dev/null
+++ b/usermngr/files/etc/uci-defaults/91-unset-ssh-pam
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -f /etc/config/sshd ]; then
+ uci -q set sshd.@sshd[0].UsePAM=0
+fi
+
+exit 0
+
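Review bot: `uci -q set users.users.auth_policy_enable='1'` runs unconditionally, unlike the `authentication_policy` section in the same script (and the passwdqc section below it) which are only created when missing, so each time the uci-defaults are applied again, e.g. after a sysupgrade that keeps /etc/config/users, an operator who deliberately set `auth_policy_enable='0'` is switched back to 1 without notice. If re-enabling on every run is the intended policy, a comment saying so above the line would make that explicit; otherwise guarding it like the sections, `[ -n "$(uci -q get users.users.auth_policy_enable)" ] || uci -q set users.users.auth_policy_enable='1'`, keeps the secure default for fresh installs while preserving an explicit operator choice.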