ubuntu-phone team mailing list archive

Re: Status update: Planned changes to the developer mode/adb access

 

I have a WIP patch [1] for the CI scripts to enable NOPASSWD sudo for the
phablet user, and I'm trying to pick off all the adb shell calls and ensure
we always sudo to the proper user.  This mostly works for provisioning
right now, even with a mocked up image to include the new adbd. Where I run
into problems at the moment is with the other phablet-tools which have adb
calls. Specifically, phablet-network is the main offender during the
provisioning process.


[1]
https://code.launchpad.net/~pwlars/ubuntu-test-cases/user-adb-support/+merge/225893


On Mon, Jul 7, 2014 at 5:43 AM, Oliver Grawert <ogra@xxxxxxxxxx> wrote:

> hi,
>
> with RTM approaching quickly we are working on the developer mode to
> make it act in a more secure manner. the following changes were
> discussed with the security team and will be implemented soon ... this
> will require a bunch of changes in our external tools that use adb
> access for tests or development (smoke testing, SDK access etc) as well
> as for the general developer:
>
> 1) adb will be disabled by default. you will have to hand over the
> --developer-mode option while flashing to override this behavior (see
> sergio's mail from the 23rd)
>
> 2) adb will not allow root and only let you in as phablet user (you will
> have to use sudo like on any other ubuntu installation when doing
> administrative tasks)
>
> 3) on request of the security team it should not be possible to enable
> adb access if there is no password or the default password set for the
> phablet user so that there is no predictable sudo password that is
> identical on all devices. there are still a few blockers that prevent us
> from finishing this bit (more on that below).
>
> 4) you will be able to switch developer mode on/off in the
> system-settings in a sub page of the "about this device" section [1].
>
> the first bit (1) is already implemented but will need some extension to
> actually set a specific password (i.e. ubuntu-device-flash
> --developer-mode --password="mynewpw")
>
> the implementation of point 2 is also done already but i can not land it
> without having all the third party tools of the QA, SDK and CI teams
> adjusted for this first. this mail is a request to these teams to help
> adjusting and testing for the new mode, i built an adbd package with the
> changes you can pull from [2]. the following runes might help you if
> your tool requires root access:
>
> -- snip --
> ogra@anubis:~$ adb shell 'echo "phablet" | sudo -S restart ssh 2>/dev/null'
> ssh start/running, process 17632
> -- snap --
>
> (note this will indeed only work with the valid password which will once
> point (3) is implemented not be "phablet" anymore. the redirect of
> stderr ("2>/dev/null") is needed if you don't want to see sudo's password
> prompt, the -S option to sudo allows to echo the password in a scripted
> manner to sudo. note that i have found no way to cheat "tee" with that
> so if your script creates "here documents" you might have to do this on
> the host machine and use adb push to copy them over )
>
> please, if you work with any tool that requires adb access, help
> adjusting your bits to work with the new android-tools-adbd package.
>
> to make the phablet user password changeable in our readonly rootfs
> (and /etc/password) world for the above point (3), we will have to use
> libnss-extrausers. for this we are waiting on a fix of bug [3] from the
> foundations team that will enable us to use the default user management
> tools of ubuntu (and indeed ubuntu-device-flash will have to grow a
> --developer-password option or something similar)
>
> after implementing the dbus service to en/disable adb (as i wrote in
> another mail) last week i will work on the UI bits in (4) now, but
> please if you use any third party script that makes use of adb access
> and requires changes, let me know about this (or if you have, even send
> me patches) so that we can have everything together by end of this week.
>
> if you got down here, thanks a lot for your attention and for taking the
> time to read this lengthy mail :)
>
> ciao
>         oli
>
> [1] https://wiki.ubuntu.com/AboutThisDevice#developer-mode
> [2] http://people.canonical.com/~ogra/android-tools-adbd_4.2.2+git20130218-3ubuntu24_armhf.deb
> [3] https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1323732
>
> --
> Mailing list: https://launchpad.net/~ubuntu-phone
> Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-phone
> More help   : https://help.launchpad.net/ListHelp
>
>
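
The scripted `sudo -S` call and the host-side file workaround described in the quoted mail, wrapped as reusable shell functions. This is an added example, not code from the thread or from phablet-tools; the names `ADB`, `sq`, `remote_sudo_cmd`, `adb_sudo` and `adb_put_as_root` are hypothetical, and the staging path under `/home/phablet` is an assumption.

```shell
#!/bin/sh
# Added example; ADB, sq, remote_sudo_cmd, adb_sudo and adb_put_as_root are
# hypothetical names, not part of phablet-tools.
ADB=${ADB:-adb}   # name of the adb executable; override to stub it in tests

# sq STRING: single-quote STRING for the device shell, escaping embedded quotes.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_sudo_cmd PASSWORD CMD [ARG...]: build the command line for `adb shell`.
# The password is fed to `sudo -S` on stdin and sudo's prompt on stderr is
# dropped, as in the mail; every word is quoted so spaces and quotes survive.
remote_sudo_cmd() {
    pw=$1; shift
    words=
    for w in "$@"; do words="$words $(sq "$w")"; done
    printf 'printf "%%s\\n" %s | sudo -S --%s 2>/dev/null' "$(sq "$pw")" "$words"
}

# adb_sudo PASSWORD CMD [ARG...]: run CMD as root on the device.
adb_sudo() {
    "$ADB" shell "$(remote_sudo_cmd "$@")"
}

# adb_put_as_root PASSWORD LOCAL_FILE DEST [MODE]: instead of a here document
# on the device, take a file prepared on the host, `adb push` it to a staging
# path the phablet user can write, then install it into place with sudo.
# Assumption: /home/phablet exists and is writable by the adb login user.
adb_put_as_root() {
    pw=$1 src=$2 dest=$3 mode=${4:-0644}
    stage="/home/phablet/.adb-stage.$$"
    "$ADB" push "$src" "$stage" || return 1
    rc=0
    adb_sudo "$pw" install -m "$mode" "$stage" "$dest" || rc=$?
    "$ADB" shell "rm -f $(sq "$stage")"   # always remove the staged copy
    return "$rc"
}
```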
