BeagleBone® Blue - debug as root

• Problem
• Making user as root
  • make a new root user
  • enable ssh for root user
• Resources

Depending on the app’s functionality and our needs, u may faced with a situation, when u need root permission to do certain things on the PC - open some port for network connection or use memory binding or some other stuff.

During developing an app for Beaglebone® Blue I faced the same issue. In this article, I would like to cover how to configure the root user for the u’r ssh connection needed for remote debugging.

Related articles:

• BeagleBone® Blue - initial config via serial port
• Beaglebone® Blue - environment setup
• BeagleBone® Blue - remote debug
• BeagleBone® Blue - debug remote app with root
• BeagleBone® Blue - duplicate & distribute

Problem

We already have configured an environment for remote debugging BBB with Eclipse, but the app requires an additional level of access to be able to execute some commands.

In my case - I need to open port 80 while deploying a small server for further communication.

This port is in privileged group:

The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing and not a fake that some hacker has put up for you.

There are a few workarounds proposed by the community for this - like next:

• authbind
• trafic redirect

  iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
  

• using the sudo command as a prefix for an app that will be executed
• config CAP_NET_BIND_SERVICE with sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary
• sysctl method :

• sysctl net.ipv4.ip_unprivileged_port_start=80
  sysctl -w net.ipv4.ip_unprivileged_port_start=80 // persistent version
  

  with blocking other ports

iptables -I INPUT -p tcp --dport 444:1024 -j DROP
iptables -I INPUT -p udp --dport 444:1024 -j DROP

The best as for me way to handle this is to use sysctl -w net.ipv4.ip_unprivileged_port_start=80 command, but, we also have other parts of the app, that require root access - in my case, initialization of librobotcontrol functionality related to the motor control require some memory binding, that require root.

ERROR: in rc_pru_shared_mem_ptr could not open /dev/mem: Permission denied
Need to be root to access PRU shared memory
ERROR in rc_servo_init, failed to map shared memory pointer

when call rc_servo_init() from the lib.

So looking workaround for each case is not an option.

Off cause, making something with root access is used only for development, and for prod, we can register some service that can run root routines. In general, this is a bad idea to use root access for the app.

I found this post very interesting - exactly my problem.

And as suggested by danielt, we have 3 ways how to handle this with Eclipse:

The good way to go for me - is option #3: “Configure eclipse to connect as the root user (e.g. set up SSH to make it possible to ssh root@linaro-alip and change the username eclipse uses to connect with).”

So our next task consists of 2 parts:

• make the current user that is used for debugging a root user
• enable ssh for root user (by design is forbidden due to privacy)

Making user as root

Switching users to root is not a problem - there are plenty of ways to do this. Our goal - is to not only allow user to run root commands with sudo without password (using sudoers for example) but eliminate the sudo prefix - because for Eclipse there is no option to add sudo before program executing with gdbserver.

make a new root user

There are a lot of ways to do this, I just modify /etc/passwd by setting group and access level to the user for 0:0 - making the user a root one:

To do so run sudo su and then nano /etc/passwd, modify, Ctrl+X, Y, enter. Note: create one more backup connection to the board via SSH, because if u close the active one with some changes u may lose access to the board.

enable ssh for root user

To enable ssh for root we need to modify sshd_config file:

sudo su
nano /etc/ssh/sshd_config

search for PermitRootLogin, uncomment, and set to yes, but u also want to modify the root user for which u allow this action by adding AllowUsers <username1>, <usernanem2>.

Note - u should add this near PermitRootLogin pref because in another case u can put this line near some Match that will hold value for own purposes. Also, make sure that u uncomment value and not adding a new one.

If u not enabled an SSH account before u may need to set the root password by executing sudo passwd

Restart SSH service:

service ssh restart

Alternative way:

root@debian:~$ grep PermitRootLogin /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
# the setting of "PermitRootLogin without-password".
root@debian:~$
root@debian:~$ man sshd_config | grep -C 1 prohibit-password
     PermitRootLogin
             Specifies whether the root can log in using ssh(1).  The argument must be yes, prohibit-password, forced-commands-only, or no.  The default
             is prohibit-password.

             If this option is set to prohibit-password (or it's deprecated alias, without-password), password and keyboard-interactive authentication
             are disabled for root.
root@debian:~$
root@debian:~$ sudo systemctl restart ssh
root@debian:~$

Now u can connect via SSH to u’r root user and Eclipse is happy because u run all commands as root in debug.

Resources

• Beaglebone® Blue
• Eclipse
• authbind
• sysctl method
• privileged ports
• librobotcontrol
• sudo
• sudoers
• Sudo privilege issue SO
• Remote debug GDB as Root
• kali root