Changes for new pre-defined usergroup hostconsole

The new pre-defined usergroup named "hostconsole" is added to
differentiate access between host console and manager console.
The only users allowed to interact with host console are part of the
"hostconsole" group.

This is a fixed is the github issue:
openbmc/phosphor-user-manager#15

In commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835 ssh was
mapped to both ManagerConsole and HostConsole. The split is discussed
in the commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835?tab=comments

Note: The changes are spread across multiple repositories listed under
"Related commits:"

The openbmc changes are as follows:
- Removed a dependency on dropbear.default file. Added a new environment
  file dropbear.env for obmc-console. If we want to add port specific
  configuration then we can add dropbear.%i.env file.
- The DROPBEAR_EXTRA_ARGS variable updated to include "-G hostconsole"
  flag.
- New update script added to add new hostconsole group and also add all
  users part of the priv-admin group to this new group.
- Similarly changes are made to add new group during install time and
  add root user in this group.

Tested:
  Loaded on system and qemu eumulator. Made sure that the only user
  can ssh to host console are member of hostconsole group.

Related commits:
  docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968
  phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583
  openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582
  obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581
  bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580

Change-Id: Icced48da188fb76828bf4ff5c705d6f1300ae3e7
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>

meta-phosphor/recipes-phosphor/console/obmc-console/dropbear.env

@@ -0,0 +1,2 @@
+DROPBEAR_EXTRA_ARGS=" -B -G hostconsole"
+DROPBEAR_RSAKEY_DIR=/etc/dropbear

meta-phosphor/recipes-phosphor/console/obmc-console_git.bb

@@ -17,6 +17,7 @@ PR = "r1"
 
 SRC_URI = "git://github.com/openbmc/obmc-console;branch=master;protocol=https"
 SRC_URI += "file://${BPN}.conf"
+SRC_URI += "file://dropbear.env"
 
 S = "${WORKDIR}/git"
 SYSTEMD_SERVICE:${PN} += "obmc-console-ssh@.service \
@@ -31,6 +32,9 @@ inherit systemd
 do_install:append() {
         # Install the server configuration
         install -m 0755 -d ${D}${sysconfdir}/${BPN}
+
+        install -m 0644 ${WORKDIR}/dropbear.env ${D}${sysconfdir}/${BPN}/
+
         # If the OBMC_CONSOLE_TTYS variable is used without the default OBMC_CONSOLE_HOST_TTY
         # the port specific config file should be provided. If it is just OBMC_CONSOLE_HOST_TTY,
         # use the old style which supports both port specific or obmc-console.conf method.

meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb

@@ -48,5 +48,5 @@ USERADD_PACKAGES = "${PN}"
 # add a user called httpd for the server to assume
 USERADD_PARAM:${PN} = "-r -s /sbin/nologin bmcweb"
 
-GROUPADD_PARAM:${PN} = "web; redfish"
+GROUPADD_PARAM:${PN} = "web; redfish; hostconsole"
 FULL_OPTIMIZATION:append = " -Os"

meta-phosphor/recipes-phosphor/users/phosphor-user-manager/upgrade_hostconsole_group.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+# Purpose: Upgrade pre-release BMCs with items needed for hostconsole group
+# This can be removed when there is no longer a direct upgrade path for BMCs
+# which were installed with pre-release images.
+
+# Create groups if not already present
+if grep -wq hostconsole /etc/group; then
+    echo "hostconsole group already exists"
+else
+    echo "hostconsole group does not exist, add it"
+    groupadd -f hostconsole
+fi
+
+# Add the root user to the groups
+if id -nG root | grep -wq hostconsole; then
+    echo "root already in hostconsole"
+else
+    echo "root not in group hostconsole, add it"
+    usermod -a -G hostconsole root
+fi
+
+# Add all users in the priv-admin group to the
+# hostconsole group so that it will not break
+# exiting setup for any user.
+for usr in $(grep '^'priv-admin':.*$' /etc/group | cut -d: -f4 | tr ',' ' ')
+do
+    # Add the usr to the hostconsole group
+    if id -nG "$usr" | grep -wq hostconsole; then
+        echo "$usr already in hostconsole"
+    else
+        echo "$usr not in group hostconsole, add it"
+        usermod -a -G hostconsole "$usr"
+    fi
+done

meta-phosphor/recipes-phosphor/users/phosphor-user-manager/xyz.openbmc_project.User.Manager.service

@@ -2,6 +2,7 @@
 Description=Phosphor User Manager
 
 [Service]
+ExecStartPre=-/usr/libexec/upgrade_hostconsole_group.sh
 ExecStart=/usr/bin/env phosphor-user-manager
 SyslogIdentifier=phosphor-user-manager
 Restart=always

meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb

@@ -14,6 +14,7 @@ PV = "1.0+git${SRCPV}"
 PR = "r1"
 
 SRC_URI = "git://github.com/openbmc/phosphor-user-manager;branch=master;protocol=https"
+SRC_URI += "file://upgrade_hostconsole_group.sh"
 
 S = "${WORKDIR}/git"
 
@@ -23,6 +24,11 @@ inherit useradd
 
 EXTRA_OEMESON = "-Dtests=disabled"
 
+do_install:append() {
+  install -d ${D}${libexecdir}
+  install -m 0755 ${WORKDIR}/upgrade_hostconsole_group.sh ${D}${libexecdir}/upgrade_hostconsole_group.sh
+}
+
 FILES:phosphor-ldap += " \
         ${bindir}/phosphor-ldap-conf \
 "
@@ -43,3 +49,11 @@ DBUS_SERVICE:${PN} += "xyz.openbmc_project.User.Manager.service"
 DBUS_SERVICE:phosphor-ldap = " \
         xyz.openbmc_project.Ldap.Config.service \
 "
+
+EXTRA_USERS_PARAMS += " \
+   groupadd hostconsole; \
+   "
+
+EXTRA_USERS_PARAMS += " \
+  usermod --append --groups hostconsole root; \
+  "