Question on installation permissions

I built a new nas box to replace my hc2 and immediately found out that despite some posts saying that omv can be moved to new hardware without issue that was not my case.

I cloned my hc2 sdcard to my new ssd and it refused to boot whether bios, efi, csm support etc. I cloned multiple times with multiple programs and none booted. Chalk it up to moving from a 32bit arm to a 64bit x86.

Anyways, I am now down the long path of manually installing everything. I installed buster 64 bit uefi already and did the usual hardening regarding the root account and locking down all avenues of root.

When I attempted to install omv it complained about root account not available (because I disabled it) and to check that the sbin/nologin is configured correctly. I am running all commands with sudo with no issues. The only way omv would install is if I enabled the root account in etc/passwd.

Now that omv is installed I disabled the root account again. Will future omv related commands or upgrades be affected by the root account being completely disabled? I do find it interesting that even with sudo the omv install process required dropping directly into the root account.

Zitat von gderf

I would expect endless problems with this. Can you explain your use case that requires disabling the root user account?

Since this is a more powerful hardware rig compared to the hc2 I have some plans for the box to include being a vpn server in docker. To vpn I would need to expose the rig itself to the outside world unlike the hc2 which was all local except for reaching out for updates. I am running it headless and accessed only through ssh so essentially just locking down debian itself.

Is it possible to add the omv account to the sudo group?

Zitat von gderf

What is this "omv account " you refer to?

You got me. I just thought when I used sudo to run commands it was based off my user account sudo permissions. Then when omv commands were being run that is was using some sort of "omv account" and why it couldn't run elevated privilege commands.

I installed a vanilla debian os. Then I locked down the root accounts after creating an account with sudo permissions. Then I proceeded to install omv onto buster and that's when it complained about the root account not being available.

So would there be any way to install and run omv without the explicit need for root but maybe by sudo permissions given to whatever userid the omv framework uses?

Zitat von gderf

Are there any reasons that you can not sufficiently protect the root account with a very strong password rather than disable it altogether?

My observations: With one strong unique password for root, and another strong unique password for the sudo user the omv install script still managed to drop into root level privilege (actual root account) and run the commands without prompting for the password. The omv install script couldn't have known the root password either so the fact that just having the root account enabled was enough for the script to gain that access seems to imply a security hole. But that's just my opinion.