Manage Users and Permissions in ECI Images

Intel® Edge Controls for Industrial (Intel® ECI or ECI) images (see Build ECI) provide the following users:

User Account	Password	Permissions	Description
root	root	Full read/write permissions to all files.	Administrative user account used for granting permissions to non-root users, monitoring activity, applying system-level configurations, general system maintenance, and so on.
eci-user	eci-user	Limited read permissions to non-system files.	Basic user account intended strictly for executing control applications without access to system-level configurations.

The following table lists the availability of user accounts in the various ECI images:

ECI Target	User Account
	root	eci-user
core-bookworm	Yes	Yes
core-noble	Yes	Yes

If any of the assumptions made in ECI regarding users and privileges do not fit the desired use case, use the standard Linux* user commands to add, delete, and modify users.

Add Superuser Capability

In most Linux distributions, you can add superuser capabilities for a non-root user. Do the following:

1. Using a root account, add the user to the sudo group. The example shows the user eci-user being added to the sudo group:

   $ usermod -aG sudo eci-user
   

2. Using a root account, edit the sudoers file using visudo:

   $ visudo /etc/sudoers
   

3. Add a line to grant superuser capability to all users in the sudo group:

   %sudo ALL=(ALL) ALL
   

4. Save and exit visudo.

5. Logout of all users to re-evaluate the user permissions.

Remove Superuser Capability

In most Linux distributions, you can remove superuser capabilities for a non-root user. Do the following:

1. Using a root account, remove the user from the sudo group. The example shows the user eci-user being removed from the sudo group:

   $ deluser eci-user sudo
   

2. Logout all users to re-evaluate the user permissions.

Change Users and Passwords in ECI Images

This section will explain how to add a new user with a new password and make it available in the ECI image.

1. Setup the Build System, if not done already.

2. Encrypt a password for the user using openssl. Replace password-to-encrypt with your desired password:

   $ openssl passwd "password-to-encrypt"
   

   The output of openssl will be the encrypted password combined with a random two-character hash. For example:

   $ openssl passwd "example"
   ECG22tQM0xo7Q
   

   In this example, the first two characters EC are the random salt added by openssl. If you want to recreate an encrypted password, you can specify the salt used:

   $ openssl passwd -salt "EC" "example"
   ECG22tQM0xo7Q
   

3. Identify the ECI image that you want to modify. Refer to Build ECI Targets for a list of available ECI images. In this section, core-bookworm will be modified. If you are modifying a different image, you will need to modify the example steps accordingly.

4. Locate the distribution configuration for the ECI image. The file will be located at eci-release/targets/layers/meta-tgr/meta-eci-<distro>/conf/distro/eci-<distro>.conf, where <distro> refers to the distribution of the ECI image. For this example, eci-release/targets/layers/meta-tgr/meta-eci-bookworm/conf/distro/eci-bookworm.conf will be modified.

5. Open the distribution configuration for the ECI image for editing. Add or modify a user by copying the following template, where <user-name> is the name of the desired user and <encrypted-password> is the output of the openssl command from previous steps:

   USERS += "<user-name>"
   # 'plain-text password for reference'
   USER_<user-name>[password] = "<encrypted-password>"
   USER_<user-name>[shell] = "/bin/bash"
   USER_<user-name>[flags] = "create-home"
   

   For this example, a user named new-user with password new-password (encrypted as UGfHnwhcFSNuk) was added:

   USERS += "root"
   # 'root'
   USER_root[password] = "oC3wEGl799tZU"
   
   USERS += "eci-user"
   # 'eci-user'
   USER_eci-user[password] = "yM6D73Odtj2kA"
   USER_eci-user[shell] = "/bin/bash"
   USER_eci-user[flags] = "create-home"
   
   USERS += "new-user"
   # 'new-password'
   USER_new-user[password] = "UGfHnwhcFSNuk"
   USER_new-user[shell] = "/bin/bash"
   USER_new-user[flags] = "create-home"
   

6. Save the distribution configuration and refer to Build ECI Targets for instructions on building the ECI image.