fix(coreos-base/coreos-base): Update users and groups.
Remove the following unused users/groups:
- core-access
- polkituser
- pkcs11
- ipsec
- tor
- tcpdump
- debugd
- openvpn
- input

Add groups:
- docker (new group, for things like access to docker socket)
- systemd-journal (exists in sdk, not images. for journal log access)
- dialout (exists in sdk, required by default udev rules)

The core user has access to docker and systemd-journal.
This commit is contained in:
parent
37a7bb4932
commit
a19498b725
@ -159,8 +159,8 @@ pkg_postinst() {
|
||||
# Add a chronos-access group to provide non-chronos users,
|
||||
# mostly system daemons running as a non-chronos user, group permissions
|
||||
# to access files/directories owned by chronos.
|
||||
local system_access_user="core-access"
|
||||
local system_access_id="1001"
|
||||
# local system_access_user="core-access"
|
||||
# local system_access_id="1001"
|
||||
|
||||
local crypted_password='*'
|
||||
[ -r "${SHARED_USER_PASSWD_FILE}" ] &&
|
||||
@ -172,28 +172,28 @@ pkg_postinst() {
|
||||
add_shadow "${system_user}" "${crypted_password}"
|
||||
|
||||
copy_or_add_group "${system_user}" "${system_id}"
|
||||
copy_or_add_daemon_user "${system_access_user}" "${system_access_id}"
|
||||
# copy_or_add_daemon_user "${system_access_user}" "${system_access_id}"
|
||||
copy_or_add_daemon_user "messagebus" 201 # For dbus
|
||||
copy_or_add_daemon_user "syslog" 202 # For rsyslog
|
||||
copy_or_add_daemon_user "ntp" 203
|
||||
copy_or_add_daemon_user "sshd" 204
|
||||
copy_or_add_daemon_user "polkituser" 206 # For policykit
|
||||
# copy_or_add_daemon_user "polkituser" 206 # For policykit
|
||||
# copy_or_add_daemon_user "tss" 207 # For trousers (TSS/TPM)
|
||||
copy_or_add_daemon_user "pkcs11" 208 # For pkcs11 clients
|
||||
# copy_or_add_daemon_user "pkcs11" 208 # For pkcs11 clients
|
||||
# copy_or_add_daemon_user "qdlservice" 209 # for QDLService
|
||||
# copy_or_add_daemon_user "cromo" 210 # For cromo (modem manager)
|
||||
# copy_or_add_daemon_user "cashew" 211 # Deprecated, do not reuse
|
||||
copy_or_add_daemon_user "ipsec" 212 # For strongswan/ipsec VPN
|
||||
# copy_or_add_daemon_user "ipsec" 212 # For strongswan/ipsec VPN
|
||||
# copy_or_add_daemon_user "cros-disks" 213 # For cros-disks
|
||||
copy_or_add_daemon_user "tor" 214 # For tor (anonymity service)
|
||||
copy_or_add_daemon_user "tcpdump" 215 # For tcpdump --with-user
|
||||
copy_or_add_daemon_user "debugd" 216 # For debugd
|
||||
copy_or_add_daemon_user "openvpn" 217 # For openvpn
|
||||
# copy_or_add_daemon_user "tor" 214 # For tor (anonymity service)
|
||||
# copy_or_add_daemon_user "tcpdump" 215 # For tcpdump --with-user
|
||||
# copy_or_add_daemon_user "debugd" 216 # For debugd
|
||||
# copy_or_add_daemon_user "openvpn" 217 # For openvpn
|
||||
# copy_or_add_daemon_user "bluetooth" 218 # For bluez
|
||||
# copy_or_add_daemon_user "wpa" 219 # For wpa_supplicant
|
||||
# copy_or_add_daemon_user "cras" 220 # For cras (audio)
|
||||
# copy_or_add_daemon_user "gavd" 221 # For gavd (audio) (deprecated)
|
||||
copy_or_add_daemon_user "input" 222 # For /dev/input/event access
|
||||
# copy_or_add_daemon_user "input" 222 # For /dev/input/event access
|
||||
# copy_or_add_daemon_user "chaps" 223 # For chaps (pkcs11)
|
||||
copy_or_add_daemon_user "dhcp" 224 # For dhcpcd (DHCP client)
|
||||
# copy_or_add_daemon_user "tpmd" 225 # For tpmd
|
||||
@ -204,27 +204,17 @@ pkg_postinst() {
|
||||
# copy_or_add_daemon_user "devbroker" 230 # For permission_broker
|
||||
# copy_or_add_daemon_user "xorg" 231 # For Xorg
|
||||
copy_or_add_daemon_user "etcd" 232 # For etcd
|
||||
# Reserve some UIDs/GIDs between 300 and 349 for sandboxing FUSE-based
|
||||
# filesystem daemons.
|
||||
copy_or_add_daemon_user "docker" 233 # For docker
|
||||
copy_or_add_group "systemd-journal" 248 # For journalctl access
|
||||
copy_or_add_group "dialout" 249 # For udev rules
|
||||
# copy_or_add_daemon_user "ntfs-3g" 300 # For ntfs-3g prcoess
|
||||
# copy_or_add_daemon_user "avfs" 301 # For avfs process
|
||||
# copy_or_add_daemon_user "fuse-exfat" 302 # For exfat-fuse prcoess
|
||||
# copy_or_add_group "serial" 402
|
||||
|
||||
# Users which require access to PKCS #11 cryptographic services must be
|
||||
# in the pkcs11 group.
|
||||
remove_all_users_from_group pkcs11
|
||||
add_users_to_group pkcs11 root ipsec "${system_user}"
|
||||
|
||||
# All users accessing opencryptoki database files and all users for
|
||||
# sandboxing FUSE-based filesystem daemons need to be in the
|
||||
# ${system_access_user} group.
|
||||
remove_all_users_from_group "${system_access_user}"
|
||||
add_users_to_group "${system_access_user}" root ipsec "${system_user}" \
|
||||
|
||||
# Dedicated group for owning access to serial devices.
|
||||
copy_or_add_group "serial" 402
|
||||
add_users_to_group "serial" "${system_user}"
|
||||
add_users_to_group "serial" "uucp"
|
||||
# Give the core user access to some system tools
|
||||
add_users_to_group "docker" "${system_user}"
|
||||
add_users_to_group "systemd-journal" "${system_user}"
|
||||
|
||||
# Some default directories. These are created here rather than at
|
||||
# install because some of them may already exist and have mounts.
|
||||
|
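Review bot: The new docker entry, `copy_or_add_daemon_user "docker" 233 # For docker`, is created with the daemon-user helper, while the two other groups the description says it adds (systemd-journal, dialout) go through `copy_or_add_group`; if a group is all that is wanted, the daemon-user helper presumably also provisions a login-less docker account, so `copy_or_add_group "docker" 233 # For docker socket access` would match the stated intent — worth confirming against the helper's definition, which is outside this hunk. Membership in the docker group grants control of the daemon socket, which is effectively root-equivalent, so the line `add_users_to_group "docker" "${system_user}"` deserves a comment saying so, e.g. `# docker group membership is root-equivalent via the daemon socket` placed above it. The hunk also comments out `copy_or_add_group "serial" 402` and drops both `add_users_to_group "serial"` lines, a removal the description's list of removed groups does not mention. pkg_postinst continues outside the hunk.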