fix(coreos-base/coreos-base): Update users and groups.
Remove the following unused users/groups: core-access, polkituser, pkcs11, ipsec, tor, tcpdump, debugd, openvpn, input. Add groups: docker (new group, for things like access to the docker socket), systemd-journal (exists in the SDK but not in images; for journal log access), dialout (exists in the SDK; required by the default udev rules). The core user is added to the docker and systemd-journal groups.
This commit is contained in:
parent
37a7bb4932
commit
a19498b725
@ -159,8 +159,8 @@ pkg_postinst() {
|
|||||||
# Add a chronos-access group to provide non-chronos users,
|
# Add a chronos-access group to provide non-chronos users,
|
||||||
# mostly system daemons running as a non-chronos user, group permissions
|
# mostly system daemons running as a non-chronos user, group permissions
|
||||||
# to access files/directories owned by chronos.
|
# to access files/directories owned by chronos.
|
||||||
local system_access_user="core-access"
|
# local system_access_user="core-access"
|
||||||
local system_access_id="1001"
|
# local system_access_id="1001"
|
||||||
|
|
||||||
local crypted_password='*'
|
local crypted_password='*'
|
||||||
[ -r "${SHARED_USER_PASSWD_FILE}" ] &&
|
[ -r "${SHARED_USER_PASSWD_FILE}" ] &&
|
||||||
@ -172,28 +172,28 @@ pkg_postinst() {
|
|||||||
add_shadow "${system_user}" "${crypted_password}"
|
add_shadow "${system_user}" "${crypted_password}"
|
||||||
|
|
||||||
copy_or_add_group "${system_user}" "${system_id}"
|
copy_or_add_group "${system_user}" "${system_id}"
|
||||||
copy_or_add_daemon_user "${system_access_user}" "${system_access_id}"
|
# copy_or_add_daemon_user "${system_access_user}" "${system_access_id}"
|
||||||
copy_or_add_daemon_user "messagebus" 201 # For dbus
|
copy_or_add_daemon_user "messagebus" 201 # For dbus
|
||||||
copy_or_add_daemon_user "syslog" 202 # For rsyslog
|
copy_or_add_daemon_user "syslog" 202 # For rsyslog
|
||||||
copy_or_add_daemon_user "ntp" 203
|
copy_or_add_daemon_user "ntp" 203
|
||||||
copy_or_add_daemon_user "sshd" 204
|
copy_or_add_daemon_user "sshd" 204
|
||||||
copy_or_add_daemon_user "polkituser" 206 # For policykit
|
# copy_or_add_daemon_user "polkituser" 206 # For policykit
|
||||||
# copy_or_add_daemon_user "tss" 207 # For trousers (TSS/TPM)
|
# copy_or_add_daemon_user "tss" 207 # For trousers (TSS/TPM)
|
||||||
copy_or_add_daemon_user "pkcs11" 208 # For pkcs11 clients
|
# copy_or_add_daemon_user "pkcs11" 208 # For pkcs11 clients
|
||||||
# copy_or_add_daemon_user "qdlservice" 209 # for QDLService
|
# copy_or_add_daemon_user "qdlservice" 209 # for QDLService
|
||||||
# copy_or_add_daemon_user "cromo" 210 # For cromo (modem manager)
|
# copy_or_add_daemon_user "cromo" 210 # For cromo (modem manager)
|
||||||
# copy_or_add_daemon_user "cashew" 211 # Deprecated, do not reuse
|
# copy_or_add_daemon_user "cashew" 211 # Deprecated, do not reuse
|
||||||
copy_or_add_daemon_user "ipsec" 212 # For strongswan/ipsec VPN
|
# copy_or_add_daemon_user "ipsec" 212 # For strongswan/ipsec VPN
|
||||||
# copy_or_add_daemon_user "cros-disks" 213 # For cros-disks
|
# copy_or_add_daemon_user "cros-disks" 213 # For cros-disks
|
||||||
copy_or_add_daemon_user "tor" 214 # For tor (anonymity service)
|
# copy_or_add_daemon_user "tor" 214 # For tor (anonymity service)
|
||||||
copy_or_add_daemon_user "tcpdump" 215 # For tcpdump --with-user
|
# copy_or_add_daemon_user "tcpdump" 215 # For tcpdump --with-user
|
||||||
copy_or_add_daemon_user "debugd" 216 # For debugd
|
# copy_or_add_daemon_user "debugd" 216 # For debugd
|
||||||
copy_or_add_daemon_user "openvpn" 217 # For openvpn
|
# copy_or_add_daemon_user "openvpn" 217 # For openvpn
|
||||||
# copy_or_add_daemon_user "bluetooth" 218 # For bluez
|
# copy_or_add_daemon_user "bluetooth" 218 # For bluez
|
||||||
# copy_or_add_daemon_user "wpa" 219 # For wpa_supplicant
|
# copy_or_add_daemon_user "wpa" 219 # For wpa_supplicant
|
||||||
# copy_or_add_daemon_user "cras" 220 # For cras (audio)
|
# copy_or_add_daemon_user "cras" 220 # For cras (audio)
|
||||||
# copy_or_add_daemon_user "gavd" 221 # For gavd (audio) (deprecated)
|
# copy_or_add_daemon_user "gavd" 221 # For gavd (audio) (deprecated)
|
||||||
copy_or_add_daemon_user "input" 222 # For /dev/input/event access
|
# copy_or_add_daemon_user "input" 222 # For /dev/input/event access
|
||||||
# copy_or_add_daemon_user "chaps" 223 # For chaps (pkcs11)
|
# copy_or_add_daemon_user "chaps" 223 # For chaps (pkcs11)
|
||||||
copy_or_add_daemon_user "dhcp" 224 # For dhcpcd (DHCP client)
|
copy_or_add_daemon_user "dhcp" 224 # For dhcpcd (DHCP client)
|
||||||
# copy_or_add_daemon_user "tpmd" 225 # For tpmd
|
# copy_or_add_daemon_user "tpmd" 225 # For tpmd
|
||||||
@ -204,27 +204,17 @@ pkg_postinst() {
|
|||||||
# copy_or_add_daemon_user "devbroker" 230 # For permission_broker
|
# copy_or_add_daemon_user "devbroker" 230 # For permission_broker
|
||||||
# copy_or_add_daemon_user "xorg" 231 # For Xorg
|
# copy_or_add_daemon_user "xorg" 231 # For Xorg
|
||||||
copy_or_add_daemon_user "etcd" 232 # For etcd
|
copy_or_add_daemon_user "etcd" 232 # For etcd
|
||||||
# Reserve some UIDs/GIDs between 300 and 349 for sandboxing FUSE-based
|
copy_or_add_daemon_user "docker" 233 # For docker
|
||||||
# filesystem daemons.
|
copy_or_add_group "systemd-journal" 248 # For journalctl access
|
||||||
|
copy_or_add_group "dialout" 249 # For udev rules
|
||||||
# copy_or_add_daemon_user "ntfs-3g" 300 # For ntfs-3g prcoess
|
# copy_or_add_daemon_user "ntfs-3g" 300 # For ntfs-3g prcoess
|
||||||
# copy_or_add_daemon_user "avfs" 301 # For avfs process
|
# copy_or_add_daemon_user "avfs" 301 # For avfs process
|
||||||
# copy_or_add_daemon_user "fuse-exfat" 302 # For exfat-fuse prcoess
|
# copy_or_add_daemon_user "fuse-exfat" 302 # For exfat-fuse prcoess
|
||||||
|
# copy_or_add_group "serial" 402
|
||||||
|
|
||||||
# Users which require access to PKCS #11 cryptographic services must be
|
# Give the core user access to some system tools
|
||||||
# in the pkcs11 group.
|
add_users_to_group "docker" "${system_user}"
|
||||||
remove_all_users_from_group pkcs11
|
add_users_to_group "systemd-journal" "${system_user}"
|
||||||
add_users_to_group pkcs11 root ipsec "${system_user}"
|
|
||||||
|
|
||||||
# All users accessing opencryptoki database files and all users for
|
|
||||||
# sandboxing FUSE-based filesystem daemons need to be in the
|
|
||||||
# ${system_access_user} group.
|
|
||||||
remove_all_users_from_group "${system_access_user}"
|
|
||||||
add_users_to_group "${system_access_user}" root ipsec "${system_user}" \
|
|
||||||
|
|
||||||
# Dedicated group for owning access to serial devices.
|
|
||||||
copy_or_add_group "serial" 402
|
|
||||||
add_users_to_group "serial" "${system_user}"
|
|
||||||
add_users_to_group "serial" "uucp"
|
|
||||||
|
|
||||||
# Some default directories. These are created here rather than at
|
# Some default directories. These are created here rather than at
|
||||||
# install because some of them may already exist and have mounts.
|
# install because some of them may already exist and have mounts.
|
||||||
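Review bot: `add_users_to_group "docker" "${system_user}"` gives the default login user control of the docker socket, and whoever controls that socket can run a privileged container with the host filesystem mounted, so the membership is effectively root on the host; the only explanation on the new side is "Give the core user access to some system tools", which undersells it. That may well be the intended trade-off for the core user, but it should be stated where the membership is granted so the next edit does not treat `docker` like `systemd-journal`; I would replace that comment with `# NOTE: members of "docker" control the docker socket, which is root-equivalent on the host; granting it to the core user is deliberate.` The removed block also ran `remove_all_users_from_group` before re-adding members, while the new groups are only ever added to; I cannot tell from this hunk whether `copy_or_add_group` carries over memberships from an existing system, so it is worth confirming that stale members of `docker` cannot survive an in-place update. pkg_postinst continues outside the hunk.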
|