Packaging clean-up + SSL warning in http_check #778
Conversation
Fixes #770. Merge from master.
ghost
assigned 
|
@amitto this pertains to security tweaks to our agent per our conversation in Burlingame. |
|
Also fixes #771 |
| @@ -0,0 +1,48 @@ | |||
| # -*- mode: ruby -*- | |||
There was a problem hiding this comment.
Can you remove that file from your PR ?
There was a problem hiding this comment.
I can but bear in mind that this is caused by vagrant init.
| @@ -3,7 +3,7 @@ | |||
|
|
|||
| getent group dd-agent >/dev/null || groupadd -r dd-agent | |||
| getent passwd dd-agent >/dev/null || \ | |||
| useradd -r -M -g dd-agent -d /tmp -s /bin/sh \ | |||
| useradd -r -M -g dd-agent -d /tmp -s /bin/false \ | |||
There was a problem hiding this comment.
By the way,
Why are we creating a user with a home directory on centos/rhel and not on debian/ubuntu ?
Can't we use a system account instead without home directory ?
http://unix.stackexchange.com/questions/22275/how-to-create-an-unprivileged-user-in-centos
There was a problem hiding this comment.
To be clearer it would mean creating the user using:
useradd -r -M -g dd-agent -d /dev/null -s /bin/false \
There was a problem hiding this comment.
Makes sense. The least amount of changes we apply, the easier it is.
On Dec 31, 2013 10:48 AM, "Remi Hakim" notifications@github.com wrote:
In packaging/datadog-agent-rpm/preinst:
@@ -3,7 +3,7 @@
getent group dd-agent >/dev/null || groupadd -r dd-agent
getent passwd dd-agent >/dev/null || \
- useradd -r -M -g dd-agent -d /tmp -s /bin/sh \
- useradd -r -M -g dd-agent -d /tmp -s /bin/false \
To be clearer it would mean creating the user using:
useradd -r -M -g dd-agent -d /dev/null -s /bin/false \
—
Reply to this email directly or view it on GitHubhttps://github.com//pull/778/files#r8599675
.
There was a problem hiding this comment.
I'm not even sure we need -d /dev/null as according to the documentation
-r creates a system account with a UID less than 500 and without a home directory
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-users-add.html
There was a problem hiding this comment.
Turns out -r still populates the home directory field in /etc/passwd so we
can set it to /usr/share/datadog/agent.
On Tue, Dec 31, 2013 at 11:16 AM, Remi Hakim notifications@github.comwrote:
In packaging/datadog-agent-rpm/preinst:
@@ -3,7 +3,7 @@
getent group dd-agent >/dev/null || groupadd -r dd-agent
getent passwd dd-agent >/dev/null || \
- useradd -r -M -g dd-agent -d /tmp -s /bin/sh \
- useradd -r -M -g dd-agent -d /tmp -s /bin/false \
I'm not even sure we need -d /dev/null as according to the documentation
-r creates a system account with a UID less than 500 and without a home
directoryhttp://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-users-add.html
—
Reply to this email directly or view it on GitHubhttps://github.com//pull/778/files#r8599975
.
|
@remh should be good for final review now. |
| @@ -5,7 +5,8 @@ set -e | |||
| case "$1" in | |||
| configure) | |||
| update-rc.d datadog-agent defaults | |||
| adduser --system dd-agent --shell /bin/sh --no-create-home --quiet | |||
| adduser --system dd-agent --disabled-login --shell /bin/false --no-create-home --quiet | |||
| usermod -d /usr/share/datadog/agent dd-agent | |||
There was a problem hiding this comment.
Point to an existing directory, but disable logins.
|
@alq666 Looks fine to me. |
Packaging clean-up + SSL warning in http_check
Fixes #768, fixes #769 and fixes #770.
dd-agentuser does not need a shell anymore.dd-agentuser is deleted when the package is uninstalled.http_checkis left toFalse(in which case it issues a warning). It can be set toTruein `http_check; it acts as a control. The default is to keep certificate validation disabled to remain compatible with previous versions.Tested on Debian 7.1 and CentOS 6.5.