Fixes #33765 - Use a system user without a login shell #237

Merged 1 commit on Oct 21, 2021

ekohl (Member) commented Oct 21, 2021

The user pulp doesn't need to log in so it's set to /sbin/nologin.

It should also be a system user. This doesn't affect existing installations, but it ensures fresh installations are clean. From useradd's man page:

System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).

This typically means newly created pulp users will end up with a UID < 1000 while with the current code it's > 1000.

@ekohl ekohl force-pushed the 33765-set-nologin-shell branch from 88ca6fa to 5a7991a Compare October 21, 2021 17:02
ehelms (Member) commented Oct 21, 2021

Can you expand on why we want a system user? I feel like sometimes I hear users who have policies around UID needing to be above 1000.

ekohl (Member, Author) commented Oct 21, 2021

System users are typically used for non-humans. pulp is also typically a system service: it doesn't log in and only needs to be there for proper file permissions and so services can run as that user. foreman and foreman-proxy are also system users. This just makes it consistent.

@ekohl ekohl merged commit 5a7991a into theforeman:master Oct 21, 2021
@ekohl ekohl deleted the 33765-set-nologin-shell branch October 21, 2021 19:08
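
A check for the two properties this change sets on the pulp account, a UID inside the SYS_UID_MIN-SYS_UID_MAX range from login.defs and a non-login shell. This is an added example, not code from the pull request or the project; the function names, the accounts pulp_old and pulp_new, and the set of shells treated as non-login are assumptions, and the passwd and login.defs contents are constructed.

```shell
#!/bin/sh
# Added example: audits one account against a passwd file and a login.defs file.

# Value of KEY in a login.defs-style file, or the fallback when it is not set.
login_defs_value() {  # $1=file $2=key $3=fallback
    val=$(awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1")
    echo "${val:-$3}"
}

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if no such user.
check_service_account() {  # $1=user $2=passwd file $3=login.defs file
    entry=$(awk -F: -v u="$1" '$1 == u { print $3 ":" $7 }' "$2")
    [ -n "$entry" ] || { echo "$1: not found"; return 2; }
    uid=${entry%%:*}
    shell=${entry#*:}
    # Fallbacks follow login.defs(5): UID_MIN 1000, SYS_UID_MIN 101, SYS_UID_MAX UID_MIN-1.
    uid_min=$(login_defs_value "$3" UID_MIN 1000)
    sys_min=$(login_defs_value "$3" SYS_UID_MIN 101)
    sys_max=$(login_defs_value "$3" SYS_UID_MAX $((uid_min - 1)))
    rc=0
    if [ "$uid" -lt "$sys_min" ] || [ "$uid" -gt "$sys_max" ]; then
        echo "$1: UID $uid outside system range $sys_min-$sys_max"; rc=1
    fi
    case $shell in
        */nologin|*/false) ;;   # assumed set of non-login shells
        "") echo "$1: empty shell field (login falls back to /bin/sh)"; rc=1 ;;
        *)  echo "$1: login shell $shell"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not from a real host): one account as a plain
# useradd would create it, one as useradd --system with a nologin shell.
write_sample() {  # $1=directory
    printf '%s\n' '# constructed login.defs' 'UID_MIN 1000' \
        'SYS_UID_MIN 201' 'SYS_UID_MAX 999' > "$1/login.defs"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'pulp_old:x:1001:1001::/var/lib/pulp:/bin/bash' \
        'pulp_new:x:987:981::/var/lib/pulp:/sbin/nologin' > "$1/passwd"
}

dir=$(mktemp -d)
write_sample "$dir"
for u in pulp_old pulp_new; do
    check_service_account "$u" "$dir/passwd" "$dir/login.defs" || true
done
rm -rf "$dir"
```

On a real host the same function can be pointed at /etc/passwd and /etc/login.defs; it only reads both files.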