Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consul user is created with login shell #293

Closed
madAndroid opened this issue Oct 27, 2016 · 6 comments
Closed

Consul user is created with login shell #293

madAndroid opened this issue Oct 27, 2016 · 6 comments

Comments

@madAndroid
Copy link
Contributor

Hi,

We're implementing CIS compliance based on the CIS benchmark, and when we're running our InSpec profiles on servers that have consul installed via this module, the system user created for consul has a login shell set (/bin/bash in this case) .. would you be open to explicitly setting the shell to /sbin/nologin?

I'll send a PR if this is something that you're likely to accept a change for.
@solarkennedy
Copy link
Contributor

Whoa. Yes please.

madAndroid added a commit to madAndroid/puppet-consul that referenced this issue Nov 14, 2016
@madAndroid
set login shell to nologin, to satisfy CIS compliance - addresses vox…
facbe7b 
…pupuli#293
@madAndroid madAndroid mentioned this issue Nov 14, 2016
Merged
madAndroid added a commit to madAndroid/puppet-consul that referenced this issue Nov 14, 2016
@madAndroid
add spec test for changed functionality for user creation voxpupuli#293
bed2b34
@solarkennedy
Copy link
Contributor

Thank you for addressing this.

@madAndroid
Copy link
Contributor Author

Thanks :)

@madAndroid
Copy link
Contributor Author

It turns out this might be problematic :(

hashicorp/consul#1358 (comment)

We're now seeing health checks fail .. might be better to revert this change until the issue with consul using a login shell is fixed ... sorry for the hassle, turns out this wasn't a wise change

@solarkennedy
Copy link
Contributor

Crap. Reverted :(

@madAndroid
Copy link
Contributor Author

Sorry about that! a bit annoying that consul's using a login shell instead
of just running golang's exec... I've had to add an exception for our CIS
benchmarks for that, for now

On Tue, Nov 15, 2016 at 5:30 PM, Kyle Anderson notifications@github.com
wrote:

Crap. Reverted :(


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#293 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABQp3SXfHndRLqWfSMdedmh-c_U0wySZks5q-dAagaJpZM4KiBTg
.

spuder pushed a commit to spuder/puppet-consul that referenced this issue Feb 25, 2020
@madAndroid
set login shell to nologin, to satisfy CIS compliance - addresses vox…
a32bef7 
…pupuli#293
spuder pushed a commit to spuder/puppet-consul that referenced this issue Feb 25, 2020
@madAndroid
add spec test for changed functionality for user creation voxpupuli#293
33af1aa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@solarkennedy @madAndroid