
[FEATURE] use system user and group #131

Open
remichristiaan opened this issue Jul 29, 2020 · 4 comments
Comments

@remichristiaan

Is your feature request related to a problem?

Not related to a problem, could be related to best practices.

Describe the solution you'd like

Currently the user and group are created as "normal" non-system. I would like to have them created as system-user and system-group with no home-dir or have the option to do so in the pillar ... only if there is a good reason not to do so.

general_config.sls

```yaml
{%- if manage_group %}  {#- opening of the group block: assumed from the manage_group check further down, not part of the original excerpt #}
openvpn_group:
  group.present:
    - name: {{ map.group }}
    - system: true
    - require_in:
      - file: openvpn_config_dir
      - sls: openvpn.config
{%- endif %}
{%- if not (map.manage_user is sameas false or map.user == 'nobody') %}
openvpn_user:
  user.present:
    - name: {{ map.user }}
    - home: "/nonexistent"
    - createhome: false
    - system: true
    - gid: {{ map.group }}
{%-   if manage_group %}
    - require:
      - group: openvpn_group
{%-   endif %}
    - require_in:
      - file: openvpn_config_dir
      - sls: openvpn.config
{%- endif %}
```

Describe alternatives you've considered

I can make the changes in my own fork, but in general that's not really handy.

Additional context

I currently do not have much time to create a pull-request myself unfortunately. But if no one picks this up, I'll see what I can do later.
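A defender-side check for the property this request asks for (service account in the system UID range, no login home directory, no interactive shell), added here as an example and not part of the issue or of the formula. It assumes SYS_UID_MAX can be read from /etc/login.defs, falling back to Debian's default of 999, and the two passwd entries at the bottom are constructed samples.

```shell
# Audit helper: is the OpenVPN service account a real system account
# (UID in the system range, no home under /home, no interactive shell)?

# Assumption: SYS_UID_MAX comes from /etc/login.defs when present,
# otherwise Debian's default of 999 is used.
sys_uid_max() {
    if [ -r /etc/login.defs ]; then
        v=$(awk '$1 == "SYS_UID_MAX" { print $2 }' /etc/login.defs)
        if [ -n "$v" ]; then echo "$v"; return 0; fi
    fi
    echo 999
}

# is_system_account 'name:x:uid:gid:gecos:home:shell'
# Prints each failed check; returns 0 only when every check passes.
is_system_account() {
    entry=$1
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    rc=0
    if [ "$uid" -gt "$(sys_uid_max)" ]; then
        echo "uid $uid is above SYS_UID_MAX: created as a normal user"
        rc=1
    fi
    case $home in
        /home/*|/root) echo "home '$home' is a login home directory"; rc=1 ;;
    esac
    case $shell in
        */nologin|*/false) ;;
        *) echo "shell '$shell' allows interactive login"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample entries (not taken from any real host):
GOOD='openvpn:x:110:115::/nonexistent:/usr/sbin/nologin'  # what the request asks for
BAD='openvpn:x:1001:1001::/home/openvpn:/bin/bash'        # a "normal" non-system user

# On a live minion, check the account the formula manages with:
#   is_system_account "$(getent passwd openvpn)"
```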

@daks
Member

daks commented Jul 30, 2020

Hello,

I'm not using this formula myself, but from the code it seems that it uses user and group nobody (see https://github.com/saltstack-formulas/openvpn-formula/blob/master/openvpn/defaults.yaml#L20). Tests are configured to set up an openvpn user, see here: https://github.com/saltstack-formulas/openvpn-formula/blob/master/test/salt/pillar/default.sls#L14

I'm not sure modifying the formula is absolutely necessary; you should be able to do it this way:

  • create your own user/group in a state
  • setup the formula to use this user/group with pillars openvpn:lookup:user and openvpn:lookup:group
  • order your states to run your state before the formula ones (or insert some require/require_in)

@remichristiaan
Author

Perhaps there is a way to create the users yourself and feed them to the formula to use, but that is beside the point that the user and group that are created by the formula are not "system", which should be the de facto case for daemons.

@daks
Member

daks commented Jul 30, 2020

What happens (at least on Debian; I think most distributions do it that way too) is that the package manages it itself, creating the user when installing and removing it when uninstalling the package. If this user is not sufficiently secured, maybe bugs must be opened on distribution bug trackers directly, because security could/should be improved upstream :)

edit: in fact, when the formula creates the user itself (which is not the default though), its security could be improved, any PR would be appreciated :)

@remichristiaan
Author

If I remember correctly, the OpenVPN package on Debian/Ubuntu does not create users because in the examples they use nobody:nobody. In hardening OpenVPN it's suggested to create a specific user and group.

When I have time, I'll look into the PR.
