[FEATURE] use system user and group #131
Comments
Hello, I'm not using this formula myself but from the code it seems that it uses user and group I'm not sure modifying the formula is absolutely necessary, you should be able to do it this way:
Perhaps there is a way to create the users yourself and feed them to the formula to use, but that goes beside the point that the user and group that are created by the formula are not "system" which should be the de facto case for daemons.
What happens (at least on Debian, I think most distributions do it that way too), is that the package manages it itself, creating the user when installing and removing it when uninstalling the package. If this user is not sufficiently secured, maybe bugs must be opened on distribution bug trackers directly because security could/should be improved upstream :) Edit: in fact, when the formula creates the user itself (which is not the default though), its security could be improved, any PR would be appreciated :)
If I remember correctly the OpenVPN package on Debian/Ubuntu does not create users because in the examples they use nobody:nobody. In hardening OpenVPN it's suggested to create a specific user and group. When I have time, I'll look into the PR.
Is your feature request related to a problem?
Not related to a problem, could be related to best practices.
Describe the solution you'd like
Currently the user and group are created as "normal" non-system. I would like to have them created as system-user and system-group with no home-dir or have the option to do so in the pillar ... only if there is a good reason not to do so.
general_config.sls
Describe alternatives you've considered
I can make the changes in my own fork, but in general that's not really handy.
Additional context
I currently do not have much time to create a pull-request myself unfortunately. But if no one picks this up, I'll see what I can do later.
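A sketch of what the request above could look like as a Salt state, added here as an illustration and not taken from the formula's `general_config.sls` or from any participant in this thread. The pillar key `openvpn:daemon_account`, the account name `openvpn`, and the Debian-style `/nonexistent` home and `/usr/sbin/nologin` shell are assumptions.

```yaml
{#- Added example, not the formula's code.
    'openvpn:daemon_account' is a hypothetical pillar key; the formula's
    real pillar layout may differ. -#}
{%- set acct   = salt['pillar.get']('openvpn:daemon_account', {}) %}
{%- set name   = acct.get('name', 'openvpn') %}
{#- Default to a system account; a pillar override can opt out. -#}
{%- set system = acct.get('system', True) %}

openvpn_daemon_group:
  group.present:
    - name: {{ name }}
    # Allocate the GID from the system range instead of the normal-user range.
    - system: {{ system }}

openvpn_daemon_user:
  user.present:
    - name: {{ name }}
    - gid: {{ name }}
    # Allocate the UID from the system range. This only takes effect when
    # the account is created; an existing account keeps its current UID.
    - system: {{ system }}
    # No home directory is created and the home path points nowhere usable.
    - createhome: False
    - home: /nonexistent
    # No interactive login for the daemon account (Debian path, assumed).
    - shell: /usr/sbin/nologin
    - require:
      - group: openvpn_daemon_group
```

On a host where the account already exists with a normal-range UID, `getent passwd openvpn` will still show the old UID after this state runs; the account has to be removed and recreated for the system range to apply.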