From 698bb3df210c0d6e1e1d2d1d1aa2ff974450b18d Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Fri, 5 Nov 2021 18:06:55 +0000
Subject: [PATCH] Lower UID/GID range max to make way for containers
In order to avoid unfortunate collisions with statically assigned container account UIDs and GIDs, cap normal users at 9999. That way we can set our containers to use IDs 10000 and above. Make sure adduser/addgroup's adduser.conf gets adjusted to match the values we set in the login.defs referenced by the lower-level useradd/groupadd tools too. We're not using non-Debian-derivative servers these days, so don't bother to try making this work on other distributions for the time being.
Change-Id: I0068d5cea66e898c35b661cd559437dc4049e8f4
---
 .../base/users/files/Debian/adduser.conf | 88 +++++++++++++++++++
 .../roles/base/users/files/Debian/login.defs | 4 +-
 playbooks/roles/base/users/tasks/main.yaml | 8 ++
 3 files changed, 98 insertions(+), 2 deletions(-)
 create mode 100644 playbooks/roles/base/users/files/Debian/adduser.conf
diff --git a/playbooks/roles/base/users/files/Debian/adduser.conf b/playbooks/roles/base/users/files/Debian/adduser.conf
new file mode 100644
index 0000000000..2ad61f0310
--- /dev/null
+++ b/playbooks/roles/base/users/files/Debian/adduser.conf
@@ -0,0 +1,88 @@
+# /etc/adduser.conf: `adduser' configuration.
+# See adduser(8) and adduser.conf(5) for full documentation.
+
+# The DSHELL variable specifies the default login shell on your
+# system.
+DSHELL=/bin/bash
+
+# The DHOME variable specifies the directory containing users' home
+# directories.
+DHOME=/home
+
+# If GROUPHOMES is "yes", then the home directories will be created as
+# /home/groupname/user.
+GROUPHOMES=no
+
+# If LETTERHOMES is "yes", then the created home directories will have
+# an extra directory - the first letter of the user name. For example:
+# /home/u/user.
+LETTERHOMES=no
+
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+SKEL=/etc/skel
+
+# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
+# for dynamically allocated administrative and system accounts/groups.
+# Please note that system software, such as the users allocated by the base-passwd
+# package, may assume that UIDs less than 100 are unallocated.
+FIRST_SYSTEM_UID=100
+LAST_SYSTEM_UID=999
+
+FIRST_SYSTEM_GID=100
+LAST_SYSTEM_GID=999
+
+# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
+# allocated user accounts/groups.
+FIRST_UID=3000
+LAST_UID=9999
+
+FIRST_GID=3000
+LAST_GID=9999
+
+# The USERGROUPS variable can be either "yes" or "no". If "yes" each
+# created user will be given their own group to use as a default. If
+# "no", each created user will be placed in the group whose gid is
+# USERS_GID (see below).
+USERGROUPS=yes
+
+# If USERGROUPS is "no", then USERS_GID should be the GID of the group
+# `users' (or the equivalent group) on your system.
+USERS_GID=100
+
+# If DIR_MODE is set, directories will be created with the specified
+# mode. Otherwise the default mode 0755 will be used.
+DIR_MODE=0755
+
+# If SETGID_HOME is "yes" home directories for users with their own
+# group the setgid bit will be set. This was the default for
+# versions << 3.13 of adduser. Because it has some bad side effects we
+# no longer do this per default. If you want it nevertheless you can
+# still set it here.
+SETGID_HOME=no
+
+# If QUOTAUSER is set, a default quota will be set from that user with
+# `edquota -p QUOTAUSER newuser'
+QUOTAUSER=""
+
+# If SKEL_IGNORE_REGEX is set, adduser will ignore files matching this
+# regular expression when creating a new home directory
+SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
+
+# Set this if you want the --add_extra_groups option to adduser to add
+# new users to other groups.
+# This is the list of groups that new non-system users will be added to
+# Default:
+#EXTRA_GROUPS="dialout cdrom floppy audio video plugdev users"
+
+# If ADD_EXTRA_GROUPS is set to something non-zero, the EXTRA_GROUPS
+# option above will be default behavior for adding new, non-system users
+#ADD_EXTRA_GROUPS=1
+
+
+# check user and group names also against this regular expression.
+#NAME_REGEX="^[a-z][-a-z0-9_]*\$"
+
+# use extrausers by default
+#USE_EXTRAUSERS=1
diff --git a/playbooks/roles/base/users/files/Debian/login.defs b/playbooks/roles/base/users/files/Debian/login.defs
index c7d5a15b4f..3b3248b9ef 100644
--- a/playbooks/roles/base/users/files/Debian/login.defs
+++ b/playbooks/roles/base/users/files/Debian/login.defs
@@ -166,7 +166,7 @@ PASS_WARN_AGE 7
 #
 SYS_UID_MAX 999
 UID_MIN 3000
-UID_MAX 60000
+UID_MAX 9999
 # System accounts
 #SYS_UID_MIN 100
 #SYS_UID_MAX 999
@@ -176,7 +176,7 @@ UID_MAX 60000
 #
 SYS_GID_MAX 999
 GID_MIN 3000
-GID_MAX 60000
+GID_MAX 9999
 # System accounts
 #SYS_GID_MIN 100
 #SYS_GID_MAX 999
diff --git a/playbooks/roles/base/users/tasks/main.yaml b/playbooks/roles/base/users/tasks/main.yaml
index 6555b37db3..fa0b11cf02 100644
--- a/playbooks/roles/base/users/tasks/main.yaml
+++ b/playbooks/roles/base/users/tasks/main.yaml
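Review bot: The FIRST_UID/LAST_UID and FIRST_GID/LAST_GID lines (3000-9999) are, as far as the hunk shows, the only values that depart from the stock Debian file, yet nothing in the file says they must track UID_MIN/UID_MAX and GID_MIN/GID_MAX in login.defs or why the cap stops at 9999; the reason lives only in the commit message. A comment above FIRST_UID such as `# Keep in sync with UID_MIN/UID_MAX and GID_MIN/GID_MAX in login.defs; IDs 10000 and up are reserved for container accounts` would make the coupling visible to the next editor of either file. Separately, DIR_MODE=0755 means every home directory adduser creates is world-readable; that is the packaged default being copied here, but now that this file is managed centrally it is the natural place to record whether that is intended or whether 0750 is preferable. The FIRST_SYSTEM_*/LAST_SYSTEM_* values (100-999) do agree with the SYS_UID_MAX 999 context visible in the login.defs hunk, so the system range is consistent.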
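Review bot: UID_MAX and GID_MAX now end at 9999 with no comment in the file explaining the cap, so a later edit could raise it back to the stock 60000 without realising it overlaps the container reservation. Suggest a line above UID_MAX, `# IDs 10000 and up are reserved for container accounts; keep UID_MAX/GID_MAX below that and adduser.conf LAST_UID/LAST_GID in step`, and the equivalent above GID_MAX in the -176 hunk. Lowering the ceiling only affects future allocations; any account or group already created under the old 60000 cap with an ID above 9999 keeps it and still sits inside the container range, so a one-off check of /etc/passwd and /etc/group across the fleet seems worth pairing with this rollout (inferred, the hunk shows nothing about existing allocations).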
@@ -15,6 +15,14 @@
 group: root
 mode: 0440
 
+- name: Setup adduser.conf file
+ copy:
+ dest: /etc/adduser.conf
+ src: '{{ ansible_facts.os_family }}/adduser.conf'
+ owner: root
+ group: root
+ mode: 0644
+
 - name: Setup login.defs file
 copy:
 dest: /etc/login.defs
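Review bot: `mode: 0644` in the new task relies on the YAML parser treating the leading zero as octal; Ansible's own guidance is to quote file modes (`mode: '0644'`) so the value cannot be read as decimal 644, which would leave the file with an unexpected mode. The neighbouring login.defs task uses the same unquoted form (`mode: 0440` in the context), so this is a file-wide habit rather than a new defect; either quote both or leave both for consistency. The src path is keyed on ansible_facts.os_family with no guard, so the task fails on any non-Debian family, which the commit message accepts deliberately; a short comment on the task saying so would save the next reader a trip to git log.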