From 404063aa9136b13e67fce7983a4c97b2636c59ee Mon Sep 17 00:00:00 2001
From: Gavin Lewis
Date: Thu, 3 Oct 2024 17:13:04 -0700
Subject: [PATCH] Don't modify user or group on TiberOS as these files are immutable (#563)
---
 .../usr/bin/mqtt-ensure-keys-generated | 46 ++++++++++++++-----
 1 file changed, 35 insertions(+), 11 deletions(-)
diff --git a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
index 8f08638dc..3063eb0de 100755
--- a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
+++ b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
@@ -1,6 +1,14 @@
 #!/bin/bash
 set -euxo pipefail
 
+# Retrieve OS Release ID
+if [ -f /etc/os-release ]; then
+ . /etc/os-release
+else
+ echo "/etc/os-release not found. Exiting."
+ exit 1
+fi
+
 TC_PUBLIC="/etc/intel-manageability/public"
 TC_SECRET="/etc/intel-manageability/secret"
 DAYS_EXPIRY="2555"
@@ -38,7 +46,11 @@ check_no_insecure_user() {
 true
 else
 echo "User $user_to_check already exists and has insecure shell $user_shell. Changing shell to /usr/sbin/nologin."
- chsh -s /usr/sbin/nologin "$user_to_check"
+ if [ "$ID" != "tiber" ]; then
+ chsh -s /usr/sbin/nologin "$user_to_check"
+ else
+ echo "Skipping shell change for user $user_to_check on 'tiber' OS."
+ fi
 fi
 fi
 }
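Review bot: The `[ "$ID" != "tiber" ]` tests added in the three later hunks depend on `ID` being set by the file sourced in this first hunk, but nothing here guarantees that; with `set -u` active from the script's second line, an os-release without an `ID` key aborts the script with an unbound-variable error instead of taking the non-tiber path. Sourcing the file at top level also pulls every key it defines into the namespace of a script that calls `useradd` and `chsh` and so presumably runs as root. Reading only the one field in a subshell avoids both problems, e.g. `OS_ID="$(. /etc/os-release && printf '%s' "${ID:-}")"` with the comparisons switched to `$OS_ID`. The not-found message should also go to stderr (`>&2`).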
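Review bot: On TiberOS the new `else` branch leaves an account whose shell was just judged insecure unchanged and carries on, so the check fails open. The unchanged line above still prints "Changing shell to /usr/sbin/nologin.", and the only trace of the skip is an informational echo on stdout. I would print the "Changing shell" message only in the non-tiber branch and turn the tiber branch into a warning on stderr, e.g. `echo "WARNING: $user_to_check keeps shell $user_shell; it cannot be changed on this OS." >&2`. Whether that case should also exit non-zero is a policy decision for the maintainers. The body of check_no_insecure_user starts above this hunk.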
@@ -46,16 +58,24 @@ check_no_insecure_user() { fix_permissions() { # Protect directories by group for dir in $(find "$TC_SECRET" -mindepth 1 -maxdepth 1 -type d) ; do - GROUP="$(basename $dir)" - USER="$GROUP" - if ! [ "$GROUP" == "lost+found" ] ; then + GROUP="$(basename "$dir")" + USER="$GROUP" + if [ "$GROUP" != "lost+found" ] ; then check_no_insecure_user "$USER" - getent group "$GROUP" || groupadd "$GROUP" - if id "$USER" >&/dev/null; then - : user already exists - else - useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist - fi + + if [ "$ID" != "tiber" ]; then + # Only add groups and users if not on 'tiber' + getent group "$GROUP" || groupadd "$GROUP" + if id "$USER" >&/dev/null; then + : # user already exists + else + useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist + fi + else + echo "Skipping group and user creation for $USER on 'tiber' OS." + fi + + # Perform chgrp/chmod regardless of OS chgrp -R "$GROUP" "$dir" # Ensure group does not have write, 'other' does not have read, write, or execute chmod -R g-w,o-rwx "$dir" @@ -80,7 +100,11 @@ fix_permissions() { find /var/cache/manageability -type d -exec chmod g+s {} \; # Make sure new files have correct group ownership # Make sure 'docker' group exists for diagnostic agent's .service file - getent group docker || groupadd docker + if [ "$ID" != "tiber" ]; then + getent group docker || groupadd docker + else + echo "Skipping 'docker' group creation on 'tiber' OS." + fi } # Ensure keys are provisioned
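Review bot: With creation skipped on TiberOS, nothing confirms that `$GROUP` exists before the unconditional `chgrp -R "$GROUP" "$dir"`. If the immutable image lacks the group, chgrp fails and `set -e` stops the loop partway, so any directories not yet visited presumably keep their previous ownership and mode. The tiber branch could verify instead of only logging: `getent group "$GROUP" >/dev/null || { echo "group $GROUP is missing and cannot be created on this OS" >&2; exit 1; }`. The same gap exists for the `docker` group in the last hunk (new line 100 onward), where a missing group is skipped with an echo although the comment says the diagnostic agent's .service file needs it. fix_permissions extends beyond both hunks.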