Skip to content

Commit

Permalink
Don't modify user or group on TiberOS as these files are immutable
Browse files Browse the repository at this point in the history
  • Loading branch information
gblewis1 committed Oct 3, 2024
1 parent b74eeda commit b472bd8
Showing 1 changed file with 45 additions and 15 deletions.
60 changes: 45 additions & 15 deletions inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
Original file line number Diff line number Diff line change
@@ -1,6 +1,14 @@
#!/bin/bash
set -euxo pipefail

# Retrieve OS Release ID
if [ -f /etc/os-release ]; then
. /etc/os-release
else
echo "/etc/os-release not found. Exiting."
exit 1
fi

TC_PUBLIC="/etc/intel-manageability/public"
TC_SECRET="/etc/intel-manageability/secret"
DAYS_EXPIRY="2555"
Expand Down Expand Up @@ -38,29 +46,47 @@ check_no_insecure_user() {
true
else
echo "User $user_to_check already exists and has insecure shell $user_shell. Changing shell to /usr/sbin/nologin."
chsh -s /usr/sbin/nologin "$user_to_check"
if [ "$ID" != "tiber" ]; then
chsh -s /usr/sbin/nologin "$user_to_check"
else
echo "Skipping shell change for user $user_to_check on 'tiber' OS."
fi
fi
fi
}

fix_permissions() {
# Protect directories by group
for dir in $(find "$TC_SECRET" -mindepth 1 -maxdepth 1 -type d) ; do
GROUP="$(basename $dir)"
USER="$GROUP"
if ! [ "$GROUP" == "lost+found" ] ; then
GROUP="$(basename "$dir")"
USER="$GROUP"
if [ "$GROUP" != "lost+found" ] ; then
check_no_insecure_user "$USER"
getent group "$GROUP" || groupadd "$GROUP"
if id "$USER" >&/dev/null; then
: user already exists
else
useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
fi

if [ "$ID" != "tiber" ]; then
# Only add groups and users if not on 'tiber'
getent group "$GROUP" || groupadd "$GROUP"
if id "$USER" >&/dev/null; then
: # user already exists
else
useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
fi
else
echo "Skipping group and user creation for $USER on 'tiber' OS."
fi

# Perform chgrp regardless of OS
chgrp -R "$GROUP" "$dir"
# Ensure group does not have write, 'other' does not have read, write, or execute
chmod -R g-w,o-rwx "$dir"
# Ensure user has read/write and group has read
chmod -R u+rw,g+r "$dir"

if [ "$ID" != "tiber" ]; then
# Ensure group does not have write, 'other' does not have read, write, or execute
chmod -R g-w,o-rwx "$dir"
# Ensure user has read/write and group has read
chmod -R u+rw,g+r "$dir"
else
echo "Skipping chmod adjustments on 'tiber' OS for $dir."
# Optionally, perform minimal chmod if needed
fi
fi
done

Expand All @@ -80,7 +106,11 @@ fix_permissions() {
find /var/cache/manageability -type d -exec chmod g+s {} \; # Make sure new files have correct group ownership

# Make sure 'docker' group exists for diagnostic agent's .service file
getent group docker || groupadd docker
if [ "$ID" != "tiber" ]; then
getent group docker || groupadd docker
else
echo "Skipping 'docker' group creation on 'tiber' OS."
fi
}

# Ensure keys are provisioned
Expand Down

0 comments on commit b472bd8

Please sign in to comment.