Don't modify user or group on TiberOS as these files are immutable #563

Merged
merged 2 commits into from
Oct 4, 2024
Merged
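--- a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
+++ b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
@@ -1,6 +1,14 @@
 #!/bin/bash
 set -euxo pipefail
 
+# Retrieve OS Release ID
+if [ -f /etc/os-release ]; then
+. /etc/os-release
+else
+echo "/etc/os-release not found. Exiting."
+exit 1
+fi
+
 TC_PUBLIC="/etc/intel-manageability/public"
 TC_SECRET="/etc/intel-manageability/secret"
 DAYS_EXPIRY="2555"
@@ -38,24 +46,36 @@ check_no_insecure_user() {
 true
 else
 echo "User $user_to_check already exists and has insecure shell $user_shell. Changing shell to /usr/sbin/nologin."
-chsh -s /usr/sbin/nologin "$user_to_check"
+if [ "$ID" != "tiber" ]; then
+chsh -s /usr/sbin/nologin "$user_to_check"
+else
+echo "Skipping shell change for user $user_to_check on 'tiber' OS."
+fi
 fi
 fi
 }
 
 fix_permissions() {
 # Protect directories by group
 for dir in $(find "$TC_SECRET" -mindepth 1 -maxdepth 1 -type d) ; do
-GROUP="$(basename $dir)"
-USER="$GROUP"
-if ! [ "$GROUP" == "lost+found" ] ; then
+GROUP="$(basename "$dir")"
+USER="$GROUP"
+if [ "$GROUP" != "lost+found" ] ; then
 check_no_insecure_user "$USER"
-getent group "$GROUP" || groupadd "$GROUP"
-if id "$USER" >&/dev/null; then
-: user already exists
-else
-useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
-fi
+
+if [ "$ID" != "tiber" ]; then
+# Only add groups and users if not on 'tiber'
+getent group "$GROUP" || groupadd "$GROUP"
+if id "$USER" >&/dev/null; then
+: # user already exists
+else
+useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
+fi
+else
+echo "Skipping group and user creation for $USER on 'tiber' OS."
+fi
+
+# Perform chgrp/chmod regardless of OS
 chgrp -R "$GROUP" "$dir"
 # Ensure group does not have write, 'other' does not have read, write, or execute
 chmod -R g-w,o-rwx "$dir"
@@ -80,7 +100,11 @@ fix_permissions() {
 find /var/cache/manageability -type d -exec chmod g+s {} \; # Make sure new files have correct group ownership
 
 # Make sure 'docker' group exists for diagnostic agent's .service file
-getent group docker || groupadd docker
+if [ "$ID" != "tiber" ]; then
+getent group docker || groupadd docker
+else
+echo "Skipping 'docker' group creation on 'tiber' OS."
+fi
 }
 
 # Ensure keys are provisioned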
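Review bot: On a 'tiber' host the new `else` branch in fix_permissions skips creating `$GROUP`, yet `chgrp -R "$GROUP" "$dir"` two lines later still runs unconditionally, so if the group is not already present the script dies under `set -e` with an opaque chgrp error instead of the intended skip. A guard before the chgrp, `getent group "$GROUP" >/dev/null || { echo "Group $GROUP missing; cannot fix ownership of $dir" >&2; exit 1; }`, makes that failure explicit, or the chgrp could be skipped on 'tiber' if ownership is expected to be pre-provisioned there — the hunk does not say which is intended. The same `[ "$ID" != "tiber" ]` test is repeated in all three hunks; computing it once after sourcing /etc/os-release into a `readonly` flag (or an `is_tiber()` helper) would keep the three sites from drifting. `$ID` is only set when /etc/os-release contains an `ID=` line, and with `set -u` an absent field surfaces as an unbound-variable abort rather than a diagnostic, so `"${ID:-}"` plus an explicit check next to the sourcing would be clearer. check_no_insecure_user's body begins above the second hunk, and fix_permissions spans the second and third hunks with lines elided between them.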