[Kimchi-devel] [RFC] filter the users of host system

Royce Lv lvroyce at linux.vnet.ibm.com
Wed Jul 16 08:40:03 UTC 2014


As we discussed, checking whether a user has a password set may be a choice,
but I still prefer to stop wiring up system users and Kimchi users.
The reasons I have elaborated in Christian's patch:
     1. we want different admins just responsible for their own parts:
        a network admin manages network, a storage admin manages storage, but
        a superuser/unprivileged user does not have such a fine-grained view.
     2. we want multi-level access within one tab:
        take guest management as an example, we want
        create/destroy--start/stop--access VNC, at least 3 levels of access.
        The superuser way cannot reflect multi-level control.
     3. security reasons:
        System users and virtualization users need to be isolated; even a
        privileged virtualization user had better not know system details, such
        as system users, groups and other information.

On 2014-07-16 15:38, Sheldon wrote:
> Now Kimchi uses host system users to log in.
> In Fedora most system users are not allowed to log in, so we should
> filter them.
> But in Ubuntu, it seems most system users still can log in, though their
> pw_shell is /bin/sh, which is a symlink to /bin/bash.
>
> Now I'd like to just list the users whose pw_shell is /bin/bash.
> Not sure all distributions can work well this way.
> I have just checked Fedora and Ubuntu, and it seems to work.
>
> So can anyone help check whether there is any exception on your distribution?
>
> *root:x:0:0:root:/root:/bin/bash*
> bin:x:1:1:bin:/bin:/sbin/nologin
> daemon:x:2:2:daemon:/sbin:/sbin/nologin
> adm:x:3:4:adm:/var/adm:/sbin/nologin
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
> operator:x:11:0:operator:/root:/sbin/nologin
> games:x:12:100:games:/usr/games:/sbin/nologin
> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
> nobody:x:99:99:Nobody:/:/sbin/nologin
> avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
> dbus:x:81:81:System message bus:/:/sbin/nologin
> polkitd:x:999:999:User for polkitd:/:/sbin/nologin
> abrt:x:173:173::/etc/abrt:/sbin/nologin
> usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
> colord:x:998:998:User for colord:/var/lib/colord:/sbin/nologin
> rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
> geoclue:x:997:996:User for geoclue:/var/lib/geoclue:/sbin/nologin
> chrony:x:996:995::/var/lib/chrony:/sbin/nologin
> tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
> unbound:x:995:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
> openvpn:x:994:993:OpenVPN:/etc/openvpn:/sbin/nologin
> avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
> pulse:x:993:991:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
> gdm:x:42:42::/var/lib/gdm:/sbin/nologin
> gnome-initial-setup:x:992:989::/run/gnome-initial-setup/:/sbin/nologin
> nm-openconnect:x:991:988:NetworkManager user for OpenConnect:/:/sbin/nologin
> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> *shhfeng:x:1000:1000:shhfeng:/home/shhfeng:/bin/bash*
> qemu:x:107:107:qemu user:/:/sbin/nologin
> rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
> radvd:x:75:75:radvd user:/:/sbin/nologin
> rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
> nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
> saslauth:x:990:76:"Saslauthd user":/run/saslauthd:/sbin/nologin
> *guest:x:1001:1001::/home/guest:/bin/bash*
> nginx:x:989:984:Nginx web server:/var/lib/nginx:/sbin/nologin
>
>
> But in Ubuntu, it seems most system users still can log in, though their
> pw_shell is /bin/sh, which is a symlink to /bin/bash:
>
> *root:x:0:0:root:/root:/bin/bash*
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> syslog:x:101:103::/home/syslog:/bin/false
> messagebus:x:102:105::/var/run/dbus:/bin/false
> usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
> dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
> avahi-autoipd:x:105:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
> kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
> rtkit:x:107:113:RealtimeKit,,,:/proc:/bin/false
> whoopsie:x:108:114::/nonexistent:/bin/false
> speech-dispatcher:x:109:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
> avahi:x:110:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
> lightdm:x:111:117:Light Display Manager:/var/lib/lightdm:/bin/false
> pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
> hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
> colord:x:114:122:colord colour management daemon,,,:/var/lib/colord:/bin/false
> saned:x:115:123::/home/saned:/bin/false
> *royce:x:1000:1000:royce,,,:/home/royce:/bin/bash*
> libvirt-qemu:x:116:126:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
> libvirt-dnsmasq:x:117:125:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
> statd:x:118:65534::/var/lib/nfs:/bin/false
> sshd:x:119:65534::/var/run/sshd:/usr/sbin/nologi
> -- 
> Thanks and best regards!
>
> Sheldon Feng <shaohef at linux.vnet.ibm.com>
> IBM Linux Technology Center
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
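As an added illustration of the filtering question raised in Sheldon's post (this is not Kimchi's code), the example below parses passwd-style entries and compares the "shell is exactly /bin/bash" rule with a filter that also uses the regular-user UID range and a set of known non-login shells; the sample entries are constructed from the Fedora and Ubuntu listings in the thread, and the UID bounds are the assumed shadow-utils defaults.

```python
"""Filter which host accounts can actually log in (added example, not Kimchi code).
Sample lines are constructed from the Fedora and Ubuntu listings in the thread."""

# Constructed sample: a mixed subset of the two passwd listings quoted above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
shhfeng:x:1000:1000:shhfeng:/home/shhfeng:/bin/bash
royce:x:1000:1000:royce,,,:/home/royce:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""

# Shells that never give an interactive session, whatever the distribution.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                    "/usr/bin/false", "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
# Assumed regular-user UID range; the real values are UID_MIN/UID_MAX in
# /etc/login.defs (1000 and 60000 are the shadow-utils defaults).
UID_MIN, UID_MAX = 1000, 60000

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments, blank or truncated lines
        yield fields[0], int(fields[2]), fields[6]

def bash_only(text):
    """Sheldon's proposal: keep accounts whose shell is exactly /bin/bash."""
    return [name for name, _, shell in parse_passwd(text) if shell == "/bin/bash"]

def interactive_users(text, include_root=False):
    """Keep regular accounts with a real login shell. System accounts are
    dropped by UID range *and* by non-login shell, so Ubuntu's /bin/sh daemons
    and the UID 65534 'nobody' account are excluded without pinning one shell."""
    users = []
    for name, uid, shell in parse_passwd(text):
        if shell in NON_LOGIN_SHELLS:
            continue
        if (uid == 0 and include_root) or UID_MIN <= uid <= UID_MAX:
            users.append(name)
    return users
```

On a live host the same functions can be fed the entries returned by `pwd.getpwall()` instead of the constructed sample.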
