[Kimchi-devel] [RFC] filter the users of host system

Aline Manera alinefm at linux.vnet.ibm.com
Wed Jul 16 12:59:23 UTC 2014



On 07/16/2014 05:40 AM, Royce Lv wrote:
> As we discussed, checking whether a user has a password set may be a choice,
> but I still prefer to stop wiring up system users and Kimchi users.
> The reasons I have elaborated in Christian's patch:
>      1. We want different admins to be responsible only for their own parts:
>      the network admin manages the network, the storage admin manages storage, but
> a superuser/unprivileged user does not have such a fine-grained view.

This is for 1.3. But in the future we will add more and more roles.

> 2. We want multiple levels of access within one tab:
>      take guest management as an example; we want
> create/destroy, start/stop and access VNC, at least 3 levels of access.
>      The superuser way cannot reflect multi-level control.

The roles will handle that.

> 3. Security reason
>      System users and virtualization users need to be isolated; even a
> privileged virtualization user had better not know system details, such
> as system users, groups and other information.
>

The roles will handle that.

> On 16 Jul 2014 15:38, Sheldon wrote:
>> Now Kimchi uses host system users to log in.
>> In Fedora most system users are not allowed to log in, so we should
>> filter them.
>> But in Ubuntu, it seems most system users still can log in, but their
>> pw_shell is /bin/sh, which is a softlink to /bin/bash.
>>
>> Now I'd like to just list the users whose pw_shell is /bin/bash.
>> Not sure all distributions can work well this way.
>> I have just checked Fedora and Ubuntu; it seems to work.
>>
>> So can anyone help check if there is any exception on your distribution?
>>
>> *root:x:0:0:root:/root:/bin/bash*
>> bin:x:1:1:bin:/bin:/sbin/nologin
>> daemon:x:2:2:daemon:/sbin:/sbin/nologin
>> adm:x:3:4:adm:/var/adm:/sbin/nologin
>> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
>> sync:x:5:0:sync:/sbin:/bin/sync
>> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
>> halt:x:7:0:halt:/sbin:/sbin/halt
>> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
>> operator:x:11:0:operator:/root:/sbin/nologin
>> games:x:12:100:games:/usr/games:/sbin/nologin
>> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
>> nobody:x:99:99:Nobody:/:/sbin/nologin
>> avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
>> dbus:x:81:81:System message bus:/:/sbin/nologin
>> polkitd:x:999:999:User for polkitd:/:/sbin/nologin
>> abrt:x:173:173::/etc/abrt:/sbin/nologin
>> usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
>> colord:x:998:998:User for colord:/var/lib/colord:/sbin/nologin
>> rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
>> geoclue:x:997:996:User for geoclue:/var/lib/geoclue:/sbin/nologin
>> chrony:x:996:995::/var/lib/chrony:/sbin/nologin
>> tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
>> unbound:x:995:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
>> openvpn:x:994:993:OpenVPN:/etc/openvpn:/sbin/nologin
>> avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
>> pulse:x:993:991:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
>> gdm:x:42:42::/var/lib/gdm:/sbin/nologin
>> gnome-initial-setup:x:992:989::/run/gnome-initial-setup/:/sbin/nologin
>> nm-openconnect:x:991:988:NetworkManager user for OpenConnect:/:/sbin/nologin
>> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
>> *shhfeng:x:1000:1000:shhfeng:/home/shhfeng:/bin/bash*
>> qemu:x:107:107:qemu user:/:/sbin/nologin
>> rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
>> radvd:x:75:75:radvd user:/:/sbin/nologin
>> rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
>> nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
>> saslauth:x:990:76:"Saslauthd user":/run/saslauthd:/sbin/nologin
>> *guest:x:1001:1001::/home/guest:/bin/bash*
>> nginx:x:989:984:Nginx web server:/var/lib/nginx:/sbin/nologin
>>
>>
>> But in Ubuntu, it seems most system users still can log in, but their
>> pw_shell is /bin/sh, which is a softlink to /bin/bash.
>>
>> *root:x:0:0:root:/root:/bin/bash*
>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>> bin:x:2:2:bin:/bin:/bin/sh
>> sys:x:3:3:sys:/dev:/bin/sh
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/bin/sh
>> man:x:6:12:man:/var/cache/man:/bin/sh
>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>> mail:x:8:8:mail:/var/mail:/bin/sh
>> news:x:9:9:news:/var/spool/news:/bin/sh
>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>> proxy:x:13:13:proxy:/bin:/bin/sh
>> www-data:x:33:33:www-data:/var/www:/bin/sh
>> backup:x:34:34:backup:/var/backups:/bin/sh
>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>> syslog:x:101:103::/home/syslog:/bin/false
>> messagebus:x:102:105::/var/run/dbus:/bin/false
>> usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
>> dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
>> avahi-autoipd:x:105:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
>> kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
>> rtkit:x:107:113:RealtimeKit,,,:/proc:/bin/false
>> whoopsie:x:108:114::/nonexistent:/bin/false
>> speech-dispatcher:x:109:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
>> avahi:x:110:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
>> lightdm:x:111:117:Light Display Manager:/var/lib/lightdm:/bin/false
>> pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
>> hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
>> colord:x:114:122:colord colour management daemon,,,:/var/lib/colord:/bin/false
>> saned:x:115:123::/home/saned:/bin/false
>> *royce:x:1000:1000:royce,,,:/home/royce:/bin/bash*
>> libvirt-qemu:x:116:126:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>> libvirt-dnsmasq:x:117:125:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
>> statd:x:118:65534::/var/lib/nfs:/bin/false
>> sshd:x:119:65534::/var/run/sshd:/usr/sbin/nologi
>> --
>> Thanks and best regards!
>>
>> Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
>> IBM Linux Technology Center
>>
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>

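As an added illustration, not code from this thread or from Kimchi itself, the rule Sheldon proposes (keep users whose pw_shell is /bin/bash) sits beside a stricter one that also checks the resolved shell against /etc/shells and the UID range. The passwd entries are taken from the Ubuntu listing above except the alice/zsh entry, which is constructed; the symlink map, the /etc/shells set, the nologin shell list and UID_MIN=1000 are assumptions.

```python
# Shells that exist only to refuse interactive logins (assumed list).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync", "/sbin/halt", "/sbin/shutdown"}

def parse_passwd(text):
    """Parse passwd(5) lines into (name, uid, shell); skip malformed lines."""
    users = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            users.append((fields[0], int(fields[2]), fields[6]))
    return users

def resolve_shell(shell, links):
    """Follow a symlink map such as {'/bin/sh': '/bin/bash'}, stopping on loops."""
    seen = set()
    while shell in links and shell not in seen:
        seen.add(shell)
        shell = links[shell]
    return shell

def bash_shell_users(users, links):
    """Sheldon's rule: users whose pw_shell is /bin/bash; following the Ubuntu
    /bin/sh -> /bin/bash link instead pulls in every system account too."""
    return [n for n, _, s in users if resolve_shell(s, links) == "/bin/bash"]

def login_users(users, valid_shells, links, min_uid=1000):
    """Stricter rule: resolved shell must be in /etc/shells and the account must be
    root or regular (uid >= UID_MIN, assumed 1000); system accounts stay hidden."""
    out = []
    for name, uid, shell in users:
        real = resolve_shell(shell, links)
        if real in NOLOGIN_SHELLS or real not in valid_shells:
            continue
        if uid != 0 and uid < min_uid:
            continue
        out.append(name)
    return out

# Constructed sample: entries from the Ubuntu listing plus an assumed zsh user.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
royce:x:1000:1000:royce,,,:/home/royce:/bin/bash
alice:x:1001:1001::/home/alice:/bin/zsh
sshd:x:119:65534::/var/run/sshd:/usr/sbin/nologin"""
UBUNTU_LINKS = {"/bin/sh": "/bin/bash"}               # as Sheldon observed
VALID_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}   # constructed /etc/shells
```

On a real host the tuples would come from pwd.getpwall() and the valid set from /etc/shells; the literal bash rule misses a regular user with another shell (alice), while the stricter rule keeps root and regular accounts only.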
