On 07/16/2014 05:40 AM, Royce Lv wrote:
As we discussed, checking if a user has a passwd set may be a choice,
but I still prefer to stop wiring up system users and kimchi users.
I have elaborated the reasons in Christian's patch:
1. We want different admins, each responsible just for their own part:
the network admin manages the network, the storage admin manages storage, but
the superuser/unprivileged user split does not have such a fine-grained view.
This is for 1.3, but in future we will add more and more roles.
2. We want multi-level access to one tab:
take guest management as an example: we want
create/destroy--start/stop--access vnc, at least 3 levels of access.
The superuser way cannot reflect multi-level control.
The roles will handle that.
3. Security reason:
System users and virtualization users need to be isolated; even a
privileged virtualization user had better not know system details such
as system users, groups and other information.
The roles will handle that.
On 2014-07-16 15:38, Sheldon wrote:
> Now kimchi uses host system users to log in.
> In Fedora most of the system users are not allowed to log in, so we should
> filter them.
> But in Ubuntu, it seems most system users still can log in, but their
> pw_shell is /bin/sh, which is a softlink to /bin/bash.
>
> Now I'd like to just list the users whose pw_shell is /bin/bash.
> Not sure all distributions can work well this way.
> I have just checked Fedora and Ubuntu; it seems to work.
>
> So can anyone help check if there is any exception on your distribution?
>
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:/sbin/nologin
> daemon:x:2:2:daemon:/sbin:/sbin/nologin
> adm:x:3:4:adm:/var/adm:/sbin/nologin
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
> operator:x:11:0:operator:/root:/sbin/nologin
> games:x:12:100:games:/usr/games:/sbin/nologin
> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
> nobody:x:99:99:Nobody:/:/sbin/nologin
> avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
> dbus:x:81:81:System message bus:/:/sbin/nologin
> polkitd:x:999:999:User for polkitd:/:/sbin/nologin
> abrt:x:173:173::/etc/abrt:/sbin/nologin
> usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
> colord:x:998:998:User for colord:/var/lib/colord:/sbin/nologin
> rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
> geoclue:x:997:996:User for geoclue:/var/lib/geoclue:/sbin/nologin
> chrony:x:996:995::/var/lib/chrony:/sbin/nologin
> tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
> unbound:x:995:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
> openvpn:x:994:993:OpenVPN:/etc/openvpn:/sbin/nologin
> avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
> pulse:x:993:991:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
> gdm:x:42:42::/var/lib/gdm:/sbin/nologin
> gnome-initial-setup:x:992:989::/run/gnome-initial-setup/:/sbin/nologin
> nm-openconnect:x:991:988:NetworkManager user for OpenConnect:/:/sbin/nologin
> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> shhfeng:x:1000:1000:shhfeng:/home/shhfeng:/bin/bash
> qemu:x:107:107:qemu user:/:/sbin/nologin
> rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
> radvd:x:75:75:radvd user:/:/sbin/nologin
> rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
> nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
> saslauth:x:990:76:"Saslauthd user":/run/saslauthd:/sbin/nologin
> guest:x:1001:1001::/home/guest:/bin/bash
> nginx:x:989:984:Nginx web server:/var/lib/nginx:/sbin/nologin
>
>
> But in Ubuntu, it seems most system users still can log in, but their
> pw_shell is /bin/sh, which is a softlink to /bin/bash.
>
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> syslog:x:101:103::/home/syslog:/bin/false
> messagebus:x:102:105::/var/run/dbus:/bin/false
> usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
> dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
> avahi-autoipd:x:105:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
> kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
> rtkit:x:107:113:RealtimeKit,,,:/proc:/bin/false
> whoopsie:x:108:114::/nonexistent:/bin/false
> speech-dispatcher:x:109:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
> avahi:x:110:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
> lightdm:x:111:117:Light Display Manager:/var/lib/lightdm:/bin/false
> pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
> hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
> colord:x:114:122:colord colour management daemon,,,:/var/lib/colord:/bin/false
> saned:x:115:123::/home/saned:/bin/false
> royce:x:1000:1000:royce,,,:/home/royce:/bin/bash
> libvirt-qemu:x:116:126:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
> libvirt-dnsmasq:x:117:125:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
> statd:x:118:65534::/var/lib/nfs:/bin/false
> sshd:x:119:65534::/var/run/sshd:/usr/sbin/nologi
> --
> Thanks and best regards!
>
> Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
> IBM Linux Technology Center
>
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
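One way to implement the pw_shell filter Sheldon proposes, as an added example that is not Kimchi's code: instead of matching /bin/bash alone, it accepts the shells an /etc/shells file would list (minus nologin-style entries) and requires root or a UID in the range login.defs reserves for people, so it keeps a zsh user and still drops Ubuntu's nobody (65534, /bin/sh). The passwd and shells text is constructed from the listings in the thread; the user alice is hypothetical.

```python
from typing import Iterable, List, NamedTuple, Set

# Shells whose only purpose is to refuse a login; never treat them as interactive.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                    "/usr/bin/false", "/bin/sync", "/sbin/halt", "/sbin/shutdown"}


class PwEntry(NamedTuple):
    name: str
    uid: int
    shell: str


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse passwd(5) lines, rejecting anything that is not exactly 7 fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PwEntry(fields[0], int(fields[2]), fields[6]))
    return entries


def interactive_shells(etc_shells: str) -> Set[str]:
    """Shells listed in an /etc/shells body, minus the deny-style ones."""
    listed = {s.strip() for s in etc_shells.splitlines()
              if s.strip() and not s.startswith("#")}
    return listed - NON_LOGIN_SHELLS


def login_users(entries: Iterable[PwEntry], shells: Set[str],
                uid_min: int = 1000, uid_max: int = 60000) -> List[str]:
    """Accounts a person can log in as: root or a human-range UID, plus a real shell.
    The UID ceiling is what keeps out Ubuntu's nobody (65534, /bin/sh),
    which a shell check alone would accept."""
    return [e.name for e in entries
            if (e.uid == 0 or uid_min <= e.uid <= uid_max) and e.shell in shells]


# Constructed sample: lines copied from the Fedora/Ubuntu listings in the thread,
# plus one hypothetical zsh user that a /bin/bash-only filter would drop.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
shhfeng:x:1000:1000:shhfeng:/home/shhfeng:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
alice:x:1002:1002:alice:/home/alice:/bin/zsh
"""
SAMPLE_SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n/bin/zsh\n/usr/sbin/nologin\n"
```

Calling `login_users(parse_passwd(SAMPLE_PASSWD), interactive_shells(SAMPLE_SHELLS))` on the sample yields root, shhfeng, guest and alice; passing `{"/bin/bash"}` as the shell set reproduces the stricter /bin/bash-only listing from the thread.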