[Kimchi-devel] Authorization: allow root user specify users/groups to a VM

Aline Manera alinefm at linux.vnet.ibm.com
Tue Jul 8 17:15:08 UTC 2014



On 07/08/2014 12:26 PM, Aline Manera wrote:
>
> Maybe we can filter users by the UID > 999
>
> User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero)
> is reserved for root and UIDs 1-99 are reserved for other predefined
> accounts. Further UID 100-999 are reserved by system for administrative
> and system accounts/groups.

Seems it is not true for all distributions:
http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/uidrange.html

The spec only mentions UIDs up to 500.

So adding a filter to users/groups is not a good idea.

>
> But I could not find any criteria we can use for groups
>
> Reference:
> http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/
> http://www.cyberciti.biz/faq/understanding-etcgroup-file/
>
>
> On 07/08/2014 07:09 AM, Yu Xin Huo wrote:
>> I tried below:
>>
>>
>>
>> On my Linux workstation, I only created 2 users: 'root' and 'tify'.
>>
>> Most of the users and groups below look like system users and groups
>> targeted for quite specific purposes.
>> Can we do some filtering to only get users and groups that are truly
>> related to VM assignment?
>>
>> curl -k -u root:pass -H "Content-Type: application/json" \
>>   -H "Accept: application/json" https://localhost:8001/host/users
>> [
>>    "root",
>>    "bin",
>>    "daemon",
>>    "adm",
>>    "lp",
>>    "sync",
>>    "shutdown",
>>    "halt",
>>    "mail",
>>    "uucp",
>>    "operator",
>>    "games",
>>    "gopher",
>>    "ftp",
>>    "nobody",
>>    "dbus",
>>    "usbmuxd",
>>    "rpc",
>>    "vcsa",
>>    "rtkit",
>>    "avahi-autoipd",
>>    "saslauth",
>>    "postfix",
>>    "rpcuser",
>>    "nfsnobody",
>>    "ntp",
>>    "apache",
>>    "radvd",
>>    "haldaemon",
>>    "qemu",
>>    "pulse",
>>    "gsanslcd",
>>    "nm-openconnect",
>>    "gdm",
>>    "sshd",
>>    "tcpdump",
>>    "tify",
>>    "nginx"
>> ]
>>
>> curl -k -u root:pass -H "Content-Type: application/json" \
>>   -H "Accept: application/json" https://localhost:8001/host/groups
>> [
>>    "root",
>>    "bin",
>>    "daemon",
>>    "sys",
>>    "adm",
>>    "tty",
>>    "disk",
>>    "lp",
>>    "mem",
>>    "kmem",
>>    "wheel",
>>    "mail",
>>    "uucp",
>>    "man",
>>    "games",
>>    "gopher",
>>    "video",
>>    "dip",
>>    "ftp",
>>    "lock",
>>    "audio",
>>    "nobody",
>>    "users",
>>    "dbus",
>>    "utmp",
>>    "utempter",
>>    "usbmuxd",
>>    "rpc",
>>    "avdefs",
>>    "floppy",
>>    "vcsa",
>>    "desktop_admin_r",
>>    "desktop_user_r",
>>    "rtkit",
>>    "avahi-autoipd",
>>    "cdrom",
>>    "tape",
>>    "dialout",
>>    "wbpriv",
>>    "cgred",
>>    "saslauth",
>>    "postdrop",
>>    "postfix",
>>    "rpcuser",
>>    "nfsnobody",
>>    "ntp",
>>    "apache",
>>    "radvd",
>>    "haldaemon",
>>    "kvm",
>>    "qemu",
>>    "pulse",
>>    "pulse-access",
>>    "fuse",
>>    "ldap",
>>    "nm-openconnect",
>>    "gdm",
>>    "stapusr",
>>    "stapsys",
>>    "stapdev",
>>    "sshd",
>>    "tcpdump",
>>    "slocate",
>>    "tify",
>>    "screen",
>>    "nginx"
>> ]
>
>
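
Added example, not part of the original message or of Kimchi's code: it compares the hard-coded `UID > 999` filter discussed above with limits read from an `/etc/login.defs`-style file, using the 500 boundary mentioned in the reply. The passwd and login.defs contents are constructed samples (account names come from the thread, the UIDs are assumed), and the function names are hypothetical.

```python
# Added example. Both sample files are constructed; account names come from
# the thread, the UIDs are assumed for illustration.
LOGIN_DEFS_OLD = "# older RHEL-style defaults\nUID_MIN 500\nUID_MAX 60000\n"
LOGIN_DEFS_NEW = "UID_MIN 1000   # common on newer distributions\nUID_MAX 60000\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
qemu:x:107:107:qemu user:/:/sbin/nologin
nginx:x:496:493:nginx:/var/lib/nginx:/sbin/nologin
tify:x:500:500::/home/tify:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""

def parse_login_defs(text):
    """Return UID_MIN/UID_MAX from login.defs text (fallback values assumed)."""
    limits = {"UID_MIN": 1000, "UID_MAX": 60000}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in limits and parts[1].isdigit():
            limits[parts[0]] = int(parts[1])
    return limits

def parse_passwd(text):
    """Yield (name, uid) for each well-formed seven-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2])

def hardcoded_filter(passwd_text, threshold=999):
    """The 'UID > 999' rule proposed in the thread."""
    return [name for name, uid in parse_passwd(passwd_text) if uid > threshold]

def login_defs_filter(passwd_text, login_defs_text):
    """Keep accounts whose UID lies in the host's own regular-user range."""
    lim = parse_login_defs(login_defs_text)
    return [name for name, uid in parse_passwd(passwd_text)
            if lim["UID_MIN"] <= uid <= lim["UID_MAX"]]

if __name__ == "__main__":
    print(hardcoded_filter(PASSWD))
    print(login_defs_filter(PASSWD, LOGIN_DEFS_OLD))
    print(login_defs_filter(PASSWD, LOGIN_DEFS_NEW))
```

On the 500-based host the hard-coded rule hides `tify` and exposes `nfsnobody`, while reading the host's own limits does the opposite; the same passwd file on a 1000-based host yields no regular users at all.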



