From 25554a149c7d20cf1042bb6b5dcdd4b32a91d790 Mon Sep 17 00:00:00 2001
From: Gavin Lewis
Date: Thu, 3 Oct 2024 15:27:29 -0700
Subject: [PATCH 1/2] Don't modify user or group on TiberOS as these files are immutable

---
 .../usr/bin/mqtt-ensure-keys-generated | 59 ++++++++++++++-----
 1 file changed, 44 insertions(+), 15 deletions(-)

diff --git a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
index 8f08638dc..5a59bc454 100755
--- a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
+++ b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
@@ -1,6 +1,14 @@
 #!/bin/bash
 set -euxo pipefail
 
+# Retrieve OS Release ID
+if [ -f /etc/os-release ]; then
+. /etc/os-release
+else
+echo "/etc/os-release not found. Exiting."
+exit 1
+fi
+
 TC_PUBLIC="/etc/intel-manageability/public"
 TC_SECRET="/etc/intel-manageability/secret"
 DAYS_EXPIRY="2555"
@@ -38,7 +46,11 @@ check_no_insecure_user() {
 true
 else
 echo "User $user_to_check already exists and has insecure shell $user_shell. Changing shell to /usr/sbin/nologin."
-chsh -s /usr/sbin/nologin "$user_to_check"
+if [ "$ID" != "tiber" ]; then
+chsh -s /usr/sbin/nologin "$user_to_check"
+else
+echo "Skipping shell change for user $user_to_check on 'tiber' OS."
+fi
 fi
 fi
 }
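Review bot: `ID` is optional in the os-release format (it defaults to "linux" when the key is absent), and because the script runs under `set -u` the `[ "$ID" != "tiber" ]` tests added in the later hunks would abort with an unbound-variable error on a distribution that omits it; add `: "${ID:=linux}"` right after `. /etc/os-release`. Sourcing the whole file also imports every name it defines (NAME, VERSION, PRETTY_NAME, …) into the script's scope, so if only the ID is needed, reading that single key keeps the namespace clean. The not-found message is a diagnostic and belongs on stderr: `echo "/etc/os-release not found. Exiting." >&2`.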
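Review bot: On 'tiber' the new else branch leaves the user with its interactive shell, but the context line just above still prints `Changing shell to /usr/sbin/nologin.` before the skip, so the log claims a change that never happens. Move that sentence into the non-tiber branch and make the skip message say what actually remains, e.g. `echo "WARNING: user $user_to_check keeps insecure shell $user_shell; account files are immutable on 'tiber' OS." >&2`. The function still returns 0 in that case, so a caller cannot tell that the insecure state persists; a distinct return code would make it visible if anything checks it. check_no_insecure_user's head is outside the hunk.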
@@ -46,21 +58,34 @@ check_no_insecure_user() {
 fix_permissions() {
 # Protect directories by group
 for dir in $(find "$TC_SECRET" -mindepth 1 -maxdepth 1 -type d) ; do
-GROUP="$(basename $dir)"
-USER="$GROUP"
-if ! [ "$GROUP" == "lost+found" ] ; then
+GROUP="$(basename "$dir")"
+USER="$GROUP"
+if [ "$GROUP" != "lost+found" ] ; then
 check_no_insecure_user "$USER"
-getent group "$GROUP" || groupadd "$GROUP"
-if id "$USER" >&/dev/null; then
-: user already exists
-else
-useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
-fi
+
+if [ "$ID" != "tiber" ]; then
+# Only add groups and users if not on 'tiber'
+getent group "$GROUP" || groupadd "$GROUP"
+if id "$USER" >&/dev/null; then
+: # user already exists
+else
+useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
+fi
+else
+echo "Skipping group and user creation for $USER on 'tiber' OS."
+fi
+
+# Perform chgrp regardless of OS
 chgrp -R "$GROUP" "$dir"
-# Ensure group does not have write, 'other' does not have read, write, or execute
-chmod -R g-w,o-rwx "$dir"
-# Ensure user has read/write and group has read
-chmod -R u+rw,g+r "$dir"
+
+if [ "$ID" != "tiber" ]; then
+# Ensure group does not have write, 'other' does not have read, write, or execute
+chmod -R g-w,o-rwx "$dir"
+# Ensure user has read/write and group has read
+chmod -R u+rw,g+r "$dir"
+else
+echo "Skipping chmod adjustments on 'tiber' OS for $dir."
+fi
 fi
 done
 
@@ -80,7 +105,11 @@ fix_permissions() {
 find /var/cache/manageability -type d -exec chmod g+s {} \;
 # Make sure new files have correct group ownership
 # Make sure 'docker' group exists for diagnostic agent's .service file
-getent group docker || groupadd docker
+if [ "$ID" != "tiber" ]; then
+getent group docker || groupadd docker
+else
+echo "Skipping 'docker' group creation on 'tiber' OS."
+fi
 }
 
 # Ensure keys are provisioned

From b52d6044657e33f0b9a4eb4aa42993d9289bf845 Mon Sep 17 00:00:00 2001
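Review bot: On 'tiber' the group/user creation is skipped but `chgrp -R "$GROUP" "$dir"` still runs unconditionally, so if the image does not already ship a group named after the directory, chgrp fails and `set -e` exits the script in the middle of the loop with the remaining directories untouched. Either state the precondition in the else branch — `# on 'tiber' the account databases are immutable, so $GROUP/$USER must already be provisioned in the image` — or check it before chgrp: `getent group "$GROUP" >/dev/null || { echo "group $GROUP missing on 'tiber' OS" >&2; exit 1; }`. The same gap applies to the docker hunk at old line 80: creation is skipped without verifying the group exists, even though the comment says the diagnostic agent's .service file depends on it; a `getent group docker >/dev/null || echo "WARNING: 'docker' group missing on 'tiber' OS" >&2` in that else branch would surface it. fix_permissions starts inside this hunk and continues past it.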
From: Gavin Lewis
Date: Thu, 3 Oct 2024 15:30:22 -0700
Subject: [PATCH 2/2] fix

---
 .../template/usr/bin/mqtt-ensure-keys-generated | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
index 5a59bc454..3063eb0de 100755
--- a/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
+++ b/inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
@@ -75,17 +75,12 @@ fix_permissions() {
 echo "Skipping group and user creation for $USER on 'tiber' OS."
 fi
 
-# Perform chgrp regardless of OS
+# Perform chgrp/chmod regardless of OS
 chgrp -R "$GROUP" "$dir"
-
-if [ "$ID" != "tiber" ]; then
-# Ensure group does not have write, 'other' does not have read, write, or execute
-chmod -R g-w,o-rwx "$dir"
-# Ensure user has read/write and group has read
-chmod -R u+rw,g+r "$dir"
-else
-echo "Skipping chmod adjustments on 'tiber' OS for $dir."
-fi
+# Ensure group does not have write, 'other' does not have read, write, or execute
+chmod -R g-w,o-rwx "$dir"
+# Ensure user has read/write and group has read
+chmod -R u+rw,g+r "$dir"
 fi
 done
 
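Review bot: The restored comment `# Perform chgrp/chmod regardless of OS` says what happens but not why ownership and mode changes are allowed on 'tiber' when the user/group changes just above are not, which is exactly the question the surrounding branches raise. If the reason is that these calls touch only `$dir` under `$TC_SECRET` rather than the account databases, say so: `# chgrp/chmod only touch $dir under $TC_SECRET, not the account databases that are immutable on 'tiber', so they run on every OS`. The two `chmod -R` passes can also be a single call, `chmod -R g-w,o-rwx,u+rw,g+r "$dir"`, since comma-separated mode clauses apply left to right in one invocation. fix_permissions starts outside the hunk.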