Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't modify user or group on TiberOS as these files are immutable #563

Merged
merged 2 commits into from
Oct 4, 2024
Merged

Don't modify user or group on TiberOS as these files are immutable #563

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
25554a1
Don't modify user or group on TiberOS as these files are immutable
gblewis1 Oct 3, 2024
b52d604
fix
gblewis1 Oct 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 35 additions & 11 deletions inbm/fpm/mqtt/template/usr/bin/mqtt-ensure-keys-generated
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,14 @@
#!/bin/bash
set -euxo pipefail

# Retrieve OS Release ID
if [ -f /etc/os-release ]; then
. /etc/os-release
else
echo "/etc/os-release not found. Exiting."
exit 1
fi

TC_PUBLIC="/etc/intel-manageability/public"
TC_SECRET="/etc/intel-manageability/secret"
DAYS_EXPIRY="2555"
Expand Down Expand Up @@ -38,24 +46,36 @@ check_no_insecure_user() {
true
else
echo "User $user_to_check already exists and has insecure shell $user_shell. Changing shell to /usr/sbin/nologin."
chsh -s /usr/sbin/nologin "$user_to_check"
if [ "$ID" != "tiber" ]; then
chsh -s /usr/sbin/nologin "$user_to_check"
else
echo "Skipping shell change for user $user_to_check on 'tiber' OS."
fi
fi
fi
}

fix_permissions() {
# Protect directories by group
for dir in $(find "$TC_SECRET" -mindepth 1 -maxdepth 1 -type d) ; do
GROUP="$(basename $dir)"
USER="$GROUP"
if ! [ "$GROUP" == "lost+found" ] ; then
GROUP="$(basename "$dir")"
USER="$GROUP"
if [ "$GROUP" != "lost+found" ] ; then
check_no_insecure_user "$USER"
getent group "$GROUP" || groupadd "$GROUP"
if id "$USER" >&/dev/null; then
: user already exists
else
useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
fi

if [ "$ID" != "tiber" ]; then
# Only add groups and users if not on 'tiber'
getent group "$GROUP" || groupadd "$GROUP"
if id "$USER" >&/dev/null; then
: # user already exists
else
useradd -g "$GROUP" -s /usr/sbin/nologin "$USER" # user does not exist
fi
else
echo "Skipping group and user creation for $USER on 'tiber' OS."
fi

# Perform chgrp/chmod regardless of OS
chgrp -R "$GROUP" "$dir"
# Ensure group does not have write, 'other' does not have read, write, or execute
chmod -R g-w,o-rwx "$dir"
Expand All @@ -80,7 +100,11 @@ fix_permissions() {
find /var/cache/manageability -type d -exec chmod g+s {} \; # Make sure new files have correct group ownership

# Make sure 'docker' group exists for diagnostic agent's .service file
getent group docker || groupadd docker
if [ "$ID" != "tiber" ]; then
getent group docker || groupadd docker
else
echo "Skipping 'docker' group creation on 'tiber' OS."
fi
}

# Ensure keys are provisioned
Expand Down