Enhance security options for user creation

Bug #1763081 reported by Joseph Davis on 2018-04-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

We have observed that the rpm-packaging macro %openstack_pre_user_group_create is a convenient wrapper around useradd for creating users. And having the default shell specified as /sbin/nologin is good. But our security guru has noted that there is further hardening we could do with these service user accounts.

Some service users do not need a home directory created, and could have '/nonexistent' specified as the home directory. There is currently no option for that, and all users have a home created in %{sharedstatedir}/username for fedora or %{_localstatedir}/lib/username for suse whether it is used or not.

I have also observed that the user home created by useradd defaults to 755 permissions. For hardening purposes it should default to 750, or have an option to specify further restrictions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers