Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1367304 - ceph-installer UID shell should be /sbin/nologin
Summary: ceph-installer UID shell should be /sbin/nologin
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Ceph-Installer
Version: 3.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: 3.1
Assignee: Gregory Meno
QA Contact: ceph-qe-bugs
URL: http://brewtap.app.eng.bos.redhat.com...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-16 07:33 UTC by Martin Kudlej
Modified: 2018-02-20 12:20 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-20 12:20:57 UTC


Attachments (Terms of Use)

Description Martin Kudlej 2016-08-16 07:33:01 UTC
BrewTap detected the following problem in ceph-installer-1.0.15-1.el7scon:

  UseraddBadShell or UseraddNoUid

See: http://brewtap.app.eng.bos.redhat.com/nvr/ceph-installer/1.0.15/1.el7scon

 •UseraddBadShell
 	Invocation of useradd with unexpected login shell /bin/bash (expected /sbin/nologin)
 	...in ceph-installer.spec:121
   useradd -r -g ceph-installer -d %{_var}/lib/ceph-installer -s /bin/bash -c "system account for ceph-installer REST API" ceph-installer


 •UseraddNoUid
 	Invocation of useradd without specifying a UID; this may be OK, because /usr/share/doc/setup-2.8.14/uidgid defines no UID for ceph-installer
 	...in ceph-installer.spec:121
   useradd -r -g ceph-installer -d %{_var}/lib/ceph-installer -s /bin/bash -c "system account for ceph-installer REST API" ceph-installer

Comment 2 Ken Dreyer (Red Hat) 2016-08-16 13:35:09 UTC
I think the non-fixed-UID thing is fine, and I don't see a value in using a fixed UID for ceph-installer (Fedora packaging policy seems to indicate that a non-fixed UID is fine).

I agree that the most secure option would be to set /sbin/nologin as the shell for the ceph-installer UID.

We can fix this in a future update.


Note You need to log in before you can comment on or make changes to this bug.