From 725f6245c1a45973731eb853e9e1b0d388295f92 Mon Sep 17 00:00:00 2001 From: Kam Nasim Date: Fri, 12 Aug 2016 17:40:31 -0400 Subject: [PATCH] US84147: Security: NON-OPENSTACK Processes: External services must run as non-root Add new snmpd and fm users/groups so that those services may be run as non-root. --- group | 2 ++ passwd | 2 ++ uidgid | 3 +++ 3 files changed, 7 insertions(+) diff --git a/group b/group index 87a03c1..8794dde 100644 --- a/group +++ b/group @@ -23,6 +23,8 @@ neutron:x:164:neutron cinder:x:165:cinder ceilometer:x:166:ceilometer sysinv:x:168:sysinv +snmpd:x:169:snmpd heat:x:187:heat nfv:x:172:nfv +fm:x:195:fm libvirt:x:991:nova diff --git a/passwd b/passwd index 46a3d52..2fb16ee 100644 --- a/passwd +++ b/passwd @@ -14,3 +14,5 @@ heat:x:992:187::/home/heat:/bin/sh ceilometer:x:991:166::/home/ceilometer:/bin/sh nfv:x:172:172:nfvi:/var/lib/nfv:/sbin/nologin postgres:x:120:120:PostgreSQL Server:/var/lib/pgsql:/bin/sh +snmpd:x:169:169:net-snmp:/usr/share/snmp:/sbin/nologin +fm:x:195:195:fm-mgr:/var/lib/fm:/sbin/nologin diff --git a/uidgid b/uidgid index c6bbd4b..f779665 100644 --- a/uidgid +++ b/uidgid @@ -134,6 +134,8 @@ quantum 164 164 /var/lib/quantum /sbin/nologin openstack-quantum cinder 165 165 /var/lib/cinder /sbin/nologin openstack-cinder ceilometer 166 166 /var/lib/ceilometer /sbin/nologin openstack-ceilometer ceph 167 167 /var/lib/ceph /sbin/nologin ceph-common +sysinv 168 168 /var/lib/sysinv /sbin/nologin sysinv +snmpd 169 169 /usr/share/snmp /sbin/nologin net-snmp avahi-autoipd 170 170 /var/lib/avahi-autoipd /sbin/nologin avahi pulse 171 171 /var/run/pulse /sbin/nologin pulseaudio rtkit 172 172 /proc /sbin/nologin rtkit @@ -163,6 +165,7 @@ systemd-network 192 192 / /sbin/nologin systemd systemd-resolve 193 193 / /sbin/nologin systemd gnats ? ? ? ? gnats, gnats-db listar ? ? ? ? listar +fm 195 195 /var/lib/fm /sbin/nologin fm-mgr nfsnobody 65534 65534 /var/lib/nfs /sbin/nologin nfs-utils # Note: nfsnobody is 4294967294 on 64-bit platforms (-2) -- 1.8.3.1