make UID_MIN and GID_MIN in login.defs configurable via attributes

dev-sec · Nov 28, 2014 · 17b7dd8 · 17b7dd8
1 parent 00bd5c5
commit 17b7dd8
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -62,6 +62,8 @@
 default['auth']['pam']['passwdqc']['enable']            = true
 default['auth']['pam']['passwdqc']['options']           = 'min=disabled,disabled,16,12,8'
 default['auth']['root_ttys']                          = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
+default['auth']['uid_min']                             = 1000
+default['auth']['gid_min']                             = 1000
 # may contain: change_user
 default['security']['users']['allow']                  = []
 default['security']['kernel']['enable_module_loading'] = true

diff --git a/recipes/login_defs.rb b/recipes/login_defs.rb
@@ -31,6 +31,8 @@
     login_retries: node['auth']['retries'],
     login_timeout: node['auth']['timeout'],
     chfn_restrict: '', # "rwh"
-    allow_login_without_home: node['auth']['allow_homeless']
+    allow_login_without_home: node['auth']['allow_homeless'],
+    uid_min: node['auth']['uid_min'],
+    gid_min: node['auth']['gid_min']
   )
 end
diff --git a/spec/recipes/login_defs_spec.rb b/spec/recipes/login_defs_spec.rb
@@ -20,7 +20,10 @@
 describe 'os-hardening::login_defs' do
 
   let(:chef_run) do
-    ChefSpec::ServerRunner.new.converge(described_recipe)
+    ChefSpec::ServerRunner.new do |node|
+      node.set['auth']['uid_min'] = 5000
+      node.set['auth']['gid_min'] = 5000
+    end.converge(described_recipe)
   end
 
   it 'creates /etc/login.defs' do
@@ -29,4 +32,10 @@
       .with(owner: 'root')
       .with(group: 'root')
   end
+
+  it 'uses uid_min and gid_min in /etc/login.defs' do
+    expect(chef_run).to render_file('/etc/login.defs')
+      .with_content(/^UID_MIN\s+5000$/)
+      .with_content(/^GID_MIN\s+5000$/)
+  end
 end
diff --git a/templates/default/login.defs.erb b/templates/default/login.defs.erb
@@ -109,14 +109,14 @@ PASS_MIN_DAYS <%= @password_min_age.to_s %>
 PASS_WARN_AGE	7
 
 # Min/max values for automatic uid selection in useradd
-UID_MIN			 1000
+UID_MIN			 <%= @uid_min.to_s %>
 UID_MAX			60000
 # System accounts
 #SYS_UID_MIN		  100
 #SYS_UID_MAX		  999
 
 # Min/max values for automatic gid selection in groupadd
-GID_MIN			 1000
+GID_MIN			 <%= @gid_min.to_s %>
 GID_MAX			60000
 # System accounts
 #SYS_GID_MIN		  100