Adduser consistency

README.md

@@ -53,6 +53,7 @@ We deprecated `sysctl` version before `0.6.0`. Future versions of this cookbook
 * `['env']['extra_user_paths'] = []`
   add additional paths to the user's `PATH` variable (default is empty).
 * `['env']['umask'] = "027"`
+  initial umask for processes (can also determine home directory mode for newly created users)
 * `['env']['root_path'] = "/"`
   where root is mounted
 * `['auth']['pw_max_age'] = 60`
@@ -71,6 +72,24 @@ We deprecated `sysctl` version before `0.6.0`. Future versions of this cookbook
   true if you want to use strong password checking in PAM using passwdqc
 * `['auth']['pam']['passwdqc']['options'] = "min=disabled,disabled,16,12,8"`
   set to any option line (as a string) that you want to pass to passwdqc
+* `['auth']['root_ttys'] = ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6']`
+  list of terminal devices where root login is allowed
+* `['auth']['uid_min'] = 1000`
+  minimum uid value for newly-created non-system user
+* `['auth']['gid_min'] = 1000`
+  minimum gid value for newly-created non-system user
+* `['adduser']['conf'] = "/etc/adduser.conf"`
+  path of configuration file for `adduser` command (will not be created or updated if it does not exist) 
+* `['useradd']['conf'] = "/etc/default/useradd"`
+  path of defaults file for `useradd` command
+* `['useradd']['usergroups'] = 'yes'`
+  'yes' if each user should have a private group of the same name, 'no' otherwise
+* `['useradd']['users_gid'] = 100`
+  gid of default group for newly created users (only used if 'usergroups' is 'no')
+* `['useradd']['dhome'] = "/home"`
+  default directory location for home directories of newly created users
+* `['useradd']['skel'] = "/etc/skel"`
+  template directory for home directories of newly created users
 * `['security']['users']['allow'] = []`
   list of things, that a user is allowed to do. May contain: `change_user`
 * `['security']['kernel']['enable_module_loading'] = true`

attributes/default.rb

@@ -64,6 +64,12 @@
 default['auth']['root_ttys']                          = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
 default['auth']['uid_min']                             = 1000
 default['auth']['gid_min']                             = 1000
+default['adduser']['conf']                             = '/etc/adduser.conf'
+default['useradd']['conf']                             = '/etc/default/useradd'
+default['useradd']['usergroups']                       = 'yes' # per-user gids
+default['useradd']['users_gid']                        = 100 # if above is 'no'
+default['useradd']['dhome']                            = '/home'
+default['useradd']['skel']                             = '/etc/skel'
 # may contain: change_user
 default['security']['users']['allow']                  = []
 default['security']['kernel']['enable_module_loading'] = true

recipes/adduser.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+#
+# Cookbook Name: os-hardening
+# Recipe: adduser.rb
+#
+# Copyright 2015, Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+template node['adduser']['conf'] do
+  only_if { File.exist?(node['adduser']['conf']) }
+  source 'adduser.conf.erb'
+  mode '0444'
+  owner 'root'
+  group 'root'
+  variables(
+    dhome: node['useradd']['dhome'],
+    skel: node['useradd']['skel'],
+    usergroups: node['useradd']['usergroups'],
+    users_gid: node['useradd']['users_gid'],
+    dir_mode: '0' + (0777 & ~(node['env']['umask'].to_i(8))).to_s(8),
+    gid_min: node['auth']['gid_min'],
+    uid_min: node['auth']['uid_min']
+  )
+end

recipes/default.rb

@@ -22,6 +22,8 @@
 include_recipe('os-hardening::packages')
 include_recipe('os-hardening::limits')
 include_recipe('os-hardening::login_defs')
+include_recipe('os-hardening::adduser')
+include_recipe('os-hardening::useradd')
 include_recipe('os-hardening::minimize_access')
 include_recipe('os-hardening::pam')
 include_recipe('os-hardening::profile')

recipes/login_defs.rb

@@ -32,6 +32,7 @@
     login_timeout: node['auth']['timeout'],
     chfn_restrict: '', # "rwh"
     allow_login_without_home: node['auth']['allow_homeless'],
+    usergroups: node['useradd']['usergroups'],
     uid_min: node['auth']['uid_min'],
     gid_min: node['auth']['gid_min']
   )

recipes/useradd.rb

@@ -0,0 +1,31 @@
+# encoding: utf-8
+#
+# Cookbook Name: os-hardening
+# Recipe: useradd.rb
+#
+# Copyright 2015, Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+template node['useradd']['conf'] do
+  source 'default_useradd.erb'
+  mode '0444'
+  owner 'root'
+  group 'root'
+  variables(
+    users_gid: node['useradd']['users_gid'],
+    dhome: node['useradd']['dhome'],
+    skel: node['useradd']['skel']
+  )
+end

spec/recipes/adduser_spec.rb

@@ -0,0 +1,57 @@
+# encoding: UTF-8
+#
+# Copyright 2015, Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative '../spec_helper'
+
+describe 'os-hardening::adduser' do
+
+  conffile = '/etc/adduser.conf'
+
+  let(:chef_run) do
+    ChefSpec::ServerRunner.new do |node|
+      node.set['env']['umask'] = '067'
+      node.set['auth']['uid_min'] = 5000
+      node.set['auth']['gid_min'] = 3000
+      node.set['useradd']['usergroups'] = 'no'
+      node.set['useradd']['users_gid'] = '42'
+      node.set['useradd']['skel'] = '/etc/.skel'
+      node.set['useradd']['dhome'] = '/user/dirs'
+    end.converge(described_recipe)
+  end
+
+  it 'creates ' + conffile do
+    expect(chef_run).to create_template(conffile).
+      with(mode: '0444').
+      with(owner: 'root').
+      with(group: 'root')
+  end
+
+  it 'uses uid_min, gid_min, usergroups and umask in ' + conffile do
+    expect(chef_run).to render_file(conffile).
+      with_content(/^FIRST_UID=5000$/).
+      with_content(/^FIRST_GID=3000$/).
+      with_content(/^USERGROUPS=no$/).
+      with_content(/^DIR_MODE=0710$/)
+  end
+
+  it 'uses users_gid, skel, and dhome in ' + conffile do
+    expect(chef_run).to render_file(conffile).
+      with_content(/^USERS_GID=42$/).
+      with_content(%r{^SKEL=/etc/\.skel$}).
+      with_content(%r{^DHOME=/user/dirs$})
+  end
+end

spec/recipes/useradd_spec.rb

@@ -0,0 +1,45 @@
+# encoding: UTF-8
+#
+# Copyright 2015, Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative '../spec_helper'
+
+describe 'os-hardening::useradd' do
+
+  conffile = '/etc/default/useradd'
+
+  let(:chef_run) do
+    ChefSpec::ServerRunner.new do |node|
+      node.set['useradd']['users_gid'] = '47'
+      node.set['useradd']['skel'] = '/etc/.skel'
+      node.set['useradd']['dhome'] = '/home/dirs'
+    end.converge(described_recipe)
+  end
+
+  it 'creates ' + conffile do
+    expect(chef_run).to create_template(conffile).
+      with(mode: '0444').
+      with(owner: 'root').
+      with(group: 'root')
+  end
+
+  it 'uses users_gid, skel, and dhome in ' + conffile do
+    expect(chef_run).to render_file(conffile).
+      with_content(/^GROUP=47$/).
+      with_content(%r{^SKEL=/etc/\.skel$}).
+      with_content(%r{^HOME=/home/dirs$})
+  end
+end

templates/default/adduser.conf.erb

@@ -0,0 +1,90 @@
+<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
+# <%= l %>
+<% end %>
+#---
+
+# /etc/adduser.conf: `adduser' configuration.
+# See adduser(8) and adduser.conf(5) for full documentation.
+
+# The DSHELL variable specifies the default login shell on your
+# system.
+DSHELL=/bin/bash
+
+# The DHOME variable specifies the directory containing users' home
+# directories.
+DHOME=<%= @dhome %>
+
+# If GROUPHOMES is "yes", then the home directories will be created as
+# /home/groupname/user.
+GROUPHOMES=no
+
+# If LETTERHOMES is "yes", then the created home directories will have
+# an extra directory - the first letter of the user name. For example:
+# /home/u/user.
+LETTERHOMES=no
+
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+SKEL=<%= @skel %>
+
+# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
+# for dynamically allocated administrative and system accounts/groups.
+# Please note that system software, such as the users allocated by the base-passwd
+# package, may assume that UIDs less than 100 are unallocated.
+FIRST_SYSTEM_UID=100
+LAST_SYSTEM_UID=999
+
+FIRST_SYSTEM_GID=100
+LAST_SYSTEM_GID=999
+
+# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
+# allocated user accounts/groups.
+FIRST_UID=<%= @uid_min.to_s %>
+LAST_UID=29999
+
+FIRST_GID=<%= @gid_min.to_s %>
+LAST_GID=29999
+
+# The USERGROUPS variable can be either "yes" or "no".  If "yes" each
+# created user will be given their own group to use as a default.  If
+# "no", each created user will be placed in the group whose gid is
+# USERS_GID (see below).
+USERGROUPS=<%= @usergroups %>
+
+# If USERGROUPS is "no", then USERS_GID should be the GID of the group
+# `users' (or the equivalent group) on your system.
+USERS_GID=<%= @users_gid %>
+
+# If DIR_MODE is set, directories will be created with the specified
+# mode. Otherwise the default mode 0755 will be used.
+DIR_MODE=<%= @dir_mode %>
+
+# If SETGID_HOME is "yes" home directories for users with their own
+# group the setgid bit will be set. This was the default for
+# versions << 3.13 of adduser. Because it has some bad side effects we
+# no longer do this per default. If you want it nevertheless you can
+# still set it here.
+SETGID_HOME=no
+
+# If QUOTAUSER is set, a default quota will be set from that user with
+# `edquota -p QUOTAUSER newuser'
+QUOTAUSER=""
+
+# If SKEL_IGNORE_REGEX is set, adduser will ignore files matching this
+# regular expression when creating a new home directory
+SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
+
+# Set this if you want the --add_extra_groups option to adduser to add
+# new users to other groups.
+# This is the list of groups that new non-system users will be added to
+# Default:
+#EXTRA_GROUPS="dialout cdrom floppy audio video plugdev users"
+
+# If ADD_EXTRA_GROUPS is set to something non-zero, the EXTRA_GROUPS
+# option above will be default behavior for adding new, non-system users
+#ADD_EXTRA_GROUPS=1
+
+
+# check user and group names also against this regular expression.
+#NAME_REGEX="^[a-z][-a-z0-9_]*\$"

templates/default/default_useradd.erb

@@ -0,0 +1,41 @@
+<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
+# <%= l %>
+<% end %>
+#---
+
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DSHELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+GROUP=<%= @users_gid %>
+#
+# The default home directory. Same as DHOME for adduser
+HOME=<%= @dhome %>
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+SKEL=<%= @skel %>
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes

templates/default/login.defs.erb

@@ -93,7 +93,7 @@ UMASK   <%= @umask %>
 
 # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
 # If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB <%= @usergroups %>
 
 
 # Password aging controls