gravitational · atburke · Dec 6, 2023 · Dec 5, 2023
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2532,6 +2532,9 @@ enum CreateHostUserMode {
   HOST_USER_MODE_DROP = 2;
   // HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end.
   HOST_USER_MODE_KEEP = 3;
+  // HOST_USER_MODE_INSECURE enables host user creation without a home directory and deletes
+  // users at session end.
+  HOST_USER_MODE_INSECURE_DROP = 4;
 }
 
 // CreateDatabaseUserMode determines whether database user creation should be

diff --git a/api/types/role.go b/api/types/role.go
@@ -1814,9 +1814,10 @@ var LabelMatcherKinds = []string{
 }
 
 const (
-	createHostUserModeOffString  = "off"
-	createHostUserModeDropString = "drop"
-	createHostUserModeKeepString = "keep"
+	createHostUserModeOffString          = "off"
+	createHostUserModeDropString         = "drop"
+	createHostUserModeKeepString         = "keep"
+	createHostUserModeInsecureDropString = "insecure-drop"
 )
 
 func (h CreateHostUserMode) encode() (string, error) {
@@ -1829,6 +1830,8 @@ func (h CreateHostUserMode) encode() (string, error) {
 		return createHostUserModeDropString, nil
 	case CreateHostUserMode_HOST_USER_MODE_KEEP:
 		return createHostUserModeKeepString, nil
+	case CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP:
+		return createHostUserModeInsecureDropString, nil
 	}
 	return "", trace.BadParameter("invalid host user mode %v", h)
 }
@@ -1866,6 +1869,8 @@ func (h *CreateHostUserMode) decode(val any) error {
 		*h = CreateHostUserMode_HOST_USER_MODE_DROP
 	case createHostUserModeKeepString:
 		*h = CreateHostUserMode_HOST_USER_MODE_KEEP
+	case createHostUserModeInsecureDropString:
+		*h = CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP
 	default:
 		return trace.BadParameter("invalid host user mode %v", val)
 	}

diff --git a/api/types/role_test.go b/api/types/role_test.go
@@ -374,6 +374,7 @@ func TestMarshallCreateHostUserModeJSON(t *testing.T) {
 		{input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: ""},
 		{input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"},
 		{input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"},
+		{input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"},
 	} {
 		got, err := json.Marshal(&tc.input)
 		require.NoError(t, err)
@@ -390,6 +391,7 @@ func TestMarshallCreateHostUserModeYAML(t *testing.T) {
 		{input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: "\"\""},
 		{input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"},
 		{input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"},
+		{input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"},
 	} {
 		got, err := yaml.Marshal(&tc.input)
 		require.NoError(t, err)
@@ -408,6 +410,7 @@ func TestUnmarshallCreateHostUserModeJSON(t *testing.T) {
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "\"keep\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: 3},
 		{expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: 1},
+		{expected: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, input: 4},
 	} {
 		var got CreateHostUserMode
 		err := json.Unmarshal([]byte(fmt.Sprintf("%v", tc.input)), &got)
@@ -426,6 +429,7 @@ func TestUnmarshallCreateHostUserModeYAML(t *testing.T) {
 		{expected: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, input: "\"\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_DROP, input: "drop"},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "keep"},
+		{expected: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, input: "insecure-drop"},
 	} {
 		var got CreateHostUserMode
 		err := yaml.Unmarshal([]byte(tc.input), &got)

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/integration/hostuser_test.go b/integration/hostuser_test.go
@@ -214,6 +214,29 @@ func TestRootHostUsers(t *testing.T) {
 		u, err := user.Lookup(testuser)
 		require.NoError(t, err)
 		requireUserInGroups(t, u, testGroups)
+		require.NotEmpty(t, u.HomeDir)
+		require.DirExists(t, u.HomeDir)
+
+		require.NoError(t, closer.Close())
+		_, err = user.Lookup(testuser)
+		require.Equal(t, err, user.UnknownUserError(testuser))
+		require.NoDirExists(t, u.HomeDir)
+	})
+
+	t.Run("test create temporary user without home dir", func(t *testing.T) {
+		users := srv.NewHostUsers(context.Background(), presence, "host_uuid")
+
+		testGroups := []string{"group1", "group2"}
+		closer, err := users.CreateUser(testuser, &services.HostUsersInfo{Groups: testGroups, Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP})
+		require.NoError(t, err)
+
+		testGroups = append(testGroups, types.TeleportServiceGroup)
+		t.Cleanup(cleanupUsersAndGroups([]string{testuser}, testGroups))
+
+		u, err := user.Lookup(testuser)
+		require.NoError(t, err)
+		requireUserInGroups(t, u, testGroups)
+		require.NoDirExists(t, u.HomeDir)
 
 		require.NoError(t, closer.Close())
 		_, err = user.Lookup(testuser)

diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto
@@ -2451,6 +2451,9 @@ enum CreateHostUserMode {
   HOST_USER_MODE_DROP = 2;
   // HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end.
   HOST_USER_MODE_KEEP = 3;
+  // HOST_USER_MODE_INSECURE enables host user creation without a home directory and deletes
+  // users at session end.
+  HOST_USER_MODE_INSECURE_DROP = 4;
 }
 
 // RoleOptions is a set of role options

diff --git a/lib/services/access_checker.go b/lib/services/access_checker.go
@@ -895,7 +895,8 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
 			mode = createHostUserMode
 		}
 		// prefer to use HostUserModeKeep over Drop if mode has already been set.
-		if mode == types.CreateHostUserMode_HOST_USER_MODE_DROP && createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_KEEP {
+		if (mode == types.CreateHostUserMode_HOST_USER_MODE_DROP || mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP) &&
+			createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_KEEP {
 			mode = types.CreateHostUserMode_HOST_USER_MODE_KEEP
 		}
 

diff --git a/lib/srv/usermgmt.go b/lib/srv/usermgmt.go
@@ -269,7 +269,7 @@ func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo)
 
 	groups := make([]string, len(ui.Groups))
 	copy(groups, ui.Groups)
-	if ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_DROP {
+	if ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_DROP || ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP {
 		groups = append(groups, types.TeleportServiceGroup)
 	}
 	var errs []error
@@ -305,9 +305,10 @@ func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo)
 			return trace.Wrap(err)
 		}
 
-		err = u.backend.CreateHomeDirectory(name, user.Uid, user.Gid)
-		if err != nil {
-			return trace.Wrap(err)
+		if ui.Mode != types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP {
+			if err := u.backend.CreateHomeDirectory(name, user.Uid, user.Gid); err != nil {
+				return trace.Wrap(err)
+			}
 		}
 
 		return nil