From cd48373140cdb5482e75ddfded4a0af77cf61342 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Thu, 7 Dec 2023 13:03:08 -0800 Subject: [PATCH] Remove drop host user creation mode This change removes the drop host user creation mode. --- CHANGELOG.md | 7 ++ api/proto/teleport/legacy/types/types.proto | 6 +- api/types/role.go | 5 -- api/types/role_test.go | 4 -- api/types/types.pb.go | 69 +++++++++---------- integration/hostuser_test.go | 30 +------- .../resources/role_controller_test.go | 4 +- lib/services/access_checker.go | 6 +- lib/services/role_test.go | 12 ++-- lib/srv/usermgmt.go | 2 +- lib/srv/usermgmt_test.go | 8 +-- 11 files changed, 62 insertions(+), 91 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dba4c49f2007c..d68e5307abc67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,13 @@ rely on parsing the output from multiple nodes should pass the `--log-dir` flag to `tsh ssh`, which will create a directory where the separated output of each node will be written. +#### `drop` host user creation mode + +The `drop` host user creation mode has been removed in Teleport 15. It is replaced +by `insecure-drop`, which still creates temporary users but does not create a +home directory. Users who need home directory creation should either wrap `useradd`/`userdel` +or use PAM. + ## 14.0.0 (09/20/23) Teleport 14 brings the following new major features and improvements: diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto index 17b70c3281876..0ea7cb71671e8 100644 --- a/api/proto/teleport/legacy/types/types.proto +++ b/api/proto/teleport/legacy/types/types.proto 
@@ -2531,11 +2531,11 @@ enum CreateHostUserMode {
 HOST_USER_MODE_UNSPECIFIED = 0;
 // HOST_USER_MODE_OFF disables host user creation.
 HOST_USER_MODE_OFF = 1;
- // HOST_USER_MODE_DROP enables host user creation and deletes users at session end.
- HOST_USER_MODE_DROP = 2;
+ reserved 2; // HOST_USER_MODE_DROP replaced by HOST_USER_MODE_INSECURE_DROP.
+ reserved "HOST_USER_MODE_DROP";
 // HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end.
 HOST_USER_MODE_KEEP = 3;
- // HOST_USER_MODE_INSECURE enables host user creation without a home directory and deletes
+ // HOST_USER_MODE_INSECURE_DROP enables host user creation without a home directory and deletes
 // users at session end.
 HOST_USER_MODE_INSECURE_DROP = 4;
 }
diff --git a/api/types/role.go b/api/types/role.go
index c4b8e94f77a47..98cd4843a1515 100644
--- a/api/types/role.go
+++ b/api/types/role.go
@@ -1815,7 +1815,6 @@ var LabelMatcherKinds = []string{
 const (
 createHostUserModeOffString = "off"
- createHostUserModeDropString = "drop"
 createHostUserModeKeepString = "keep"
 createHostUserModeInsecureDropString = "insecure-drop"
 )
@@ -1826,8 +1825,6 @@ func (h CreateHostUserMode) encode() (string, error) {
 return "", nil
 case CreateHostUserMode_HOST_USER_MODE_OFF:
 return createHostUserModeOffString, nil
- case CreateHostUserMode_HOST_USER_MODE_DROP:
- return createHostUserModeDropString, nil
 case CreateHostUserMode_HOST_USER_MODE_KEEP:
 return createHostUserModeKeepString, nil
 case CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP:
@@ -1865,8 +1862,6 @@ func (h *CreateHostUserMode) decode(val any) error {
 *h = CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED
 case createHostUserModeOffString:
 *h = CreateHostUserMode_HOST_USER_MODE_OFF
- case createHostUserModeDropString:
- *h = CreateHostUserMode_HOST_USER_MODE_DROP
 case createHostUserModeKeepString:
 *h = CreateHostUserMode_HOST_USER_MODE_KEEP
 case createHostUserModeInsecureDropString:
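Review bot: Removing the `createHostUserModeDropString` case from `decode` means a role already stored with `create_host_user_mode: drop` (a value Teleport 14 accepted and wrote) now falls through to the switch's default branch, which lies outside this hunk; if that branch returns an error those roles fail to load after the upgrade, and if it leaves `*h` unspecified the role silently inherits the unspecified-mode default. Either outcome should be deliberate rather than incidental: since the CHANGELOG describes `drop` as replaced by `insecure-drop`, consider keeping the legacy string as a one-way alias, `case createHostUserModeDropString: // legacy value written by Teleport <= 14` followed by `*h = CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP`, or rejecting it with an error that names the replacement. The same question applies to the numeric value 2 that `reserved 2` retires in the proto, which existing resources may carry. The `decode` function starts and ends outside the hunk.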
diff --git a/api/types/role_test.go b/api/types/role_test.go index af5c74aa9e612..f587cfbdcf5e9 100644 --- a/api/types/role_test.go +++ b/api/types/role_test.go @@ -372,7 +372,6 @@ func TestMarshallCreateHostUserModeJSON(t *testing.T) { }{ {input: CreateHostUserMode_HOST_USER_MODE_OFF, expected: "off"}, {input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: ""}, - {input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"}, {input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"}, {input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"}, } { @@ -389,7 +388,6 @@ func TestMarshallCreateHostUserModeYAML(t *testing.T) { }{ {input: CreateHostUserMode_HOST_USER_MODE_OFF, expected: "\"off\""}, {input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: "\"\""}, - {input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"}, {input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"}, {input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"}, } { @@ -406,7 +404,6 @@ func TestUnmarshallCreateHostUserModeJSON(t *testing.T) { }{ {expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: "\"off\""}, {expected: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, input: "\"\""}, - {expected: CreateHostUserMode_HOST_USER_MODE_DROP, input: "\"drop\""}, {expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "\"keep\""}, {expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: 3}, {expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: 1}, 
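Review bot: TestUnmarshallCreateHostUserModeJSON still exercises integer inputs (`3`, `1`) but this hunk only deletes the `drop` row, so nothing pins what the retired value `2`, or the string `"drop"` that earlier releases stored in roles, decodes to after this change. Add rows for both, e.g. `{expected: <mode decode now yields>, input: 2}` and `{expected: <mode decode now yields>, input: "\"drop\""}`, or, if the intended behaviour is an error, a separate assertion that unmarshalling them fails. The table's loop body is outside the hunk, so I cannot tell whether it can express an error expectation as written.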
@@ -427,7 +424,6 @@ func TestUnmarshallCreateHostUserModeYAML(t *testing.T) { {expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: "\"off\""}, {expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: "off"}, {expected: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, input: "\"\""}, - {expected: CreateHostUserMode_HOST_USER_MODE_DROP, input: "drop"}, {expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "keep"}, {expected: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, input: "insecure-drop"}, } { diff --git a/api/types/types.pb.go b/api/types/types.pb.go index b9983d498dc7b..1836d53e7e13a 100644 --- a/api/types/types.pb.go +++ b/api/types/types.pb.go @@ -299,11 +299,9 @@ const ( CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED CreateHostUserMode = 0 // HOST_USER_MODE_OFF disables host user creation. CreateHostUserMode_HOST_USER_MODE_OFF CreateHostUserMode = 1 - // HOST_USER_MODE_DROP enables host user creation and deletes users at session end. - CreateHostUserMode_HOST_USER_MODE_DROP CreateHostUserMode = 2 // HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end. CreateHostUserMode_HOST_USER_MODE_KEEP CreateHostUserMode = 3 - // HOST_USER_MODE_INSECURE enables host user creation without a home directory and deletes + // HOST_USER_MODE_INSECURE_DROP enables host user creation without a home directory and deletes // users at session end. CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP CreateHostUserMode = 4 ) @@ -311,7 +309,6 @@ const ( var CreateHostUserMode_name = map[int32]string{ 0: "HOST_USER_MODE_UNSPECIFIED", 1: "HOST_USER_MODE_OFF", - 2: "HOST_USER_MODE_DROP", 3: "HOST_USER_MODE_KEEP", 4: "HOST_USER_MODE_INSECURE_DROP", } @@ -319,7 +316,6 @@ var CreateHostUserMode_name = map[int32]string{ var CreateHostUserMode_value = map[string]int32{ "HOST_USER_MODE_UNSPECIFIED": 0, "HOST_USER_MODE_OFF": 1, - "HOST_USER_MODE_DROP": 2, "HOST_USER_MODE_KEEP": 3, "HOST_USER_MODE_INSECURE_DROP": 4, } 
@@ -17620,7 +17616,7 @@ func init() { func init() { proto.RegisterFile("teleport/legacy/types/types.proto", fileDescriptor_9198ee693835762e) } var fileDescriptor_9198ee693835762e = []byte{ - // 24046 bytes of a gzipped FileDescriptorProto + // 24052 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0xbd, 0x6d, 0x70, 0x1c, 0x49, 0x76, 0x20, 0x36, 0xfd, 0x01, 0xa0, 0xf1, 0xf0, 0xd5, 0x48, 0x82, 0x24, 0x88, 0x19, 0x0e, 0x38, 0x35, 0x33, 0x1c, 0x92, 0x33, 0x43, 0x2e, 0xc1, 0x1d, 0xee, 0xce, 0xf7, 0x36, 0xba, 0x41, 0xa2, 
@@ -19094,36 +19090,37 @@ var fileDescriptor_9198ee693835762e = []byte{ 0x65, 0x95, 0xed, 0xda, 0xe8, 0x83, 0xc8, 0x43, 0x37, 0x15, 0x20, 0xbf, 0xb6, 0xbe, 0xb6, 0x14, 0x57, 0x47, 0x8f, 0x43, 0xa1, 0x54, 0xab, 0x99, 0xeb, 0x5b, 0x38, 0x86, 0x00, 0xc3, 0x95, 0xa5, 0x35, 0xd6, 0xb2, 0x1c, 0x2b, 0xa9, 0x99, 0xeb, 0xab, 0xeb, 0x1b, 0x4b, 0x95, 0x62, 0xfe, 0xca, - 0x2f, 0x65, 0x80, 0x70, 0x5f, 0x4b, 0x19, 0x0e, 0x07, 0xfb, 0xf2, 0x79, 0x98, 0x5b, 0xfe, 0x7f, - 0x28, 0xbb, 0xa2, 0xd6, 0xaa, 0x61, 0x28, 0x7c, 0xdb, 0xbb, 0x09, 0x1e, 0x1d, 0x66, 0x77, 0x73, - 0xbb, 0xe0, 0xa5, 0x0f, 0xa2, 0xe2, 0x22, 0xfa, 0xe2, 0xb3, 0x0f, 0x59, 0x9b, 0x9a, 0xb2, 0x36, - 0x29, 0x49, 0x8a, 0x3a, 0x84, 0xa0, 0xac, 0x48, 0x1f, 0xac, 0x30, 0xe7, 0x5f, 0xf0, 0x07, 0xf8, - 0xab, 0xf6, 0x22, 0xf8, 0x13, 0xf4, 0xfe, 0x12, 0x49, 0xda, 0xce, 0xdb, 0x6c, 0x14, 0x7c, 0xcc, - 0xf9, 0x4e, 0xd3, 0xaf, 0x87, 0xef, 0x94, 0x90, 0xf4, 0x9c, 0xda, 0x20, 0x38, 0x1a, 0x85, 0x48, - 0xfc, 0xc7, 0x3b, 0x80, 0x85, 0x87, 0x8b, 0x34, 0x45, 0xc1, 0xe2, 0x10, 0xf6, 0x3c, 0x7b, 0x22, - 0x45, 0x89, 0xc2, 0x1b, 0x80, 0x13, 0x4a, 0x4b, 0x34, 0xb7, 0xa1, 0xf4, 0x80, 0x41, 0x1b, 0xdd, - 0xa5, 0x5b, 0xf8, 0x7b, 0x00, 0x07, 0x1d, 0xc5, 0x41, 0x68, 0x57, 0x34, 0x57, 0xb0, 0xec, 0x4b, - 0xc2, 0x6f, 0x22, 0xb9, 0x0f, 0x68, 0x84, 0x76, 0x14, 0xef, 0xc3, 0xee, 0xc8, 0xea, 0x78, 0x84, - 0x36, 0x8d, 0x46, 0xe6, 0x63, 0xaa, 0xb4, 0xa1, 0x69, 0x2a, 0xa4, 0xee, 0x88, 0xcc, 0xf1, 0x43, - 0xd8, 0x8d, 0xeb, 0xf3, 0x0b, 0xbb, 0x3c, 0x6d, 0xbf, 0x36, 0x5f, 0x5a, 0x47, 0x61, 0x07, 0x6e, - 0xd3, 0xb7, 0x9a, 0x72, 0x95, 0x09, 0x8e, 0x66, 0x78, 0xe5, 0xf9, 0x0c, 0x82, 0x56, 0x8a, 0xa1, - 0x19, 0x7e, 0x0f, 0x77, 0x47, 0x0d, 0xdd, 0x0e, 0x61, 0x6f, 0x73, 0x5c, 0xd6, 0xed, 0x59, 0xd3, - 0x7e, 0x42, 0x33, 0x1f, 0x90, 0xdf, 0xda, 0xd6, 0x02, 0x4e, 0x36, 0x9b, 0x80, 0xae, 0xcf, 0x3f, - 0x37, 0xed, 0x87, 0x8b, 0xfa, 0x0c, 0x85, 0xf8, 0x05, 0xec, 0x8c, 0x0a, 0x5f, 0xed, 0x7d, 0x73, - 0xd1, 0x27, 0x52, 0x41, 0x93, 0xac, 0x2a, 0xd0, 0xb6, 0x15, 0x0c, 
0xcb, 0x5e, 0x33, 0x04, 0xf8, - 0x47, 0x60, 0x17, 0x29, 0xae, 0x39, 0x4c, 0x91, 0x92, 0x81, 0xa9, 0x8d, 0x52, 0x57, 0x23, 0x4f, - 0x95, 0xea, 0x36, 0xfb, 0x57, 0xb0, 0xec, 0x07, 0x86, 0xf0, 0xc4, 0x30, 0x22, 0x93, 0x37, 0x44, - 0xda, 0xd0, 0xbd, 0x43, 0xa1, 0xd3, 0xc2, 0x86, 0xc5, 0x68, 0x51, 0xc5, 0x0c, 0xcd, 0x6d, 0xf8, - 0x47, 0xf6, 0x32, 0xe3, 0x68, 0xcb, 0x29, 0xeb, 0x9a, 0xb7, 0x9b, 0xd6, 0xe2, 0xdb, 0xb8, 0x01, - 0xe4, 0x7f, 0xe1, 0x7b, 0xed, 0xd4, 0x45, 0x56, 0x9c, 0x77, 0x32, 0xbf, 0x07, 0x77, 0x84, 0x66, - 0x54, 0xf6, 0x5d, 0x0c, 0x5c, 0xdb, 0x82, 0x8a, 0x93, 0x4a, 0x33, 0x21, 0xb3, 0x53, 0xa7, 0xf7, - 0x25, 0xec, 0xab, 0x9c, 0xc4, 0x27, 0x86, 0x0b, 0x6d, 0x32, 0x6e, 0x62, 0x46, 0x38, 0xa7, 0x39, - 0x02, 0xfc, 0x33, 0x80, 0x07, 0x13, 0x5b, 0xd8, 0x8b, 0xe7, 0x70, 0xc4, 0x28, 0x49, 0x72, 0xaa, - 0x94, 0xb1, 0x53, 0x52, 0xae, 0xfb, 0x03, 0x10, 0xf7, 0x1a, 0xf4, 0xe5, 0x76, 0x04, 0x8f, 0xa7, - 0xdd, 0xff, 0x65, 0xe7, 0x53, 0x78, 0x34, 0xed, 0xda, 0x67, 0x6b, 0xb8, 0xc0, 0xf0, 0x64, 0xda, - 0xf3, 0x2a, 0xcb, 0xe7, 0xc7, 0xaf, 0x2e, 0xff, 0x44, 0xb3, 0xcb, 0x75, 0x14, 0xfc, 0x5a, 0x47, - 0xc1, 0xef, 0x75, 0x14, 0x9c, 0x3e, 0xfb, 0x8f, 0x7f, 0x5e, 0x7c, 0xbc, 0xe5, 0x4e, 0xd8, 0x5e, - 0xfe, 0x0d, 0x00, 0x00, 0xff, 0xff, 0xc3, 0x92, 0x05, 0x9b, 0xe3, 0x66, 0x01, 0x00, + 0x2f, 0x67, 0x80, 0x70, 0x5f, 0x4b, 0x19, 0x0e, 0x07, 0xfb, 0xf2, 0x79, 0x98, 0x5b, 0xfe, 0x7f, + 0x28, 0xbb, 0x82, 0xdd, 0xa8, 0x61, 0x20, 0xba, 0xc9, 0x6e, 0x11, 0x0c, 0x54, 0x4c, 0xb7, 0xa5, + 0x5d, 0x89, 0xd5, 0x1e, 0x2a, 0x40, 0xd4, 0x08, 0x2e, 0x9c, 0x39, 0xb8, 0x1b, 0x07, 0x47, 0xdd, + 0xb5, 0x57, 0xb6, 0x23, 0xa0, 0x42, 0xb2, 0x40, 0x8d, 0x50, 0x0e, 0x04, 0xa9, 0x94, 0x5f, 0xe0, + 0x03, 0xf8, 0xaa, 0x5e, 0x90, 0xf8, 0x04, 0xd8, 0x2f, 0x41, 0x76, 0x92, 0xb2, 0x71, 0x51, 0xa4, + 0x1e, 0x3d, 0x6f, 0xe2, 0xbc, 0x8c, 0xde, 0x44, 0x96, 0x9d, 0x99, 0xb8, 0x20, 0x78, 0x1a, 0x4b, + 0x99, 0x84, 0x8f, 0xb7, 0x0f, 0xe3, 0x00, 0x97, 0x69, 0x8a, 0xd1, 0xf8, 0x00, 0x76, 0x03, 0xfb, + 0x09, 0x63, 0x2b, 
0x1c, 0xba, 0x88, 0x05, 0x40, 0x2b, 0x01, 0x9b, 0x28, 0xb9, 0xc2, 0xd1, 0xe1, + 0xe8, 0x76, 0x8c, 0x31, 0x09, 0x2f, 0x77, 0x20, 0xf9, 0x1e, 0xc1, 0x7e, 0x4d, 0xb2, 0x95, 0xda, + 0x15, 0xd1, 0x29, 0x4c, 0x9a, 0xa2, 0xf0, 0xff, 0xd1, 0xdc, 0x03, 0xec, 0xa0, 0x35, 0xc9, 0x07, + 0xb0, 0xd3, 0xb1, 0x7a, 0x8a, 0xb1, 0x4b, 0xa4, 0x8e, 0xf9, 0x98, 0x69, 0x63, 0x59, 0x9a, 0x4a, + 0x65, 0x6a, 0x8e, 0x43, 0x72, 0x08, 0x3b, 0xf3, 0xe2, 0xfc, 0xc2, 0x2d, 0x50, 0xab, 0xaf, 0xe5, + 0x97, 0xca, 0x53, 0xd8, 0x86, 0x3b, 0xec, 0xad, 0x61, 0x42, 0x67, 0x52, 0xe0, 0x80, 0x4c, 0x03, + 0x9f, 0x56, 0xd2, 0x5a, 0x73, 0x1c, 0x90, 0xf7, 0x70, 0xaf, 0xd3, 0xd2, 0xed, 0x00, 0x76, 0x37, + 0xc7, 0xab, 0xa2, 0x3a, 0x2b, 0xab, 0x4f, 0x38, 0x08, 0x01, 0xf5, 0xad, 0xaa, 0x1c, 0xe0, 0x85, + 0xb3, 0x09, 0x98, 0xe2, 0xfc, 0x73, 0x59, 0x7d, 0xb8, 0x28, 0xce, 0x30, 0x26, 0x2f, 0x60, 0xbb, + 0x53, 0xfa, 0xea, 0xee, 0xbb, 0x90, 0x4d, 0x2a, 0x2d, 0x59, 0x92, 0xe5, 0x4b, 0xdc, 0x72, 0x92, + 0xe1, 0xd9, 0x6b, 0x8e, 0x40, 0x7e, 0x44, 0x6e, 0x99, 0xe2, 0xdb, 0xc3, 0x2c, 0x53, 0xda, 0x32, + 0x75, 0x51, 0xaa, 0xab, 0xe4, 0x99, 0xd6, 0xf5, 0x76, 0xff, 0x14, 0x26, 0xcd, 0xc0, 0x52, 0x91, + 0x58, 0x4e, 0x55, 0xf2, 0x86, 0x2a, 0x17, 0xba, 0x77, 0x18, 0x7b, 0x35, 0x6c, 0x58, 0xac, 0x91, + 0xf9, 0x9c, 0xe3, 0xd0, 0x85, 0xbf, 0x63, 0x5f, 0x65, 0x02, 0x47, 0x5e, 0x5b, 0xd7, 0xbc, 0xfd, + 0xb4, 0x0e, 0xdf, 0x22, 0x25, 0x60, 0xf8, 0x8d, 0xef, 0xb5, 0x73, 0x17, 0x95, 0x0b, 0x51, 0x0b, + 0xfd, 0x3e, 0xdc, 0x95, 0x86, 0x33, 0xd5, 0xf4, 0x31, 0xf0, 0x8d, 0x0b, 0x72, 0x41, 0x73, 0xc3, + 0xa5, 0xca, 0x4e, 0xbd, 0xe2, 0x27, 0xb0, 0xa7, 0x17, 0x74, 0x7e, 0x62, 0x85, 0x34, 0x36, 0x13, + 0x76, 0xce, 0xa9, 0x10, 0x6c, 0x81, 0x40, 0x7e, 0x46, 0xf0, 0xb0, 0x67, 0x13, 0x7b, 0xfc, 0x1c, + 0x8e, 0x38, 0xa3, 0xc9, 0x82, 0x69, 0x6d, 0xdd, 0x94, 0x4c, 0x98, 0xe6, 0x08, 0xc4, 0xbf, 0x08, + 0x43, 0xb9, 0x1d, 0xc1, 0xe3, 0x7e, 0xf7, 0x7f, 0xf9, 0xf9, 0x14, 0x1e, 0xf5, 0xbb, 0x36, 0xf9, + 0x1a, 0x8f, 0x09, 0x3c, 0xe9, 0xf7, 0xbc, 0xca, 0xf3, 
0xe1, 0xf1, 0xab, 0xcb, 0x3f, 0xb3, 0xc1, + 0xe5, 0x7a, 0x16, 0xfd, 0x5a, 0xcf, 0xa2, 0xdf, 0xeb, 0x59, 0x74, 0xfa, 0xec, 0x06, 0x7f, 0xbd, + 0xf8, 0x78, 0xcb, 0x9f, 0xb1, 0xbd, 0xfc, 0x1b, 0x00, 0x00, 0xff, 0xff, 0x34, 0x02, 0x7d, 0xcf, + 0xe5, 0x66, 0x01, 0x00, } func (this *PluginSpecV1) Equal(that interface{}) bool { diff --git a/integration/hostuser_test.go b/integration/hostuser_test.go index 40621242bfe46..d268945dd3b08 100644 --- a/integration/hostuser_test.go +++ b/integration/hostuser_test.go @@ -203,28 +203,6 @@ func TestRootHostUsers(t *testing.T) { t.Cleanup(func() { require.NoError(t, bk.Close()) }) presence := local.NewPresenceService(bk) - t.Run("test create temporary user and close", func(t *testing.T) { - users := srv.NewHostUsers(context.Background(), presence, "host_uuid") - - testGroups := []string{"group1", "group2"} - closer, err := users.CreateUser(testuser, &services.HostUsersInfo{Groups: testGroups, Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP}) - require.NoError(t, err) - - testGroups = append(testGroups, types.TeleportServiceGroup) - t.Cleanup(cleanupUsersAndGroups([]string{testuser}, testGroups)) - - u, err := user.Lookup(testuser) - require.NoError(t, err) - requireUserInGroups(t, u, testGroups) - require.NotEmpty(t, u.HomeDir) - require.DirExists(t, u.HomeDir) - - require.NoError(t, closer.Close()) - _, err = user.Lookup(testuser) - require.Equal(t, err, user.UnknownUserError(testuser)) - require.NoDirExists(t, u.HomeDir) - }) - t.Run("test create temporary user without home dir", func(t *testing.T) { users := srv.NewHostUsers(context.Background(), presence, "host_uuid") @@ -255,7 +233,7 @@ func TestRootHostUsers(t *testing.T) { require.ErrorIs(t, err, user.UnknownGroupIdError(testGID)) closer, err := users.CreateUser(testuser, &services.HostUsersInfo{ - Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP, + Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, UID: testUID, GID: testGID, }) 
@@ -273,8 +251,6 @@ func TestRootHostUsers(t *testing.T) { require.Equal(t, u.Uid, testUID) require.Equal(t, u.Gid, testGID) - require.FileExists(t, filepath.Join("/home", testuser, ".bashrc")) - require.NoError(t, closer.Close()) _, err = user.Lookup(testuser) require.Equal(t, err, user.UnknownUserError(testuser)) @@ -298,7 +274,7 @@ func TestRootHostUsers(t *testing.T) { }) closer, err := users.CreateUser(testuser, &services.HostUsersInfo{ - Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP, + Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, }) require.NoError(t, err) err = sudoers.WriteSudoers(testuser, []string{"ALL=(ALL) ALL"}) @@ -327,7 +303,7 @@ func TestRootHostUsers(t *testing.T) { deleteableUsers := []string{"teleport-user1", "teleport-user2", "teleport-user3"} for _, user := range deleteableUsers { - _, err := users.CreateUser(user, &services.HostUsersInfo{Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP}) + _, err := users.CreateUser(user, &services.HostUsersInfo{Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP}) require.NoError(t, err) } diff --git a/integrations/operator/controllers/resources/role_controller_test.go b/integrations/operator/controllers/resources/role_controller_test.go index f46f6c72ed89f..60fdc5157945c 100644 --- a/integrations/operator/controllers/resources/role_controller_test.go +++ b/integrations/operator/controllers/resources/role_controller_test.go @@ -90,7 +90,7 @@ allow: - ubuntu - root options: - create_host_user_mode: 2 + create_host_user_mode: 4 `, shouldFail: false, expectedSpec: &types.RoleSpecV6{ @@ -98,7 +98,7 @@ options: Logins: []string{"ubuntu", "root"}, }, Options: types.RoleOptions{ - CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_DROP, + CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, }, }, }, diff --git a/lib/services/access_checker.go b/lib/services/access_checker.go index ded3d3b841fdd..50437b18a479c 100644 --- a/lib/services/access_checker.go 
+++ b/lib/services/access_checker.go
@@ -883,7 +883,7 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
 if createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED {
 createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_OFF
 if createHostUser != nil && createHostUser.Value {
- createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_DROP
+ createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_KEEP
 }
 }
@@ -896,8 +896,8 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
 if mode == types.CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED {
 mode = createHostUserMode
 }
- // prefer to use HostUserModeKeep over Drop if mode has already been set.
- if (mode == types.CreateHostUserMode_HOST_USER_MODE_DROP || mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP) &&
+ // prefer to use HostUserModeKeep over InsecureDrop if mode has already been set.
+ if mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP &&
 createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_KEEP {
 mode = types.CreateHostUserMode_HOST_USER_MODE_KEEP
 }
diff --git a/lib/services/role_test.go b/lib/services/role_test.go
index 9d10693c409c4..693b505d0b911 100644
--- a/lib/services/role_test.go
+++ b/lib/services/role_test.go
@@ -7375,7 +7375,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) {
 {
 test: "test exact match, one role, can create",
 canCreate: true,
- expectedMode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+ expectedMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP,
 roles: NewRoleSet(&types.RoleV6{
 Spec: types.RoleSpecV6{
 Options: types.RoleOptions{
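Review bot: The fallback for the legacy `create_host_user: true` boolean now resolves to `HOST_USER_MODE_KEEP`, so a role that only set the old flag switches from temporary users removed at session end to host users that persist after the session, which loosens cleanup for existing deployments and contradicts the CHANGELOG entry that says `drop` is replaced by `insecure-drop`. If the loosening is intended it belongs in the changelog; otherwise the fallback should read `createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP`, which also keeps those users in `TeleportServiceGroup` per the `lib/srv/usermgmt.go` hunk. The role_test.go expectations updated to KEEP in this commit suggest the choice is deliberate, so at minimum a comment on that line explaining why KEEP rather than the documented replacement was chosen would save the next reader the same question. `HostUsers` starts and ends outside the hunk.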
@@ -7398,7 +7398,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) { { test: "test two roles, 1 exact match, one can create", canCreate: false, - expectedMode: types.CreateHostUserMode_HOST_USER_MODE_DROP, + expectedMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP, roles: NewRoleSet(&types.RoleV6{ Spec: types.RoleSpecV6{ Options: types.RoleOptions{ @@ -7430,7 +7430,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) { { test: "test three roles, 2 exact match, both can create", canCreate: true, - expectedMode: types.CreateHostUserMode_HOST_USER_MODE_DROP, + expectedMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP, roles: NewRoleSet(&types.RoleV6{ Spec: types.RoleSpecV6{ Options: types.RoleOptions{ @@ -7496,9 +7496,9 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) { types.CreateHostUserMode_HOST_USER_MODE_OFF, ), createDefaultTCWithMode( - "test can create when create host user mode is drop", + "test can create when create host user mode is insecure-drop", true, - types.CreateHostUserMode_HOST_USER_MODE_DROP, + types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, ), createDefaultTCWithMode( "test can create when create host user mode is keep", @@ -7529,7 +7529,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) { }, &types.RoleV6{ Spec: types.RoleSpecV6{ Options: types.RoleOptions{ - CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_DROP, + CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, }, Allow: types.RoleConditions{ NodeLabels: types.Labels{"success": []string{"abc"}}, diff --git a/lib/srv/usermgmt.go b/lib/srv/usermgmt.go index 2a29616dff1bb..72f1a6f11dce6 100644 --- a/lib/srv/usermgmt.go +++ b/lib/srv/usermgmt.go 
@@ -278,7 +278,7 @@ func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo)
 }
 groups = append(groups, group)
 }
- if ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_DROP || ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP {
+ if ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP {
 groups = append(groups, types.TeleportServiceGroup)
 }
 var errs []error
diff --git a/lib/srv/usermgmt_test.go b/lib/srv/usermgmt_test.go
index 16783263a3b19..5676d5779b3f0 100644
--- a/lib/srv/usermgmt_test.go
+++ b/lib/srv/usermgmt_test.go
@@ -172,7 +172,7 @@ func TestUserMgmt_CreateTemporaryUser(t *testing.T) {
 userinfo := &services.HostUsersInfo{
 Groups: []string{"hello", "sudo"},
- Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+ Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 }
 // create a user with some groups
 closer, err := users.CreateUser("bob", userinfo)
@@ -219,7 +219,7 @@ func TestUserMgmtSudoers_CreateTemporaryUser(t *testing.T) {
 closer, err := users.CreateUser("bob", &services.HostUsersInfo{
 Groups: []string{"hello", "sudo"},
- Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+ Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 })
 require.NoError(t, err)
 require.NotNil(t, closer)
@@ -242,13 +242,13 @@ func TestUserMgmtSudoers_CreateTemporaryUser(t *testing.T) {
 // been created
 backend.CreateUser("testuser", nil, "", "")
 _, err := users.CreateUser("testuser", &services.HostUsersInfo{
- Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+ Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 })
 require.True(t, trace.IsAlreadyExists(err))
 backend.CreateGroup(types.TeleportServiceGroup, "")
 // IsAlreadyExists error when teleport-service group now exists
 _, err = users.CreateUser("testuser", &services.HostUsersInfo{
- Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+ Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 })
 require.True(t, trace.IsAlreadyExists(err))
 })