From aad254eb85755d41927fe1809cb52c65bb8aac20 Mon Sep 17 00:00:00 2001 From: Brett Smith Date: Fri, 23 Jun 2023 14:14:38 -0400 Subject: [PATCH] 20663: Expand the default SyncIgnoredGroups We discussed at standup that we prioritize the security of the default configuration over backwards compatibility. This new default does that. The list of groups is primarily informed by: Arvados-DCO-1.1-Signed-off-by: Brett Smith --- doc/admin/upgrading.html.textile.liquid | 6 ++++++ lib/config/config.default.yml | 18 ++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid index c7db8c6b9f..1e0e9a8337 100644 --- a/doc/admin/upgrading.html.textile.liquid +++ b/doc/admin/upgrading.html.textile.liquid 
@@ -38,6 +38,12 @@ h3. Multi-node installer's domain name configuration changes The @domain_name@ variable at @terraform/vpc/terraform.tfvars@ and @DOMAIN@ variable at @local.params@ changed their meaning. In previous versions they were used in combination with @cluster_name@ and @CLUSTER@ to build the cluster's domain name (e.g.: @cluster_name@.@domain_name@). To allow the use of any arbitrary cluster domain, now we don't enforce using the cluster prefix as part of the domain, so @domain_name@ and @DOMAIN@ need to hold the entire domain for the given cluster. For example, if @cluster_name@ is set to @"xarv1"@ and @domain_name@ was previously set to @"example.com"@, it should now be set to @"xarv1.example.com"@ to keep using the same cluster domain. +h3. arvados-login-sync configuration changes, including ignored groups + +In the @Users@ section of your cluster configuration, there are now several options to control what system resources are or are not managed by @arvados-login-sync@. These options all have names that begin with @Sync@. + +The defaults for all of these options match the previous behavior of @arvados-login-sync@ _except_ for @SyncIgnoredGroups@. This list names groups that @arvados-login-sync@ will never modify by adding or removing members. As a security precaution, the default list names security-sensitive system groups on Debian- and Red Hat-based distributions. If you are using Arvados to manage system group membership on shell nodes, especially @sudo@ or @wheel@, you may want to provide your own list. Set @SyncIgnoredGroups: []@ to restore the original behavior of ignoring no groups. + h3. UseAWSS3v2Driver option removed The old "v1" S3 driver for keepstore has been removed. The new "v2" implementation, which has been the default since Arvados 2.5.0, is always used. The @Volumes.*.DriverParameters.UseAWSS3v2Driver@ configuration key is no longer recognized. If your config file uses it, remove it to avoid warning messages at startup. 
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index 6ae98157b9..49d62e2980 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml @@ -437,8 +437,22 @@ Clusters: # never modify these groups. If user login permissions list any groups # in SyncIgnoredGroups, they will be ignored. If a user's Unix account # belongs to any of these groups, arvados-login-sync will not remove - # the account from that group. - SyncIgnoredGroups: [] + # the account from that group. The default is a set of particularly + # security-sensitive groups across Debian- and Red Hat-based + # distributions. + SyncIgnoredGroups: + - adm + - disk + - kmem + - mem + - root + - shadow + - staff + - sudo + - sys + - utempter + - utmp + - wheel AuditLogs: # Time to keep audit logs, in seconds. (An audit log is a row added -- 2.30.2
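Review bot: the doc hunk's paragraph beginning "In the @Users@ section of your cluster configuration" says there are "several options" whose names begin with @Sync@ but never names them, so an upgrading admin cannot tell from this page which keys to review; list the option names (or link to the configuration reference) in that paragraph. The following paragraph should also say that the default @SyncIgnoredGroups@ list only covers Debian- and Red Hat-based distributions, so operators on other distributions need to check whether their privileged groups use different names and add them, rather than reading "the default list names security-sensitive system groups" as complete coverage.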
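Review bot: the new comment on @SyncIgnoredGroups@ gives no selection criterion or source for the twelve groups, and the commit message's "The list of groups is primarily informed by:" sentence ends without one; add the reference or a one-line criterion to the comment so that anyone extending the list knows what qualifies. Since a fixed list cannot be exhaustive across distributions and sites, the comment should also say that operators are expected to extend it rather than treat it as complete, and should state, as the upgrade note in the other file does, that setting @SyncIgnoredGroups: []@ removes the protection entirely, so the two texts agree.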