Setting up new accounts *without* building home directories


#1

I’m going through the ‘users’ cookbook, and various environments, and am trying to figure out how to set ‘useradd’ options to not use the ‘-M’ on Linux to automatically create home directories. There are all sorts of reasons not to want this: shared user home directories, NFS mounted homedirs that are temporarily offline, and root-squashed NFS shares on client servers are only some of them.

I see where the ‘-m’, which enforces home directory allocation, is being set up in lib/chef/provider/user/useradd.rb. But I’m afraid I’m having difficulty unfurling how to prevent it from being used at all or on an environment by environment basis.


Nico Kadel-Garcia
Senior Systems Consultant
Email: nkadelgarcia-consultant@scholastic.com
Cell Phone: +1.339.368.2428


#2

This is the default for the user resource, but you can make it explicit if you prefer:

user 'foo' do
  supports manage_home: false
end

–Noah



#3

On further review, can see that the current but the ‘users’ cookbook is enforcing such settings. I don’t see how to prevent it yet.

It’s also pretty insistent on creating a $HOME/.ssh directory, even if no SSH settings are provided. I can submit a patch for that more easily.


Nico Kadel-Garcia
Senior Systems Consultant
Email: nkadelgarcia-consultant@scholastic.com
Cell Phone: +1.339.368.2428



#4

From what I see in the code, to disable home dir you can just set {home: "/dev/null"}

Best Regards,
Roman



#5

I’m sorry, but this is not the point. The problem is not that a $HOME is set, this is appropriate for any shell enabled account. The problem is that the “enable_home” settings are hard-coded, in the ‘users’ cookbook, to enforce the use of ‘useradd -m’ when creating new accounts. If the accounts are mounted without the ability for root to create home directories, as for example if home directories are auto-mounted with wildcards in /etc/auto.home, the directory cannot be created with ‘useradd’.

The ‘I insist on managing $HOME/.ssh’ for accounts that do not use any of the available .ssh configuration settings is a separate, but similar problem. Auto-mounted home directories that are temporarily unavailable cause chef recipes to fail.


Nico Kadel-Garcia
Senior Systems Consultant
Email: nkadelgarcia-consultant@scholastic.com
Cell Phone: +1.339.368.2428



#6

Just don’t use the users cookbook then, sounds like your use is specific enough to write your own.



#7

I’ve already sent in patches to stop touching $HOME/.ssh if no SSH characteristics are set. Correctly handling the underlying ‘manage_home’ for select environments, and not using a hardcoded ‘useradd -m’, seems just the sort of thing to justify a patch. These settings are not really environment specific: any environment that relies on network mounted home directories, detachable drives for home directories, or has NFSv3 or NFSv4 permissions interfering is at risk of having the cookbook fail outright, as it stands.

The suggestion of “just set your home directory to /dev/null” is simply unworkable.
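
The per-account decision this thread asks for, as an added example in plain Ruby (not code from Chef or the 'users' cookbook): an explicit setting on the user item wins, otherwise the home directory is created only when its parent is not on an automounted or NFS filesystem. The 'manage_home' item key, the helper names and the sample mount table are assumptions made for illustration.

```ruby
# Added example: plain Ruby, not code from Chef or the 'users' cookbook.
# Filesystem types on which a local 'useradd -m' is likely to fail
# (automount points, NFS exports with root squashing).
NETWORK_FS = %w[autofs nfs nfs4].freeze

# Constructed sample in /proc/mounts format: /home is a wildcard automount.
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/sda1 / ext4 rw,relatime 0 0
  /etc/auto.home /home autofs rw,relatime,fd=7,timeout=300,indirect 0 0
  /dev/sdb1 /srv ext4 rw,relatime 0 0
MOUNTS

# Parse /proc/mounts-style text into [mountpoint, fstype] pairs.
def parse_mounts(text)
  text.each_line.map(&:split).select { |f| f.size >= 3 }.map { |f| [f[1], f[2]] }
end

# Filesystem type of the deepest mountpoint that contains `path`.
def fstype_for(path, mounts)
  covering = mounts.select do |mp, _|
    mp == '/' || path == mp || path.start_with?("#{mp}/")
  end
  best = covering.reverse.max_by { |mp, _| mp.length }
  best && best[1]
end

# Explicit 'manage_home' (hypothetical item key) overrides detection.
def manage_home?(item, mounts)
  return item['manage_home'] if item.key?('manage_home')
  !NETWORK_FS.include?(fstype_for(File.dirname(item['home']), mounts))
end

# Build the useradd argument list: -m creates the home, -M does not.
def useradd_args(item, mounts)
  flag = manage_home?(item, mounts) ? '-m' : '-M'
  ['useradd', '-d', item['home'], flag, item['id']]
end

if __FILE__ == $PROGRAM_NAME
  mounts = parse_mounts(SAMPLE_MOUNTS)
  [{ 'id' => 'alice', 'home' => '/home/alice' },
   { 'id' => 'svc', 'home' => '/srv/svc' }].each do |user|
    puts useradd_args(user, mounts).join(' ')
  end
end
```

Returning an argument array rather than a command string keeps account names and paths out of shell interpolation if the result is later passed to a process launcher.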
