Red Hat Bugzilla – Bug 845078
Reserve static UID/GID for OpenStack heat daemon
Last modified: 2016-04-26 22:19:13 EDT
Description of problem:
The heat package requires a static UID/GID combination for security concerns. We would rather not dynamically allocate this UID/GID as it could cause problems during upgrade or backup and we wish to quiet rpmlint.
Version-Release number of selected component (if applicable):
Rawhide - targeted at F18
Heat is a network facing daemon which contains sensitive user information in its persistent storage area. The persistent storage area is /var/lib/heat. The current packaging uses root permissions. We absolutely don't want heat to run as root user, so our alternative is a dynamic UID/GID which would result in problems during the upgrade or backup process.
The uid/gid combo desired is 'openstack-heat'.
Just to be sure - so the reserved user/group name should be openstack-heat and homedir should be /var/lib/heat? Which package will be responsible for the user/group creation? Shell should be /sbin/nologin, right?
Yes, user/group are openstack-heat, homedir should be /var/lib/heat. Shell should be /sbin/nologin. The package responsible for creation can either be setup or heat, depending on what you think is appropriate.
The heat package is more appropriate for the user/group creation. I have reserved 187:187 uidgid pair for openstack-heat in setup-2.8.57-1.fc18, feel free to use this static id in your next heat build. Closing RAWHIDE.
Note that this was renamed to just "heat" in bug 923858.
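An added example, not part of the bug report or the heat package: a shell check that a service account still matches the reservation made in this bug (187:187, home /var/lib/heat, shell /sbin/nologin), so a dynamically allocated ID or a login shell is caught. The helper names `expect` and `check_reserved_account`, their arguments and the sample passwd/group lines are assumptions constructed for illustration; the optional name argument covers the later rename to "heat".

```sh
#!/bin/sh
# Added example: audit an account against the static reservation from this bug.
RESERVED_ID=187                 # UID and GID reserved for the heat daemon
RESERVED_HOME=/var/lib/heat
RESERVED_SHELL=/sbin/nologin

# expect LABEL ACTUAL WANTED: report a mismatch and flag failure (hypothetical helper)
expect() {
    [ "$2" = "$3" ] || { echo "$1: got '${2:-missing}', expected '$3'"; rc=1; }
}

# Usage: check_reserved_account PASSWD_FILE GROUP_FILE [NAME]  (hypothetical helper)
# Prints one line per mismatch; returns 0 only if everything matches.
check_reserved_account() {
    passwd_file=$1; group_file=$2; name=${3:-openstack-heat}; rc=0

    # passwd(5) layout: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then echo "user $name: missing"; return 1; fi
    IFS=: read -r _n _p uid gid _c home shell <<EOF
$entry
EOF
    expect "user $name uid" "$uid" "$RESERVED_ID"
    expect "user $name primary gid" "$gid" "$RESERVED_ID"
    expect "user $name home" "$home" "$RESERVED_HOME"
    expect "user $name shell" "$shell" "$RESERVED_SHELL"

    # group(5) layout: name:password:gid:members
    ggid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$group_file")
    expect "group $name gid" "$ggid" "$RESERVED_ID"

    # The reserved UID must not already belong to a different account.
    other=$(awk -F: -v n="$name" -v id="$RESERVED_ID" \
        '$3 == id && $1 != n { print $1; exit }' "$passwd_file")
    [ -z "$other" ] || { echo "uid $RESERVED_ID held by $other, expected only $name"; rc=1; }
    return "$rc"
}

# Constructed sample data (not from a real host): one correct entry, one drifted.
tmp=$(mktemp -d)
printf 'openstack-heat:x:187:187:OpenStack Heat:/var/lib/heat:/sbin/nologin\n' > "$tmp/passwd.ok"
printf 'openstack-heat:x:187:\n' > "$tmp/group.ok"
printf 'openstack-heat:x:993:990:OpenStack Heat:/var/lib/heat:/bin/bash\n' > "$tmp/passwd.bad"
printf 'openstack-heat:x:990:\n' > "$tmp/group.bad"
check_reserved_account "$tmp/passwd.ok" "$tmp/group.ok" && echo "ok: matches reservation"
check_reserved_account "$tmp/passwd.bad" "$tmp/group.bad" || echo "drift detected"
```

On a real host, pass /etc/passwd and /etc/group as the two file arguments.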