
mac_user: fixing gid and system properties, and adding hidden property #9275

Merged
merged 6 commits into from Feb 3, 2020

Conversation

@chilcote chilcote (Contributor) commented Jan 24, 2020

Goals:

  • mac_user provider will now use the numeric GID when creating a user, instead of passing what was literally in the resource (e.g. it will use 80 instead of "admin")
  • brings back support for system true from the old dscl provider.
  • adds support for new property hidden which will set the IsHidden value in the user plist.

Description

The GID will fix issues where the system does not recognize the user (for chown operations, `id`, etc.).

`system: true` works, but there are still macOS quirks. For instance, if you run chef manually in terminal, you'll be prompted to give Terminal.app privacy protection rights to be able to set the UID. When run via launchd, which is how most orgs would use chef, macOS just ignores the UID you pass and pulls its own (usually starting at 502 and going up to the next available one). This seems to be a limitation in the sysadminctl tool itself, in conjunction with the added privacy protections around updating a UID for a user. The fix for this behavior would involve signing chef (or chef's ruby) and whitelisting it for SystemPolicySysAdminFiles via MDM.

Since what most of us are interested in is not specifically assigning a UID under 500 (which Apple doesn't even support), I'm also adding in support to this resource for the IsHidden dscl attribute. With this set to 1 (which, in Apple's terms, means "true"), the account will not show up in System Prefs or at the Login Window.

Related Issue

#9171

Types of changes

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • [x] I have read the CONTRIBUTING document.
  • [ ] I have run the pre-merge tests locally and they pass.
  • [ ] I have updated the documentation accordingly.
  • [ ] I have added tests to cover my changes.
  • [ ] All new and existing tests passed.
  • [x] All commits have been signed-off for the Developer Certificate of Origin.
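As an added illustration of the two behaviours described in this PR (normalising the resource's `gid` to the numeric value the OS tools expect, and mapping `hidden` onto the `IsHidden` attribute), here is example Ruby that is not Chef's `mac_user` code. The `dscl -read` output format, the command array and the `admin`/`staff` group table are assumptions constructed for the example.

```ruby
require "etc"

# Resolve a gid given as an Integer, a numeric String ("80") or a group
# name ("admin") into an Integer. Passing the literal resource value to
# the OS is the defect the PR fixes. `lookup` defaults to Etc.getgrnam;
# a constructed table is injected below so the example runs offline.
def resolve_gid(value, lookup: ->(name) { Etc.getgrnam(name).gid })
  return value if value.is_a?(Integer)
  str = value.to_s.strip
  return Integer(str, 10) if str.match?(/\A\d+\z/)
  lookup.call(str)
rescue ArgumentError
  # Etc.getgrnam raises ArgumentError for an unknown group
  raise ArgumentError, "unknown group: #{value.inspect}"
end

# Map the boolean `hidden` property to the dscl IsHidden value ("1" is true).
def hidden_value(hidden)
  hidden ? "1" : "0"
end

# Parse `dscl . -read /Users/<name> IsHidden` output (assumed format:
# "IsHidden: 1"). A missing attribute means the account is not hidden,
# so a user record without the key compares as hidden == false.
def hidden_from_dscl(output)
  m = output.to_s.match(/^IsHidden:\s*(\d+)/)
  return false unless m
  m[1] == "1"
end

# Build (but do not execute) the argument array a provider would run to
# set the attribute; the command shape is an assumption of this example.
def dscl_set_hidden_cmd(user, hidden)
  ["dscl", ".", "-create", "/Users/#{user}", "IsHidden", hidden_value(hidden)]
end

if $PROGRAM_NAME == __FILE__
  groups = { "admin" => 80, "staff" => 20 } # constructed sample table
  lookup = ->(name) { groups.fetch(name) { raise ArgumentError } }
  puts resolve_gid("admin", lookup: lookup)          # 80, not "admin"
  puts hidden_from_dscl("IsHidden: 1")               # true
  puts dscl_set_hidden_cmd("svc_chef", true).join(" ")
end
```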

mac_user will now use the numeric GID when creating a user, and
adds support for `system true`

Signed-off-by: Joseph Chilcote <chilcote@fb.com>
@chilcote chilcote requested review from a team as code owners January 24, 2020 23:05
Signed-off-by: Joseph Chilcote <chilcote@fb.com>
@tas50 tas50 changed the title fixing mac_user provider for chef 15 mac_user: use numeric gid and restore system property usage Jan 25, 2020
Signed-off-by: Joseph Chilcote <chilcote@fb.com>
@chilcote chilcote changed the title mac_user: use numeric gid and restore system property usage mac_user: fixing gid and system properties, and adding hidden property Jan 25, 2020
… if it doesn't exist in the user record

Signed-off-by: Joseph Chilcote <chilcote@fb.com>
@tas50 tas50 (Contributor) commented Feb 3, 2020

@chilcote As of Chef Infra Client 15.8 we will be signing all the binaries in Chef to comply with all the new notarization requirements. So next week we'll be signed

@chilcote chilcote (Contributor, Author) commented Feb 4, 2020

@tas50 That's very interesting news! Is there info posted on what needs to be added to the kernel extension whitelist full disk access payloads?

@lock lock bot commented Feb 18, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Feb 18, 2020