Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NAS-134606 / 25.10 / restrict changes to builtin groups #15908

Merged
merged 1 commit into from
Mar 5, 2025
Merged

NAS-134606 / 25.10 / restrict changes to builtin groups #15908

merged 1 commit into from
Mar 5, 2025

Conversation

anodos325
Copy link
Contributor

@anodos325 anodos325 commented Mar 5, 2025
edited
Loading

Historically TrueNAS has done little to limit the changes admins can make to builtin groups (root, sssd, ntp, sudo, etc). This usually isn't problematic because admins know enough to not alter builtin groups. This is because changes to them can cause undefined system behavior, including introducing security vulnerabilities. This commit introduces additional validation to prevent problematic changes to these special system groups.

@bugclerk bugclerk changed the title restrict changes to builtin groups NAS-134606 / 25.10 / restrict changes to builtin groups Mar 5, 2025
@bugclerk
Copy link
Contributor

bugclerk commented Mar 5, 2025

Jira URL: https://ixsystems.atlassian.net/browse/NAS-134606

@anodos325 anodos325 added the WIP label Mar 5, 2025
@anodos325
restrict changes to builtin groups
373543e 
Historically TrueNAS has done little to limit the changes admins can
make to builtin groups. This usually isn't problematic because admins
know enough to not alter builtin groups because it can cause undefined
system behavior including introducing security vulnerabilities. This
commit introduces additional validation to prevent problematic
changes to these special system groups.
@anodos325 anodos325 force-pushed the restrict-builtin-group-changes branch from 74e89df to 373543e Compare March 5, 2025 14:41
@anodos325 anodos325 removed the WIP label Mar 5, 2025
@anodos325 anodos325 merged commit 1a62642 into master Mar 5, 2025
2 checks passed
@anodos325 anodos325 deleted the restrict-builtin-group-changes branch March 5, 2025 14:42
@bugclerk bugclerk mentioned this pull request Mar 5, 2025
Merged
@bugclerk
Copy link
Contributor

bugclerk commented Mar 5, 2025

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Mar 5, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@yocalebo yocalebo yocalebo approved these changes

Assignees
No one assigned
Labels
backport-25.04.0 backported jira-medium no-time-tracked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anodos325 @bugclerk @yocalebo