

feat: also check nixbld user groups
samrose committed May 21, 2024
1 parent b3cd55a commit b535cf3
Showing 2 changed files with 22 additions and 1 deletion.
21 changes: 21 additions & 0 deletions ansible-nix/files/permission_check.py
Expand Up @@ -172,6 +172,24 @@ def compare_results(username, query_result):
print("Got:", query_result)
sys.exit(1)

def check_nixbld_users():
query = """
SELECT u.username, g.groupname
FROM users u
JOIN user_groups ug ON u.uid = ug.uid
JOIN groups g ON ug.gid = g.gid
WHERE u.username LIKE 'nixbld%';
"""
query_result = run_osquery(query)
parsed_result = parse_json(query_result)

for user in parsed_result:
if user['groupname'] != 'nixbld':
print(f"User '{user['username']}' is in group '{user['groupname']}' instead of 'nixbld'.")
sys.exit(1)

print("All nixbld users are in the 'nixbld' group.")

# Define usernames for which you want to compare results
usernames = ["postgres", "ubuntu", "root", "daemon", "bin", "sys", "sync", "games","man","lp","mail","news","uucp","proxy","www-data","backup","list","irc","gnats","nobody","systemd-network","systemd-resolve","systemd-timesync","messagebus","ec2-instance-connect","sshd","wal-g","pgbouncer","gotrue","envoy","kong","nginx","vector","adminapi","postgrest","tcpdump","systemd-coredump"]

Expand All @@ -181,3 +199,6 @@ def compare_results(username, query_result):
query_result = run_osquery(query)
parsed_result = parse_json(query_result)
compare_results(username, parsed_result)

# Check if all nixbld users are in the nixbld group
check_nixbld_users()
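Review bot: check_nixbld_users() reports success on an empty result set — if the osquery returns no rows for `LIKE 'nixbld%'` (Nix build users missing, or a query that yielded empty JSON), the `for` loop never runs and the function prints "All nixbld users are in the 'nixbld' group." and the script continues with exit status 0, so the check passes vacuously for exactly the case it should catch. Unless an absent nixbld group is acceptable here, guard it before the loop: `if not parsed_result:`, `print("No nixbld users found; expected at least one.")`, `sys.exit(1)`. Note also that the join returns one row per group membership, so a nixbld user that is additionally in any other group fails the check — if that exclusivity is the intent, a one-line comment above the loop saying so would save the next reader from treating it as a bug; and `LIKE 'nixbld%'` also matches any other account whose name merely starts with that prefix. The first hunk's preceding compare_results body ends outside the hunk.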
2 changes: 1 addition & 1 deletion common-nix.vars.pkr.hcl
@@ -1 +1 @@
postgres-version = "15.6.1.51-nix-staged"
postgres-version = "15.6.1.52-nix-staged"
