[FEATURE] use system user and group

[remichristiaan]

Is your feature request related to a problem?

Not related to a problem, could be related to best practices.

Describe the solution you'd like

Currently the user and group are created as "normal" non-system. I would like to have them created as system-user and system-group with no home-dir or have the option to do so in the pillar ... only if there is a good reason not to do so.

general_config.sls

openvpn_group:
  group.present:
    - name: {{ map.group }}
    - system: true
    - require_in:
      - file: openvpn_config_dir
      - sls: openvpn.config
{%- endif %}
{%- if not (map.manage_user is sameas false or map.user == 'nobody') %}
openvpn_user:
  user.present:
    - name: {{ map.user }}
    - home: "/nonexistent"
    - createhome: false
    - system: true
    - gid: {{ map.group }}
{%-   if manage_group %}
    - require:
      - group: openvpn_group
{%-   endif %}
    - require_in:
      - file: openvpn_config_dir
      - sls: openvpn.config
{%- endif %}

Describe alternatives you've considered

I can make the changes in my own fork, but in general thats not realy handy.

Additional context

I currently do not have much time to create a pull-request myself unfortunately. But if no one picks this up, I'll see what I can do later.

[daks]

Hello,

I'm not using this formula myself but from the code it seems that it uses user and group nobody (see https://github.com/saltstack-formulas/openvpn-formula/blob/master/openvpn/defaults.yaml#L20. Tests are configured to setup a openvpn user, see here https://github.com/saltstack-formulas/openvpn-formula/blob/master/test/salt/pillar/default.sls#L14

I'm not sure modifying the formula is absolutely necesary, you should be able to do it this way:

• create your own user/group in a state
• setup the formula to use this user/group with pillars openvpn:lookup:user and openvpn:lookup:group
• order your states to run your state before the formula ones (or insert some require/require_in)

[remichristiaan]

Perhaps there is a way to create the users yourself and feed them to the formula to use, but that goes besides the point that the user and group that are created by the formula are not "system" which should be the defacto case for deamons.

[daks]

What happens (at least on Debian, I think most distributions do it that way too), is that the package manages it itself, creating the user when installing and removing it when uninstalling the package. If this user is not sufficiently secured, maybe bugs must be opened on distribution bugtrackers directly because security could/should be improved upstream :)

edit: in fact, when the formula creates the user itself (which is not the default though), its security could be improved, any PR would be appreciated :)

[remichristiaan]

If I remember correctly the OpenVPN package on Debian/Ubuntu does not create users because in the examples they use nobody:nobody. In hardening OpenVPN it's sugested to create a specific user and group.

When I have time, I'll look into the PR.