usc: using kvmd-selfauth group instead of users list

2025-12-12 01:00:29 +08:00 · 2025-05-18 22:10:50 +03:00 · 2025-05-18 22:10:50 +03:00 · d7963f3271
commit d7963f3271
parent c3eed7c497
3 changed files with 6 additions and 6 deletions
--- a/configs/os/sysusers.conf
+++ b/configs/os/sysusers.conf
@ -1,4 +1,5 @@
 g kvmd - -
+g kvmd-selfauth - -
 g kvmd-media - -
 g kvmd-pst - -
 g kvmd-ipmi - -
@ -29,8 +30,10 @@ m kvmd-media kvmd
 m kvmd-pst kvmd

 m kvmd-ipmi kvmd
+m kvmd-ipmi kvmd-selfauth

 m kvmd-vnc kvmd
+m kvmd-vnc kvmd-selfauth
 m kvmd-vnc kvmd-certbot

 m kvmd-janus kvmd
--- a/kvmd/apps/init.py
+++ b/kvmd/apps/init.py
@ -362,11 +362,8 @@ def _get_config_scheme() -> dict:
                "expire":  Option(0,    type=valid_expire),

                "usc": {
-                    "users":  Option([
-                        "kvmd-ipmi",
-                        "kvmd-vnc",
-                    ], type=valid_users_list),  # PiKVM username has a same regex as a UNIX username
-                    "groups": Option([], type=valid_users_list),  # groupname has a same regex as a username
+                    "users":  Option([], type=valid_users_list),  # PiKVM username has a same regex as a UNIX username
+                    "groups": Option(["kvmd-selfauth"], type=valid_users_list),  # groupname has a same regex as a username
                },

                "internal": {
--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@ -85,7 +85,7 @@ class AuthManager:  # pylint: disable=too-many-arguments,too-many-instance-attri

        self.__usc_uids = self.__load_usc_uids(usc_users, usc_groups)
        if self.__usc_uids:
-            logger.info("Unauth UNIX socket access is allowed for users: %s",
+            logger.info("Selfauth UNIX socket access is allowed for users: %s",
                        list(self.__usc_uids.values()))

        self.__unauth_paths = frozenset(unauth_paths)  # To speed up