NV UID and GID Reservation Tool
The NV UID and GID Reservation Tool allows SDK users to reserve groups and users in the DriveOS Linux filesystem in order to meet Discretionary Access Control (DAC) security requirements.
The tool ensures that the UIDs and GIDs used fall within the ranges reserved for SDK users and that they do not overlap with the users and groups DriveOS has already reserved.
Prerequisites
python3 >= 3.10
Getting Started
Navigate to the script location
$ cd ${NV_WORKSPACE}/drive-linux/filesystem/tools/nvusermod
# You will find the tool nv_uid_gid_reservation.py in this directory
# Sample invocation
$ python3 nv_uid_gid_reservation.py add_u_g sdk_group
See the Examples section to add and reserve users/groups in the filesystem image.
Categories of Users
System: System users as defined for System User Accounts.
This category is not usually relevant for SDK users; it is meant for special privileged users that are part of the filesystem image, such as root, systemd-network and mail.
Login: These are part of Regular User Accounts.
These are kept to allow logging in to the filesystem in the test_nsr, test_sr, debug_sr and dev_nsr PCT variants; the nvidia user is an example.
Nologin: These are part of Regular User Accounts.
These accounts are kept separate because they are only used to launch a particular process and need neither a login nor a home directory; the nvsciipc user is an example. Most users added for DAC purposes belong to this category.
Tool Inputs
The tool does not take any input file from the user; all inputs are passed as strings on the command line.
Command Format
$ python3 nv_uid_gid_reservation.py add_u_g [options] [username]
$ python3 nv_uid_gid_reservation.py addusertogroup [username] [group1] [group2] ...
Tool Options
Command: add_u_g
This command adds a new UID/GID reservation and defaults to the “nologin” user type.
Usage:
$ python3 nv_uid_gid_reservation.py add_u_g [options] [username]
| Option | Arguments | Description | Example |
|---|---|---|---|
| -c | <path_to_config_file> | Valid Unix path to the tool configuration file, which records the supported ranges and the common access control YAML. | -c configs/nv_uid_gid_reservation.CONFIG.yaml |
| --system | N/A | The user being added is treated as a system user. | --system |
| -p | <password> | Marks the user being added as a login user. Takes the password as a string and stores it internally as a salted hash. | -p nvidia |
| -u | id | Reserve the user and group with the specified ID. | -u 2000 |
| [username] | N/A | User and group name. | ./nv_uid_gid_reservation.py add_u_g linuxuser |
Command: addusertogroup
This command adds a given user to a given list of groups. It does not accept a UID/GID.
Usage:
$ python3 nv_uid_gid_reservation.py addusertogroup [username] [group1] [group2] ...
| Argument | Description | Example |
|---|---|---|
| [username] | The user to be added to the groups. | sdk_system |
| [group1] [group2] ... | One or more groups to add the user to. | sdk_user sdk_admin |
Tool Output Files
RFSAccessControl YAML:
The output file of this tool, and the input file for NVIDIA Build-FS (the image generation tool) for user management in the filesystem image.
Example output file:
Users:
  nvsciipc:
    UID: 2000
    Username: nvsciipc
    Shell: /usr/sbin/nologin
    Home: ''
  nvsciipc2:
    UID: 2001
    Username: nvsciipc2
    Shell: /usr/sbin/nologin
    Home: ''
  libnvsciipc:
    UID: 2002
    Username: libnvsciipc
    Shell: /usr/sbin/nologin
    Home: ''
  libnvscievent:
    UID: 2003
    Username: libnvscievent
    Home: ''
Groups:
  nvsciipc:
    GID: 2000
    Groupname: nvsciipc
  nvsciipc2:
    GID: 2001
    Groupname: nvsciipc2
  libnvsciipc:
    GID: 2002
    Groupname: libnvsciipc
  libnvscievent:
    GID: 2003
    Groupname: libnvscievent
Memberships:
  nvsciipc:
    - libnvsciipc
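As an added illustration (not the tool's own code), the following Python models the reservation checks this page describes, the range and overlap enforcement behind add_u_g and the membership update behind addusertogroup, over a constructed config shaped like the YAML above. The per-category ID ranges, the login-user home path and the orientation of the Memberships map (user to groups) are assumptions; the real ranges come from nv_uid_gid_reservation.CONFIG.yaml, which this page does not reproduce.

```python
# Added example (not the tool's own code): models the add_u_g / addusertogroup
# checks this page describes. The per-category ID ranges are ASSUMPTIONS for
# illustration; the real ones live in nv_uid_gid_reservation.CONFIG.yaml.
ASSUMED_RANGES = {
    "system": (500, 999),       # assumed; page's sample allocates UID 600
    "login": (1000, 1999),      # assumed; page's sample allocates UID 1500
    "nologin": (40000, 49999),  # assumed; page's sample allocates UID 40001
}
def sample_config():
    """Constructed starting state shaped like this page's RFSAccessControl YAML."""
    return {"Users": {"nvsciipc": {"UID": 2000, "Username": "nvsciipc",
                                   "Shell": "/usr/sbin/nologin", "Home": ""}},
            "Groups": {"nvsciipc": {"GID": 2000, "Groupname": "nvsciipc"}},
            "Memberships": {}}

class ReservationError(ValueError):
    """Raised when a reservation would leave its range or collide with an ID."""
def reserved_ids(config):
    """Every UID and GID already present; a new ID may overlap neither set."""
    return ({u["UID"] for u in config["Users"].values()}
            | {g["GID"] for g in config["Groups"].values()})

def add_u_g(config, name, category="nologin", requested=None, shell="/bin/bash"):
    """Reserve `name` as user and group sharing one ID; returns that ID."""
    if name in config["Users"] or name in config["Groups"]:
        raise ReservationError(f"'{name}' is already reserved")
    lo, hi = ASSUMED_RANGES[category]
    taken = reserved_ids(config)
    if requested is None:  # -u not given: lowest free ID in the category's range
        requested = next((i for i in range(lo, hi + 1) if i not in taken), None)
        if requested is None:
            raise ReservationError(f"no free ID left in the {category} range")
    elif not lo <= requested <= hi:
        raise ReservationError(f"{requested} is outside the {category} range {lo}-{hi}")
    elif requested in taken:
        raise ReservationError(f"{requested} is already reserved")
    login = category == "login"  # only login users get a shell and a home directory
    config["Users"][name] = {"UID": requested, "Username": name,
                             "Shell": shell if login else "/usr/sbin/nologin",
                             "Home": f"/home/{name}" if login else ""}  # home path assumed
    config["Groups"][name] = {"GID": requested, "Groupname": name}
    return requested

def addusertogroup(config, user, *groups):
    """Record membership; assumes Memberships is keyed by user, listing its groups."""
    if user not in config["Users"] or any(g not in config["Groups"] for g in groups):
        raise ReservationError(f"unknown user or group among {user!r}, {groups}")
    members = config["Memberships"].setdefault(user, [])
    members.extend(g for g in dict.fromkeys(groups) if g not in members)
    return list(members)
```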
Examples
Adding a Nologin User
This is the workflow most SDK users need when reserving new users/groups.
$ python3 nv_uid_gid_reservation.py add_u_g sdk_user
- INFO - Allocated UID 40001 for [nologin user] 'sdk_user'
- INFO - User 'sdk_user' successfully added to output file with UID 40001.
- INFO - Group 'sdk_user' successfully added to output with GID 40001.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml
Adding a Nologin User with a Specific ID
$ python3 nv_uid_gid_reservation.py add_u_g sdk_user_specific -u 40005
- INFO - User 'sdk_user_specific' successfully added to output file with UID 40005.
- INFO - Group 'sdk_user_gid_specific' successfully added to output with GID 40005.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml
Adding a Login User
These users are created with the -p argument, which specifies a password. The tool then prompts for the user's login shell.
$ python3 nv_uid_gid_reservation.py add_u_g login -p test
- INFO - Allocated UID 1500 for [login user] 'login'
Enter shell for login [/bin/bash]:
- INFO - Encrypted password: $1$/yc26Z.E$UZoRQJHmdwAw.nBfHZLCT/
- INFO - User 'login' successfully added to output file with UID 1500.
- INFO - Group 'login' successfully added to output with GID 1500.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml
Adding a System User
$ python3 nv_uid_gid_reservation.py add_u_g sdk_system --system
- INFO - Allocated UID 600 for [system user] 'sdk_system'
- INFO - User 'sdk_system' successfully added to output file with UID 600.
- INFO - Group 'sdk_system' successfully added to output with GID 600.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml
Adding a User to a Group
$ python3 nv_uid_gid_reservation.py addusertogroup sdk_system sdk_user
- INFO - User 'sdk_system' added to groups: sdk_user
- INFO - User 'sdk_system' is a member of: sdk_user
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml