NV UID and GID Reservation Tool#

The NV UID and GID Reservation tool allows SDK users to reserve users and groups in the DriveOS Linux filesystem in order to meet Discretionary Access Control (DAC) security requirements.

The tool ensures that the UIDs and GIDs it assigns fall within the ranges reserved for SDK users and do not overlap with the users and groups that DriveOS has already reserved.

Prerequisites#

  • python3 >= 3.10

Getting Started#

Navigate to the script location:

$ cd ${NV_WORKSPACE}/drive-linux/filesystem/tools/nvusermod
# You will find the tool nv_uid_gid_reservation.py in this directory
# Sample invocation
$ python3 nv_uid_gid_reservation.py add_u_g sdk_group

See the Examples section to add and reserve users/groups in the filesystem image.

Categories of Users#

  • System: System users as per definition of System User Accounts.

    This category is not usually relevant for SDK users; it is meant for the special privileged users that are part of the filesystem image, for instance root, systemd-network, mail, etc.

  • Login: These are part of Regular User Accounts.

    These accounts exist to allow login into the filesystem in the test_nsr, test_sr, debug_sr and dev_nsr PCT variants; the nvidia user is one example.

  • Nologin: These are part of Regular User Accounts.

    These accounts are kept separate because they are used only to launch a particular process and do not require a login shell or a home directory, e.g. the nvsciipc user. Most of the users added to achieve DAC belong to this category.

Tool Inputs#

The tool does not take any input file from the user. All inputs are collected as string arguments on the command line.

Command Format#

$ python3 nv_uid_gid_reservation.py add_u_g [options] [username]
$ python3 nv_uid_gid_reservation.py addusertogroup [username] [group1] [group2] ...

Tool Options#

Command: add_u_g#

This command adds a new UID/GID reservation, and defaults to “nologin” user type.

Usage:

$ python3 nv_uid_gid_reservation.py add_u_g [options] [username]

| Option | Arguments | Description | Example |
|---|---|---|---|
| -c | <path_to_config_file> | Valid Unix path to the tool configuration file, where the supported ID ranges and the common access control YAML are recorded. | -c configs/nv_uid_gid_reservation.CONFIG.yaml |
| --system | N/A | The user being added is treated as a system user. | --system |
| -p | <password> | Marks the user being added as a login user. Takes the password as a string and stores it internally as a salted hash. | -p nvidia |
| -u | id | Reserve the user and group with this specific ID. | -u 2000 |
| [username] | N/A | User and group name. | ./nv_uid_gid_reservation.py add_u_g linuxuser |

Command: addusertogroup#

This command adds a given username to a given list of groups. It does not accept UID/GID.

Usage:

$ python3 nv_uid_gid_reservation.py addusertogroup [username] [group1] [group2] ...

| Argument | Description | Example |
|---|---|---|
| [username] | The user to be added to the groups. | sdk_system |
| [group1] [group2] ... | One or more groups to add the user to. | sdk_user sdk_admin |

Tool Output Files#

RFSAccessControl YAML:

This is the output file of this tool and the input file of NVIDIA Build-FS (the image generation tool), which uses it for user management in the filesystem image.

Example output file:

Users:
    nvsciipc:
        UID: 2000
        Username: nvsciipc
        Shell: /usr/sbin/nologin
        Home: ''
    nvsciipc2:
        UID: 2001
        Username: nvsciipc2
        Shell: /usr/sbin/nologin
        Home: ''
    libnvsciipc:
        UID: 2002
        Username: libnvsciipc
        Shell: /usr/sbin/nologin
        Home: ''
    libnvscievent:
        UID: 2003
        Username: libnvscievent
        Home: ''
Groups:
    nvsciipc:
        GID: 2000
        Groupname: nvsciipc
    nvsciipc2:
        GID: 2001
        Groupname: nvsciipc2
    libnvsciipc:
        GID: 2002
        Groupname: libnvsciipc
    libnvscievent:
        GID: 2003
        Groupname: libnvscievent
Memberships:
    nvsciipc:
    - libnvsciipc
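Because this YAML is what Build-FS consumes, it is worth checking it for consistency before an image is built: IDs outside the reserved ranges, a UID or GID used twice, a user without its matching group, a nologin user that somehow acquired a home directory, or a membership that names an unknown user or group. The following is an added example written for this page, not code from the reservation tool or from Build-FS. It parses the small YAML subset shown above without PyYAML and reports such findings. The reserved ranges in RESERVED_RANGES are assumed values chosen to match the IDs seen in the Examples section; the real ranges live in nv_uid_gid_reservation.CONFIG.yaml. The sample input is constructed and deliberately includes a duplicate UID, a missing group, a populated Home and an unknown group so that the checks have something to report.

```python
# Assumed reserved ranges for the example only; the tool reads the real
# ones from its CONFIG yaml, which is not reproduced here.
RESERVED_RANGES = {"system": (100, 999), "login": (1000, 1999), "nologin": (2000, 59999)}
NOLOGIN_SHELL = "/usr/sbin/nologin"


def _scalar(value: str):
    """Convert a YAML scalar to int or str, stripping matching quotes ('' -> '')."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return int(value) if value.lstrip("-").isdigit() else value


def parse_rfs_yaml(text: str) -> dict:
    """Parse nested 'key:' mappings and '- item' lists, the shape the tool emits.
    YAML allows a list at the same indent as its parent key (see Memberships),
    so list items attach to the most recent 'key:' line rather than by indent."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    last_key = None       # (mapping, key) of the most recent 'key:' line
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("- "):
            mapping, key = last_key
            if not isinstance(mapping[key], list):
                mapping[key] = []
            mapping[key].append(_scalar(line[2:]))
            continue
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        key, _, value = line.partition(":")
        key = key.strip()
        if value.strip() == "":          # 'key:' opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
            last_key = (parent, key)
        else:
            parent[key] = _scalar(value)
    return root


def check_reservations(doc: dict, ranges=RESERVED_RANGES) -> list:
    """Return human-readable findings; an empty list means the file is consistent."""
    findings = []
    users, groups = doc.get("Users", {}), doc.get("Groups", {})
    in_reserved = lambda i: any(lo <= i <= hi for lo, hi in ranges.values())
    seen_uid, seen_gid = {}, {}
    for name, u in users.items():
        uid = u.get("UID")
        if not in_reserved(uid):
            findings.append(f"user {name}: UID {uid} outside reserved ranges")
        if uid in seen_uid:
            findings.append(f"user {name}: UID {uid} already used by {seen_uid[uid]}")
        seen_uid.setdefault(uid, name)
        # The tool reserves a same-named group with the same ID for every user.
        if name not in groups:
            findings.append(f"user {name}: no matching group")
        elif groups[name].get("GID") != uid:
            findings.append(f"user {name}: UID {uid} != GID {groups[name].get('GID')}")
        if u.get("Shell") == NOLOGIN_SHELL and u.get("Home"):
            findings.append(f"user {name}: nologin user has home {u['Home']!r}")
    for name, g in groups.items():
        gid = g.get("GID")
        if not in_reserved(gid):
            findings.append(f"group {name}: GID {gid} outside reserved ranges")
        if gid in seen_gid:
            findings.append(f"group {name}: GID {gid} already used by {seen_gid[gid]}")
        seen_gid.setdefault(gid, name)
    for user, members in doc.get("Memberships", {}).items():
        if user not in users:
            findings.append(f"membership: unknown user {user}")
        for grp in members:
            if grp not in groups:
                findings.append(f"membership: user {user} -> unknown group {grp}")
    return findings


# Constructed sample: two entries from the page's example output plus a
# deliberately broken 'badsvc' user and a membership in an unknown group.
SAMPLE = """\
Users:
    nvsciipc:
        UID: 2000
        Username: nvsciipc
        Shell: /usr/sbin/nologin
        Home: ''
    libnvsciipc:
        UID: 2002
        Username: libnvsciipc
        Shell: /usr/sbin/nologin
        Home: ''
    badsvc:
        UID: 2002
        Username: badsvc
        Shell: /usr/sbin/nologin
        Home: /home/badsvc
Groups:
    nvsciipc:
        GID: 2000
        Groupname: nvsciipc
    libnvsciipc:
        GID: 2002
        Groupname: libnvsciipc
Memberships:
    nvsciipc:
    - libnvsciipc
    - video
"""

if __name__ == "__main__":
    for finding in check_reservations(parse_rfs_yaml(SAMPLE)):
        print("FINDING:", finding)
```

Run against the real file with `check_reservations(parse_rfs_yaml(open(path).read()))`, replacing RESERVED_RANGES with the ranges from your CONFIG yaml; a non-empty list is a reason to stop before invoking Build-FS.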

Examples#

Adding a Nologin User#

This is the workflow most SDK users need when reserving new users and groups.

$ python3 nv_uid_gid_reservation.py add_u_g sdk_user
- INFO - Allocated UID 40001 for [nologin user] 'sdk_user'
- INFO - User 'sdk_user' successfully added to output file with UID 40001.
- INFO - Group 'sdk_user' successfully added to output with GID 40001.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml

Adding a Nologin User with a Specific ID#

$ python3 nv_uid_gid_reservation.py add_u_g sdk_user_specific -u 40005
- INFO - User 'sdk_user_specific' successfully added to output file with UID 40005.
- INFO - Group 'sdk_user_gid_specific' successfully added to output with GID 40005.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml

Adding a Login User#

These users are created with the -p argument, which specifies the password. The tool then prompts for the user's login shell.

$ python3 nv_uid_gid_reservation.py add_u_g login -p test
- INFO - Allocated UID 1500 for [login user] 'login'
Enter shell for login [/bin/bash]:
- INFO - Encrypted password: $1$/yc26Z.E$UZoRQJHmdwAw.nBfHZLCT/
- INFO - User 'login' successfully added to output file with UID 1500.
- INFO - Group 'login' successfully added to output with GID 1500.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml

Adding a System User#

$ python3 nv_uid_gid_reservation.py add_u_g sdk_system --system
- INFO - Allocated UID 600 for [system user] 'sdk_system'
- INFO - User 'sdk_system' successfully added to output file with UID 600.
- INFO - Group 'sdk_system' successfully added to output with GID 600.
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml

Adding a User to a Group#

$ python3 nv_uid_gid_reservation.py addusertogroup sdk_system sdk_user
- INFO - User 'sdk_system' added to groups: sdk_user
- INFO - User 'sdk_system' is a member of: sdk_user
- INFO - Changes saved to: /drive/drive-linux/filesystem/build-fs/configs/access_control_configs/rfs_access_control.CONFIG.yaml