Add ipsec user to shill group.
This CL is in preparation to run the shill process tree as a non-root
user.
There are runtime data dirs that need to be shared between shill and
strongSwan VPN, including /run/l2tpipsec_vpn and /run/ipsec. Ideally,
this would be done by making these directories owned by shill:ipsec (or
ipsec:shill.. doesn't matter) so that both shill (running as
shill:shill) and strongSwan (running as ipsec:ipsec) can have access.
One caveat to this is that we want a way to quickly back out of our
attempt to sandbox shill (from running as root:root to shill:shill) in
case something comes up that we need to fix. Having to change file/dir
perms would slow this revert down (ideally could just do an update to
devices in the field without any code reverts). So for now make ipsec
user part of shill group so we can make the dirs/files owned by
root:shill. This way we can easily switch between running shill as
root:root and shill:shill without updating the perms. After shill
sandboxing has landed we can set up perms as shill:ipsec or vice versa
and get rid of this group membership.
CQ-DEPEND=CL:1080041
BUG=chromium:649417
TEST=tested as part of larger shill sandboxing CL
Change-Id: Ief89c2e08a2f7c2949396be042367f064322af18
Reviewed-on: https://chromium-review.googlesource.com/1076890
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>
1 file changed
