Add kerberosd-exec user and group In order to prevent exploits in third-party code from accessing password information, the Kerberos daemon will run third-party code as kerberosd-exec user in a separate process and prevent it from switching back. BUG=chromium:973391 TEST=None Cq-Depend: chromium:1655314 Change-Id: I2da6c00bc6449242236a27111afc90d5273aa300 Reviewed-on: https://chromium-review.googlesource.com/1655609 Tested-by: Lutz Justen <ljusten@chromium.org> Commit-Ready: Lutz Justen <ljusten@chromium.org> Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org> Reviewed-by: Lutz Justen <ljusten@chromium.org>

commit: cc0531ea4f99f906f60892a1411c2f4d4974fd44 [log] [tgz]
author: Lutz Justen <ljusten@chromium.org> Wed Jun 12 13:26:25 2019 +0200
committer: chrome-bot <chrome-bot@chromium.org> Sat Jun 22 12:40:24 2019 -0700
tree: 589afa9f8aac4328aa6fe95ae7e325cd5139aeb7
parent: 735e0a5ac48b748d45966164832f916c5024a650 [diff]
diff --git a/profiles/base/accounts/group/kerberosd-exec b/profiles/base/accounts/group/kerberosd-exec
new file mode 100644
index 0000000..24d24e7
--- /dev/null
+++ b/profiles/base/accounts/group/kerberosd-exec

@@ -0,0 +1,3 @@
+group:kerberosd-exec
+gid:20138
+users:kerberosd-exec

diff --git a/profiles/base/accounts/user/kerberosd-exec b/profiles/base/accounts/user/kerberosd-exec
new file mode 100644
index 0000000..251bcb2
--- /dev/null
+++ b/profiles/base/accounts/user/kerberosd-exec

@@ -0,0 +1,6 @@
+user:kerberosd-exec
+uid:20138
+gid:20138
+gecos:kerberos daemon process executing third party code
+home:/dev/null
+shell:/bin/false
commit	cc0531ea4f99f906f60892a1411c2f4d4974fd44	[log] [tgz]
author	Lutz Justen <ljusten@chromium.org>	Wed Jun 12 13:26:25 2019 +0200
committer	chrome-bot <chrome-bot@chromium.org>	Sat Jun 22 12:40:24 2019 -0700
tree	589afa9f8aac4328aa6fe95ae7e325cd5139aeb7
parent	735e0a5ac48b748d45966164832f916c5024a650 [diff]