[PSA] (most) new users/groups no longer need whitelisting


Mike Frysinger

Jun 21, 2017, 10:53:33 PM
to chromium-os-dev, Jorge Lucangeli Obes, Mattias Nissler
Jorge has landed a change to security_AccountsBaseline so people no longer need to update the user/group baseline in most cases.  specifically, if your new user/group is standalone and does not have a shell/home dir, it will be automatically "approved".  only in cases where you try to add a user to a different group will you have to update the baselines.  e.g. adding more users to the "chronos-access" group requires a change, but creating user/group "foo" does not.

this is to reflect the fact that the majority of non-root accounts do not expose attack surfaces, so having to whitelist them was pointless friction.

drop all the roots!
-mike
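
The approval rule described in the message above, sketched as an added example; it is not part of the original thread and is not the security_AccountsBaseline source. The shell and home-directory values treated as "none", the baseline data layout, and every sample account and ID are assumptions constructed for illustration.

```python
# Added illustration of the rule in the PSA; not the security_AccountsBaseline code.
# Assumption: these values are what "no shell" / "no home dir" look like.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin"}
EMPTY_HOMES = {"/dev/null", ""}

def rows(text):
    """Yield the colon-separated fields of each passwd(5)/group(5) entry."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.strip().split(":")

def needs_baseline_update(passwd_text, group_text, base_users, base_groups):
    """Return sorted findings that are not auto-approved by the rule."""
    groups = {g[0]: (g[2], {m for m in g[3].split(",") if m})
              for g in rows(group_text)}
    findings = []
    for name, _pw, _uid, gid, _gecos, home, shell in rows(passwd_text):
        if name in base_users:
            continue  # already baselined
        if shell not in NOLOGIN_SHELLS:
            findings.append(f"user {name}: has login shell {shell}")
        if home not in EMPTY_HOMES:
            findings.append(f"user {name}: has home dir {home}")
        if groups.get(name, (None,))[0] != gid:
            findings.append(f"user {name}: primary group is not its own")
    for gname, (_gid, members) in groups.items():
        # A group missing from the baseline may only hold its same-named user.
        allowed = base_groups.get(gname, {gname})
        for member in sorted(members - allowed):
            findings.append(f"group {gname}: unexpected member {member}")
    return sorted(findings)

# Constructed sample data: "bar", "baz" and all numeric IDs are made up.
SAMPLE_PASSWD = """\
chronos:x:1000:1000:system_user:/home/chronos/user:/bin/bash
foo:x:20100:20100:foo daemon:/dev/null:/bin/false
bar:x:20101:20101:bar daemon:/dev/null:/bin/false
baz:x:20102:20102:baz daemon:/home/baz:/bin/bash
"""
SAMPLE_GROUP = """\
chronos-access:x:1001:chronos,bar
foo:x:20100:
bar:x:20101:
baz:x:20102:
"""
BASE_USERS = {"chronos"}
BASE_GROUPS = {"chronos-access": {"chronos"}}

if __name__ == "__main__":
    print("\n".join(needs_baseline_update(
        SAMPLE_PASSWD, SAMPLE_GROUP, BASE_USERS, BASE_GROUPS)))
```

In the sample, "foo" produces no finding, "bar" is flagged only for joining "chronos-access", and "baz" is flagged for its shell and home directory.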

Brian Norris

Jun 21, 2017, 11:13:02 PM
to Mike Frysinger, chromium-os-dev, Jorge Lucangeli Obes, Mattias Nissler
W00t! That'll probably help avoid a few dozen [1] needless CQ failures a year.

[1] Number completely imagined.

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-dev?hl=en


Jorge Lucangeli Obes

Jun 22, 2017, 10:06:45 AM
to chromium-os-dev, Mike Frysinger, Mattias Nissler, Brian Norris
Thanks Mike for the PSA, I thought about sending it a bunch of times yesterday but then got distracted, probably by something shiny.

Just a quick note that if you're feeling particularly generous, we'd still appreciate keeping the test baseline updated -- but at least now there's no need to CQ-DEPEND the changes.

Cheers,
Jorge