Skip to content

Feature: Optional adding the OS user to a OS group#122

Open
ohmer1 wants to merge 1 commit into
open-webui:mainfrom
ohmer1:feature-add-usergroup
Open

Feature: Optional adding the OS user to a OS group#122
ohmer1 wants to merge 1 commit into
open-webui:mainfrom
ohmer1:feature-add-usergroup

Conversation

@ohmer1

@ohmer1 ohmer1 commented May 6, 2026

Copy link
Copy Markdown

This PR adds an OS user to an existing OS group. This feature is used to further restrict sudo privileges by limiting them to runas members of a specific group only. Here is an example :

The USER_GROUP variable have otusers as value. The USER_PREFIX have ot_ as value. The service run as openterminal user. My sudoers file is the following.

Defaults:openterminal !requiretty, !use_pty, !pam_session

Cmnd_Alias OPENTERMINAL_CMDS = \
    /usr/sbin/useradd ^-m -s /bin/bash ot_[a-z0-9_]{1,32}$, \
    /usr/bin/chown ^(-R )?ot_[a-z0-9_]{1,32}:ot_[a-z0-9_]{1,32} /home/ot_[a-z0-9_]{1,32}(/[a-zA-ZÀÂÄÉÈÊËÎÏÔÖÙÛÜÇàâäéèêëîïôöùûüç0-9_][a-zA-ZÀÂÄÉÈÊËÎÏÔÖÙÛÜÇàâäéèêëîïôöùûüç0-9%&_.+\$()\ -]*)*/?$, \
    /usr/bin/chmod ^2770 /home/ot_[a-z0-9_]{1,32}(/[a-zA-ZÀÂÄÉÈÊËÎÏÔÖÙÛÜÇàâäéèêëîïôöùûüç0-9_][a-zA-ZÀÂÄÉÈÊËÎÏÔÖÙÛÜÇàâäéèêëîïôöùûüç0-9%&_.+\$()\ -]*)*/?$, \
    /usr/bin/chmod ^g\+w /home/ot_[a-z0-9_]{1,32}(/[a-zA-ZÀÂÄÉÈÊËÎÏÔÖÙÛÜÇàâäéèêëîïôöùûüç0-9_][a-zA-ZÀÂÄÉÈÊËÎÏÔÖÙÛÜÇàâäéèêëîïôöùûüç0-9%&_.+\$()\ -]*)*/?$, \
    /usr/sbin/usermod ^-aG otusers ot_[a-z0-9_]{1,32}$, \
    /usr/sbin/usermod ^-aG ot_[a-z0-9_]{1,32} openterminal$

openterminal ALL=(root) NOPASSWD: OPENTERMINAL_CMDS

openterminal ALL=(%otusers) NOPASSWD: ALL

The service's privileges are constrained on two fronts:

  • When acting as root, it is restricted to the explicitly defined OPENTERMINAL_CMDS allowlist, covering only the necessary useradd, chown, chmod, and usermod operations.
  • When impersonating other users, it can only do so for members of the otusers group, preventing any lateral movement to unrelated system accounts.

This ensures the service cannot gain unrestricted root access or impersonate arbitrary users, significantly limiting its attack surface. I also constrained the systemd service, but this is out of scope of this PR and doesn't require patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant