feat: Add user management daemon #309

rd-foredge · 2025-11-15T03:25:16Z

does faillock support individual config per group/role/user ?

This is applied per role.

Copilot · 2025-11-25T16:48:30Z

The PAM faillock configuration template only uses the first role's max_login_attempts value due to the way the template is structured. The loop iterates over all roles but each iteration overwrites the previous deny setting. This means only the last processed role's setting will be effective. Consider restructuring the template to either apply different settings per user or use a global setting based on the most restrictive policy.

Suggested change

{% for role, policy in security_policies.items() %}

{% if policy.max_login_attempts %}

# {{ role }} role settings

deny = {{ policy.max_login_attempts }}

unlock_time = 900 # 15 minutes

{% endif %}

{% endfor %}

{% set max_attempts_list = [] %}

{% for role, policy in security_policies.items() %}

{% if policy.max_login_attempts %}

{% set _ = max_attempts_list.append(policy.max_login_attempts) %}

{% endif %}

{% endfor %}

{% if max_attempts_list %}

deny = {{ max_attempts_list | min }}

unlock_time = 900 # 15 minutes

{% else %}

# No max_login_attempts set in any role, use default

deny = 5

unlock_time = 900

{% endif %}

Copilot · 2025-11-25T16:48:34Z

[nitpick] The changelog indicates a future date (Mon, 11 Aug 2025) which is unusual. Typically changelog dates should reflect the actual release date or use the current date. Consider using the current date or a placeholder that will be updated upon release.

Suggested change

-- SONiC Maintainers <[email protected]> Mon, 11 Aug 2025 08:00:00 +0000

-- SONiC Maintainers <[email protected]> TODO: update upon release

Copilot · 2025-11-25T16:48:30Z

[nitpick] The service configuration has Restart=always with RestartSec=5, which means if the daemon crashes due to a configuration error or bug, it will restart indefinitely every 5 seconds. Consider adding StartLimitBurst and StartLimitIntervalSec to prevent endless restart loops that could impact system stability.

Suggested change

RestartSec=5

RestartSec=5

StartLimitBurst=3

StartLimitIntervalSec=60

-Original file line number
+Diff line change
@@ -0,0 +1,26 @@
+    # Makefile for sonic-host-userd
+    .PHONY: all clean install build-cpp
+    # Default target
+    all: build-cpp
+    # Build C++ components
+    build-cpp:
+    	mkdir -p build
+    	cd build && cmake ../src && make
+    # Clean build artifacts
+    clean:
+    	rm -rf build
+    # Install (called by debian packaging)
+    install: build-cpp
+    	mkdir -p $(DESTDIR)/usr/local/bin
+    	cp build/userd $(DESTDIR)/usr/local/bin/userd
+    	chmod +x $(DESTDIR)/usr/local/bin/userd
+    # For development/testing
+    install-local: build-cpp
+    	sudo cp build/userd /usr/local/bin/userd
+    	sudo chmod +x /usr/local/bin/userd

Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		11

-Original file line number
+Diff line change
@@ -0,0 +1,11 @@
+    Source: sonic-host-userd
+    Maintainer: SONiC Maintainers <[email protected]>
+    Section: misc
+    Priority: optional
+    Standards-Version: 0.1
+    Build-Depends: debhelper (>=11), cmake, g++, pkg-config, libcrypt-dev, nlohmann-json3-dev, libswsscommon-dev
+    Package: sonic-host-userd
+    Architecture: any
+    Depends: ${shlibs:Depends}, ${misc:Depends}, sonic-host-services-data, libswsscommon
+    Description: SONiC host userd binary

-Original file line number
+Diff line change
@@ -0,0 +1,20 @@
+    Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+    Upstream-Name: sonic-host-userd
+    Source: https://github.com/Azure/sonic-buildimage
+    Files: *
+    Copyright: 2025 Microsoft Corporation
+    License: Apache-2.0
+    License: Apache-2.0
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+     .
+     http://www.apache.org/licenses/LICENSE-2.0
+     .
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.

Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		build/userd /usr/local/bin/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add user management daemon #309

Uh oh!

Diff view

Diff view

There are no files selected for viewing

rd-foredge Nov 15, 2025

Uh oh!

manoharan-nexthop Nov 25, 2025

Uh oh!

Copilot AI Nov 25, 2025

Uh oh!

Copilot AI Nov 25, 2025

Uh oh!

Copilot AI Nov 25, 2025

Uh oh!

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ -0,0 +1,20 @@
+    #!/usr/bin/make -f
+    %:
+    	dh $@
+    override_dh_auto_build:
+    	dh_auto_build
+    	# Build C++ components
+    	make build-cpp
+    override_dh_auto_install:
+    	dh_auto_install
+    	# Install C++ components
+    	make install DESTDIR=$(CURDIR)/debian/sonic-host-userd
+    override_dh_installsystemd:
+    	dh_installsystemd --no-start --name=sonic-host-userd
+    override_dh_usrlocal:
+    	# Skip dh_usrlocal since we're intentionally installing to /usr/local/bin

-Original file line number
+Diff line change
@@ -0,0 +1,31 @@
+    cmake_minimum_required(VERSION 3.10)
+    project(sonic-host-userd)
+    set(CMAKE_CXX_STANDARD 17)
+    set(CMAKE_CXX_STANDARD_REQUIRED ON)
+    # Include directories (SONiC standard paths)
+    include_directories(/usr/include/swss)
+    include_directories(/usr/include)
+    # Compiler flags
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Wextra -Werror")
+    set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -g -O0")
+    set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -O2")
+    # Add executable
+    add_executable(userd userd.cpp)
+    # Link libraries
+    target_link_libraries(userd
+        swsscommon
+        pthread
+        crypt
+    )
+    # Install target
+    install(TARGETS userd
+        RUNTIME DESTINATION /usr/local/bin
+    )

feat: Add user management daemon #309

Are you sure you want to change the base?

Uh oh!

feat: Add user management daemon #309

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

rd-foredge Nov 15, 2025

Choose a reason for hiding this comment

Uh oh!

manoharan-nexthop Nov 25, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Nov 25, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Nov 25, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Nov 25, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!