Enforcing your own security policy that defines users, SSH keys, and sudo configuration inside custom templates based on official images in Google Cloud requires that you disable Google Accounts service, so it won’t get in the way.
This blog post is now obsolete.
Google Accounts service manages user accounts on Google Compute Engine instances.
Jun 24 09:59:46 instance-test-2 instance-setup: INFO Running google_set_multiqueue.
Jun 24 09:59:47 instance-test-2 google-clock-skew: INFO Starting Google Clock Skew daemon.
Jun 24 09:59:47 instance-test-2 google-clock-skew: INFO Clock drift token has changed: 0.
Jun 24 09:59:47 instance-test-2 google-networking: INFO Starting Google Networking daemon.
Jun 24 09:59:47 instance-test-2 google-accounts: INFO Starting Google Accounts daemon.
Jun 24 09:59:48 instance-test-2 google-clock-skew: INFO Synced system time with hardware clock.
Jun 24 09:59:48 instance-test-2 google-accounts: INFO Creating a new user account for milosz.
Jun 24 09:59:48 instance-test-2 google-accounts: INFO Created user account milosz.
Jun 24 09:59:48 instance-test-2 google-accounts: INFO Adding user milosz to the Google sudoers group.
Jun 24 09:59:48 instance-test-2 google_accounts_daemon: Adding user milosz to group google-sudoers
It will also add users to the google-sudoers group.
[milosz@instance-blog-2 ~]$ groups
milosz google-sudoers
Membership in this group provides an easy way to gain full system access.
$ sudo cat /etc/sudoers.d/google_sudoers
%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
$ sudo -l
Matching Defaults entries for milosz on instance-blog-2:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User milosz may run the following commands on instance-blog-2:
    (ALL : ALL) NOPASSWD: ALL
To disable the Google Accounts daemon, create the /etc/default/instance_configs.cfg.template configuration template file and set accounts_daemon to false.
$ cat /etc/default/instance_configs.cfg.template
[Daemons]
accounts_daemon = false
Regenerate the /etc/default/instance_configs.cfg configuration file.
$ sudo /usr/bin/google_instance_setup
Verify the regenerated configuration file.
$ cat /etc/default/instance_configs.cfg
# This file is automatically created at boot time by the /usr/lib/python
# 2.7/site-packages/google_compute_engine/instance_setup/instance_config
# .pyc script. Do not edit this file directly. If you need to add items
# to this file, create or edit
# /etc/default/instance_configs.cfg.template instead and then run
# /usr/bin/google_instance_setup.
[Accounts]
deprovision_remove = false
gpasswd_add_cmd = gpasswd -a {user} {group}
gpasswd_remove_cmd = gpasswd -d {user} {group}
groupadd_cmd = groupadd {group}
groups = adm,dip,docker,lxd,plugdev,video
useradd_cmd = useradd -m -s /bin/bash -p * {user}
userdel_cmd = userdel -r {user}
usermod_cmd = usermod -G {groups} {user}

[Daemons]
accounts_daemon = false
clock_skew_daemon = true
ip_forwarding_daemon = true
network_daemon = true

[Instance]
instance_id = 8326045414360301718

[InstanceSetup]
host_key_types = ecdsa,ed25519,rsa
network_enabled = true
optimize_local_ssd = true
set_boto_config = true
set_host_keys = true
set_multiqueue = true

[IpForwarding]
ethernet_proto_id = 66
ip_aliases = true
target_instance_ips = true

[MetadataScripts]
default_shell = /bin/bash
run_dir =
shutdown = true
startup = true

[NetworkInterfaces]
dhclient_script = /sbin/google-dhclient-script
dhcp_command =
ip_forwarding = true
setup = true
Stop the google-accounts-daemon service.
$ sudo systemctl stop google-accounts-daemon
Disable the google-accounts-daemon service.
$ sudo systemctl disable google-accounts-daemon
The daemon is now disabled and will not start at boot, as the next boot log confirms.
Jun 24 11:47:54 instance-test-2 instance-setup: INFO Running google_set_multiqueue.
Jun 24 11:47:54 instance-test-2 google-clock-skew: INFO Starting Google Clock Skew daemon.
Jun 24 11:47:54 instance-test-2 google-clock-skew: INFO Clock drift token has changed: 0.
Jun 24 11:47:54 instance-test-2 google-networking: INFO Starting Google Networking daemon.
Jun 24 11:47:55 instance-test-2 google-clock-skew: INFO Synced system time with hardware clock.
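Because a template built from this instance is only as good as the state it captures, a small audit script is useful in the build pipeline. The following is an added example and not part of the original post or the Google Compute Engine packages: it checks that the regenerated instance_configs.cfg really turns accounts_daemon off in the [Daemons] section (a key in another section does not count), that the google_sudoers drop-in still grants NOPASSWD root to %google-sudoers (so stale group members still matter), and that the unit is no longer enabled. Paths are the ones shown above; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audit helpers for the procedure above.

# Exit 0 when the [Daemons] section of the given instance_configs.cfg sets
# accounts_daemon = false. Section-aware: the key is ignored outside [Daemons].
accounts_daemon_disabled() {
  awk '
    /^[[:space:]]*\[/ {
      section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section); next
    }
    section == "Daemons" && /^[[:space:]]*accounts_daemon[[:space:]]*=/ {
      value = $0; sub(/^[^=]*=/, "", value); gsub(/[[:space:]]/, "", value)
      found = 1; result = tolower(value)
    }
    END { exit (found && result == "false") ? 0 : 1 }
  ' "$1"
}

# Exit 0 when the sudoers drop-in still hands %google-sudoers passwordless root,
# i.e. anyone the daemon previously added to that group keeps full access.
google_sudoers_grants_root() {
  grep -Eq '^[[:space:]]*%google-sudoers[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL' "$1"
}

# Report on a live instance using the paths from the post (overridable for testing).
audit_instance() {
  cfg=${1:-/etc/default/instance_configs.cfg}
  sudoers=${2:-/etc/sudoers.d/google_sudoers}
  if accounts_daemon_disabled "$cfg"; then echo "ok: accounts_daemon = false in $cfg"
  else echo "FAIL: accounts_daemon is not disabled in $cfg"; fi
  if google_sudoers_grants_root "$sudoers" 2>/dev/null; then
    echo "note: $sudoers still grants NOPASSWD root to %google-sudoers; review group membership"
  fi
  if command -v systemctl >/dev/null 2>&1 && systemctl is-enabled google-accounts-daemon >/dev/null 2>&1; then
    echo "FAIL: google-accounts-daemon is still enabled"
  fi
}

# Constructed sample mirroring the regenerated file shown in the post.
sample_config() {
  printf '[Accounts]\ngroups = adm,dip,docker\n\n[Daemons]\naccounts_daemon = false\nclock_skew_daemon = true\n'
}

tmp=$(mktemp); sample_config > "$tmp"
accounts_daemon_disabled "$tmp" && echo "sample config: accounts daemon disabled"
rm -f "$tmp"
```

Run `audit_instance` on the instance itself (or pass a config and sudoers path) before snapshotting it into a template.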
You can use this instance as is or create a custom template to globally take advantage of the applied modification.
Additional information
Inspect the Packages for Google Compute Engine Linux images repository, its documentation, and the accounts_daemon.py source code.