author | Matei Valeanu <Matei.Valeanu@enea.com> | 2021-06-24 17:29:04 +0200 |
---|---|---|
committer | Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2021-06-30 06:35:36 +0200 |
commit | eea99925d3bef32434653aa6c2fabe6de24be950 (patch) | |
tree | 758367825ddfa8eeb214d1531ad796e6d199081a | |
parent | 7ede3bf0c747d741994e85230e8d9e529b33c9ab (diff) | |
download | meta-el-nfv-access-eea99925d3bef32434653aa6c2fabe6de24be950.tar.gz |
Update UID/GID
New groups and users:
-g - kvm: added by libvirt [2]
-g - render: added by systemd, after boot-up introduced in [1]
Removed groups and users:
-g and u - systemd-resolve and systemd-network:
both were only kept for backward compatibility, not needed anymore
-g - lock: systemd_246.9.bb no longer adds it in GROUPADD_PARAM,
unlike systemd version on 2.4.0-2
-g and u - polkitd: systemd_246.9.bb no longer adds polkit in
PACKAGECONFIG
-g and u - ntp: meta-enea-virtualization/recipes-enea/ntp-user-stub/\
ntp-user-stub_1.0.bb removed
-g - netdev: dbus_1.12.20.bb no longer adds netdev in GROUPADD_PARAM
Added systemd_246.9.bbappend to overwrite basic.conf.in
and add 'render' using GROUPADD_PARAM at build-time instead of at boot-time
Add new groups/users in basic.conf.in using fixed ids, in sync with
<layer>/files/{group,passwd}
[1] https://github.com/systemd/systemd/commit/4e15a7343cb
[2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/\
commit/recipes-extended/libvirt?h=gatesgarth&id=b5b5defc78ea03c8
Change-Id: If1768a544c53552bf2eff1d8051830975ae0ed2f
Signed-off-by: Matei Valeanu <Matei.Valeanu@enea.com>
-rw-r--r-- | files/group | 9 | ||||
-rw-r--r-- | files/passwd | 5 | ||||
-rw-r--r-- | recipes-core/systemd/files/basic.conf.in | 50 | ||||
-rw-r--r-- | recipes-core/systemd/systemd_247.6.bbappend | 19 |
4 files changed, 71 insertions, 12 deletions
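--- a/files/group
+++ b/files/group
@@ -34,24 +34,19 @@ utmp:x:43:
 video:x:44:
 sasl:x:45:
 plugdev:x:46:
+kvm:x:47:qemu
 staff:x:50:
 games:x:60:
 shutdown:x:70:
 users:x:100:
-dhcpcd:x:984:
+render:x:983:
 systemd-bus-proxy:x:985:
-systemd-resolve:x:986:
-systemd-network:x:987:
 systemd-timesync:x:988:
 systemd-journal:x:989:
-lock:x:990:
 sshd:x:991:
 qemu:x:992:
-polkitd:x:993:
-ntp:x:994:
 docker:x:995:
 messagebus:x:996:
-netdev:x:997:
 bind:x:998:
 _apt:x:999:
 nogroup:x:65534: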
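Review bot: The removals in this section free GIDs 984, 986, 987, 990, 993, 994 and 997 (files/passwd likewise frees UIDs 988, 990, 991, 995 and 996), and nothing visible in the commit deals with files on already-deployed systems that are still owned by those numbers. If a later package or sysusers entry is allocated one of the freed ids, it would inherit ownership of leftovers such as the former `/var/lib/ntp` or `/etc/polkit-1` contents, so an upgrade step that removes or re-owns those paths is worth considering; whether such paths survive an upgrade depends on the deployment and is not shown on this page. Separately, `dhcpcd` is dropped from both files although the description's list of removed users and groups does not mention it; the reason should be recorded there.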
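--- a/files/passwd
+++ b/files/passwd
@@ -15,15 +15,10 @@ backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
-dhcpcd:x:988:984::/var/lib/dhcpcd:/bin/false
 systemd-bus-proxy:x:989:985::/:/bin/nologin
-systemd-resolve:x:990:986::/:/bin/nologin
-systemd-network:x:991:987::/:/bin/nologin
 systemd-timesync:x:992:988::/:/bin/nologin
 sshd:x:993:991::/var/run/sshd:/bin/false
 qemu:x:994:992::/home/qemu:/bin/sh
-polkitd:x:995:993::/etc/polkit-1:/bin/sh
-ntp:x:996:994::/var/lib/ntp:/bin/false
 messagebus:x:997:996::/var/lib/dbus:/bin/false
 bind:x:998:998::/var/cache/bind:/bin/sh
 _apt:x:999:999::/nonexistent:/bin/false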
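--- /dev/null
+++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# The superuser
+u root 0 "Super User" /root
+
+# Administrator group: can *see* more than normal users
+g adm - - -
+
+# Access to certain kernel and userspace facilities
+g kmem - - -
+g tty @TTY_GID@ - -
+g utmp - - -
+
+# Hardware access groups
+g audio - - -
+g cdrom - - -
+g dialout - - -
+g disk - - -
+g input - - -
+g lp - - -
+g tape - - -
+g video - - -
+
+# Default group for normal users
+g users @USERS_GID@ - -
+## ENEA_start ##
+# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
+# - nothing in NFVA uses the wheel group, do not create it;
+# - the 'nobody' group was automatically created for the existing 'nobody' user,
+# which is not necessary, NFVA already has 'nogroup' (GID 65534);
+#
+# Administrator group: can *do* more than normal users
+# g wheel - - -
+# The nobody user for NFS file systems
+# u @NOBODY_USER_NAME@ 65534 "Nobody" -
+#
+# Keep the next users/groups in sync with those in <layer>/files/{passwd,group}
+# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
+# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
+# we must dynamically add them, with fixed ids. Ids are the same as in
+# <layer>/files/{passwd,group}
+g kvm 47 - -
+m qemu kvm
+g render 983 - -
+## ENEA_end ##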
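Review bot: The comment on lines 42-46 promises that `kvm` and `render` are added "with fixed ids", but as far as I know systemd-sysusers treats the numeric id on a `g` line as a request and allocates a different one, with only an informational log message, when that id is already in use on the target. On a system whose /etc/group was not updated and already has another group at 47 or 983, the result would silently diverge from files/group. The comment should say so, for example `# NOTE: sysusers falls back to a dynamic id if 47 or 983 is taken; check the sysusers log after an upgrade`. Likewise `m qemu kvm` implicitly creates `qemu` with a dynamic id if that user is missing, which the comment could mention as well.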
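--- /dev/null
+++ b/recipes-core/systemd/systemd_247.6.bbappend
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_sota = " file://basic.conf.in"
+
+GROUPADD_PARAM_${PN}_append_sota = "; -r render"
+
+# systemd uses certain groups unless configured not to (e.g. journal logs are more
+# broadly available to the 'wheel' group unless told otherwise), while some resources
+# are using to the 'nobody' group. Configure systemd to:
+# - not use the 'wheel' group (journal access will be restriced to root user);
+# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
+EXTRA_OEMESON += " \
+-Dwheel-group=false \
+-Dnobody-group=nogroup \
+"
+
+do_configure_prepend_sota() {
+cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
+}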
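Review bot: Line 5 requests a system group `render` without a GID, so the build-time group only ends up as 983 (the value used in files/group and basic.conf.in) if the layer's static id tables are applied to this recipe; that configuration is not visible in this commit. If it cannot be relied on, pin the id in the recipe: `GROUPADD_PARAM_${PN}_append_sota = "; -r -g 983 render"`. The two meson options on lines 12-15 are set for every build while the basic.conf.in replacement is limited to the `sota` override, and a one-line comment stating whether that difference is intended would help. The comment on lines 9-10 also has two typos (`are using to`, `restriced`).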