From 23ed226a4b4b7c1cac2c52e6808631d9f0d6f652 Mon Sep 17 00:00:00 2001
From: Matei Valeanu
Date: Fri, 19 Feb 2021 19:17:20 +0100
Subject: Set the users and groups statically

Cannot set USERADD_ERROR_DYNAMIC to error as it breaks the build. We need to be carefull when adding new users/groups, to also add them to files/{groups,passwd}

Change-Id: I7ecfa9936af6319ced946e243cbe3bbcd23e8e4c
Signed-off-by: Matei Valeanu
---
 conf/template.atom-c3000-debug/local.conf.sample | 26 +++++++++++
 conf/template.atom-c3000/local.conf.sample | 26 +++++++++++
 conf/template.xeon-d-debug/local.conf.sample | 26 +++++++++++
 conf/template.xeon-d/local.conf.sample | 26 +++++++++++
 files/group | 56 ++++++++++++++++++++++++
 files/passwd | 29 ++++++++++++
 6 files changed, 189 insertions(+)
 create mode 100644 files/group
 create mode 100644 files/passwd

diff --git a/conf/template.atom-c3000-debug/local.conf.sample b/conf/template.atom-c3000-debug/local.conf.sample
index c749b24..60e8955 100644
--- a/conf/template.atom-c3000-debug/local.conf.sample
+++ b/conf/template.atom-c3000-debug/local.conf.sample
@@ -250,3 +250,29 @@ SOTA_MACHINE ?= "${MACHINE}"
 DISTRO_FEATURES_append = " sota"
 DISTRO_FEATURES_NATIVE_append = " sota"
 INHERIT += " sota"
+
+# Various packages dynamically add users and groups to the system at package
+# install time. For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid. This can lead to non-deterministic uid/gid values from one build
+# to another. Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values. Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting. This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/conf/template.atom-c3000/local.conf.sample b/conf/template.atom-c3000/local.conf.sample
index 8c24e77..b015f43 100644
--- a/conf/template.atom-c3000/local.conf.sample
+++ b/conf/template.atom-c3000/local.conf.sample
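Review bot: With `USERADD_ERROR_DYNAMIC` left commented out at the end of the hunk, nothing checks that the users and groups a recipe creates actually have rows in files/passwd and files/group, so a missing row silently falls back to a dynamically assigned uid/gid and the determinism this block is meant to buy is lost without any signal in the build. The class also accepts a non-fatal setting, `USERADD_ERROR_DYNAMIC = "warn"` as far as I recall from useradd-staticids.bbclass, which would surface the drift as a warning without the build break the commit message reports for `error`; I would try that in place of the commented line. If the class in use only recognises `error`/`warn`, the example value `"1"` is also stale and a reader who uncomments it would get no enforcement at all, so the comment should name the real values. The identical block is appended to the atom-c3000, xeon-d-debug and xeon-d templates, so the same applies to all four hunks.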
@@ -247,3 +247,29 @@ SOTA_MACHINE ?= "${MACHINE}"
 DISTRO_FEATURES_append = " sota"
 DISTRO_FEATURES_NATIVE_append = " sota"
 INHERIT += " sota"
+
+# Various packages dynamically add users and groups to the system at package
+# install time. For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid. This can lead to non-deterministic uid/gid values from one build
+# to another. Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values. Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting. This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/conf/template.xeon-d-debug/local.conf.sample b/conf/template.xeon-d-debug/local.conf.sample
index e898db6..6474a37 100644
--- a/conf/template.xeon-d-debug/local.conf.sample
+++ b/conf/template.xeon-d-debug/local.conf.sample
@@ -251,3 +251,29 @@ SOTA_MACHINE ?= "${MACHINE}"
 DISTRO_FEATURES_append = " sota"
 DISTRO_FEATURES_NATIVE_append = " sota"
 INHERIT += " sota"
+
+# Various packages dynamically add users and groups to the system at package
+# install time. For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid. This can lead to non-deterministic uid/gid values from one build
+# to another. Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values. Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting. This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/conf/template.xeon-d/local.conf.sample b/conf/template.xeon-d/local.conf.sample
index 3b1063e..5cfebf5 100644
--- a/conf/template.xeon-d/local.conf.sample
+++ b/conf/template.xeon-d/local.conf.sample
@@ -248,3 +248,29 @@ SOTA_MACHINE ?= "${MACHINE}"
 DISTRO_FEATURES_append = " sota"
 DISTRO_FEATURES_NATIVE_append = " sota"
 INHERIT += " sota"
+
+# Various packages dynamically add users and groups to the system at package
+# install time. For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid. This can lead to non-deterministic uid/gid values from one build
+# to another. Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values. Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting. This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/files/group b/files/group
new file mode 100644
index 0000000..99cb628
--- /dev/null
+++ b/files/group
@@ -0,0 +1,56 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+input:x:19:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+shutdown:x:70:
+users:x:100:
+systemd-bus-proxy:x:985:
+systemd-resolve:x:986:
+systemd-network:x:987:
+systemd-timesync:x:988:
+systemd-journal:x:989:
+lock:x:990:
+sshd:x:991:
+qemu:x:992:
+polkitd:x:993:
+ntp:x:994:
+docker:x:995:
+messagebus:x:996:
+netdev:x:997:
+bind:x:998:
+_apt:x:999:
+nogroup:x:65534:
diff --git a/files/passwd b/files/passwd
new file mode 100644
index 0000000..2c21e09
--- /dev/null
+++ b/files/passwd
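Review bot: The numeric ids in this table do not line up with the ones files/passwd gives the same names: `systemd-bus-proxy` is gid 985 here but uid 989 in passwd, `sshd` is gid 991 but uid 993, `qemu` 992 but 994, and so on through `_apt`. That is valid, but because uid 989 belongs to `systemd-bus-proxy` while gid 989 belongs to `systemd-journal`, anyone matching a bare id seen in a log or on a file back to an account can easily pick the wrong one. Since both tables are introduced together, giving each system account the same number for uid and gid (renumbering the few groups that would then collide) would remove that ambiguity. A leading `# keep in sync with files/passwd` line would also carry the commit message's warning into the file itself, assuming the table parser skips `#` lines, which I believe useradd-staticids does.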
@@ -0,0 +1,29 @@
+root:x:0:0:root:/home/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+systemd-bus-proxy:x:989:985::/:/bin/nologin
+systemd-resolve:x:990:986::/:/bin/nologin
+systemd-network:x:991:987::/:/bin/nologin
+systemd-timesync:x:992:988::/:/bin/nologin
+sshd:x:993:991::/var/run/sshd:/bin/false
+qemu:x:994:992::/home/qemu:/bin/sh
+polkitd:x:995:993::/etc/polkit-1:/bin/sh
+ntp:x:996:994::/var/lib/ntp:/bin/false
+messagebus:x:997:996::/var/lib/dbus:/bin/false
+bind:x:998:998::/var/cache/bind:/bin/sh
+_apt:x:999:999::/nonexistent:/bin/false
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
-- 
cgit v1.2.3-54-g00ecf
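Review bot: Most of the service accounts in this table are given an interactive shell: `daemon`, `bin`, `sys`, `lp`, `mail`, `news`, `uucp`, `proxy`, `www-data`, `backup`, `list`, `irc`, `gnats`, `qemu`, `polkitd`, `bind` and `nobody` all end in `/bin/sh`, while the neighbouring `systemd-*`, `sshd`, `ntp`, `messagebus` and `_apt` rows use `/bin/nologin` or `/bin/false`. As far as I recall, useradd-staticids applies a non-empty shell column over the recipe's own `--shell` argument, so this table would turn accounts that the recipes create as non-interactive back into login-capable ones on the image. If that is the case, rows for accounts that are not meant to log in should carry `/bin/nologin` (or leave the column empty so the recipe value is kept), e.g. `qemu:x:994:992::/home/qemu:/bin/nologin` and `polkitd:x:995:993::/etc/polkit-1:/bin/nologin`. Settling on one of `/bin/nologin` and `/bin/false` for all such rows would also make the table easier to audit.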