From eea99925d3bef32434653aa6c2fabe6de24be950 Mon Sep 17 00:00:00 2001 From: Matei Valeanu Date: Thu, 24 Jun 2021 17:29:04 +0200 Subject: Update UID/GID New groups and users: -g - kvm: added by libvirt [2] -g - render: added by systemd, after boot-up introduced in [1] Removed groups and users: -g and u - systemd-resolve and systemd-network: both were only kept for backward compatibility, not needed anymore -g - lock: systemd_246.9.bb no longer adds it in GROUPADD_PARAM, unlike systemd version on 2.4.0-2 -g and u - polkitd: systemd_246.9.bb no longer adds polkit in PACKAGECONFIG -g and u - ntp: meta-enea-virtualization/recipes-enea/ntp-user-stub/\ ntp-user-stub_1.0.bb removed -g - netdev: dbus_1.12.20.bb no longer adds netdev in GROUPADD_PARAM Added systemd_246.9.bbappend to overwrite basic.conf.in and add 'render' using GROUPADD_PARAM at build-time instead on boot-time Add new groups/users in basic.conf.in using fixed ids, in sync with /files/{group,passwd} [1] https://github.com/systemd/systemd/commit/4e15a7343cb [2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/\ commit/recipes-extended/libvirt?h=gatesgarth&id=b5b5defc78ea03c8 Change-Id: If1768a544c53552bf2eff1d8051830975ae0ed2f Signed-off-by: Matei Valeanu --- files/group | 9 ++---- files/passwd | 5 --- recipes-core/systemd/files/basic.conf.in | 50 +++++++++++++++++++++++++++++ recipes-core/systemd/systemd_247.6.bbappend | 19 +++++++++++ 4 files changed, 71 insertions(+), 12 deletions(-) create mode 100644 recipes-core/systemd/files/basic.conf.in create mode 100644 recipes-core/systemd/systemd_247.6.bbappend diff --git a/files/group b/files/group index cc37138..ffb9c82 100644 --- a/files/group +++ b/files/group 
@@ -34,24 +34,19 @@ utmp:x:43:
 video:x:44:
 sasl:x:45:
 plugdev:x:46:
+kvm:x:47:qemu
 staff:x:50:
 games:x:60:
 shutdown:x:70:
 users:x:100:
-dhcpcd:x:984:
+render:x:983:
 systemd-bus-proxy:x:985:
-systemd-resolve:x:986:
-systemd-network:x:987:
 systemd-timesync:x:988:
 systemd-journal:x:989:
-lock:x:990:
 sshd:x:991:
 qemu:x:992:
-polkitd:x:993:
-ntp:x:994:
 docker:x:995:
 messagebus:x:996:
-netdev:x:997:
 bind:x:998:
 _apt:x:999:
 nogroup:x:65534:
diff --git a/files/passwd b/files/passwd
index 5a26de4..2b3f831 100644
--- a/files/passwd
+++ b/files/passwd
@@ -15,15 +15,10 @@ backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
-dhcpcd:x:988:984::/var/lib/dhcpcd:/bin/false
 systemd-bus-proxy:x:989:985::/:/bin/nologin
-systemd-resolve:x:990:986::/:/bin/nologin
-systemd-network:x:991:987::/:/bin/nologin
 systemd-timesync:x:992:988::/:/bin/nologin
 sshd:x:993:991::/var/run/sshd:/bin/false
 qemu:x:994:992::/home/qemu:/bin/sh
-polkitd:x:995:993::/etc/polkit-1:/bin/sh
-ntp:x:996:994::/var/lib/ntp:/bin/false
 messagebus:x:997:996::/var/lib/dbus:/bin/false
 bind:x:998:998::/var/cache/bind:/bin/sh
 _apt:x:999:999::/nonexistent:/bin/false
diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in
new file mode 100644
index 0000000..6532f64
--- /dev/null
+++ b/recipes-core/systemd/files/basic.conf.in
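Review bot: Dropping dhcpcd, systemd-resolve, systemd-network, polkitd and ntp from files/passwd (and their groups, plus lock and netdev, from files/group) retires the accounts but not what they own: the removed passwd entries point at home directories such as /var/lib/dhcpcd, /etc/polkit-1 and /var/lib/ntp, and on an already-installed system those paths, if present, stay owned by the now-unassigned UIDs 988, 990, 991, 995 and 996 and the corresponding GIDs. Any account that is later allocated one of those IDs inherits that ownership without anyone granting it. Consider pairing the removal with an orphan-ownership check on the upgrade path (e.g. `find / -xdev \( -nouser -o -nogroup \)` in a post-upgrade step) or a comment in files/group recording that 984, 986, 987, 990, 993, 994 and 997 are retired and must not be reused. Also, the new `kvm:x:47:qemu` entry sits in the low, distro-managed GID range, so it is worth confirming that 47 is not already claimed by base-passwd or another recipe in this layer set.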
@@ -0,0 +1,50 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# The superuser
+u root 0 "Super User" /root
+
+# Administrator group: can *see* more than normal users
+g adm - - -
+
+# Access to certain kernel and userspace facilities
+g kmem - - -
+g tty @TTY_GID@ - -
+g utmp - - -
+
+# Hardware access groups
+g audio - - -
+g cdrom - - -
+g dialout - - -
+g disk - - -
+g input - - -
+g lp - - -
+g tape - - -
+g video - - -
+
+# Default group for normal users
+g users @USERS_GID@ - -
+## ENEA_start ##
+# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
+# - nothing in NFVA uses the wheel group, do not create it;
+# - the 'nobody' group was automatically created for the existing 'nobody' user,
+# which is not necessary, NFVA already has 'nogroup' (GID 65534);
+#
+# Administrator group: can *do* more than normal users
+# g wheel - - -
+# The nobody user for NFS file systems
+# u @NOBODY_USER_NAME@ 65534 "Nobody" -
+#
+# Keep the next users/groups in sync with those in /files/{passwd,group}
+# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
+# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
+# we must dynamically add them, with fixed ids. Ids are the same as in
+# /files/{passwd,group}
+g kvm 47 - -
+m qemu kvm
+g render 983 - -
+## ENEA_end ##
diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend
new file mode 100644
index 0000000..871da64
--- /dev/null
+++ b/recipes-core/systemd/systemd_247.6.bbappend
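Review bot: This file is a full copy of upstream's sysusers.d/basic.conf.in rather than a patch against it, so anything upstream adds to that template after the version this copy was taken from is silently dropped from the image; the commit message talks about systemd_246.9 while the bbappend targets 247.6, so the copy may already be behind. Shipping the ENEA block (and the two commented-out wheel/nobody lines) as a `file://` patch applied to upstream's file would keep upstream content and make the divergence reviewable. The `g kvm 47 - -` and `g render 983 - -` lines are hard IDs; on an upgraded system where one of those IDs is already held under a different name, systemd-sysusers will, as far as I recall, refuse that line rather than allocate another ID, so the comment block should state what is expected to happen on collision and which of files/group or this file is authoritative. Minor wording in the ENEA comment: `Ids` → `IDs`, and the sentence ending in `/files/{passwd,group}` needs a full stop.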
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_sota = " file://basic.conf.in"
+
+GROUPADD_PARAM_${PN}_append_sota = "; -r render"
+
+# systemd uses certain groups unless configured not to (e.g. journal logs are more
+# broadly available to the 'wheel' group unless told otherwise), while some resources
+# are using to the 'nobody' group. Configure systemd to:
+# - not use the 'wheel' group (journal access will be restriced to root user);
+# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
+EXTRA_OEMESON += " \
+ -Dwheel-group=false \
+ -Dnobody-group=nogroup \
+"
+
+do_configure_prepend_sota() {
+ cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
+}
-- cgit v1.2.3-54-g00ecf
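Review bot: `GROUPADD_PARAM_${PN}_append_sota = "; -r render"` creates the group at rootfs build time without a GID, so groupadd picks whichever system GID is free, which need not be the 983 that files/group and basic.conf.in hard-code (unless useradd-staticids pins it somewhere not visible in this commit). If the build-time GID differs, systemd-sysusers will, I believe, treat its own `g render 983 - -` as already satisfied because the name exists, and the image ends up with a render GID that is out of sync with the static files the commit says it mirrors. Pinning it removes the ambiguity: `GROUPADD_PARAM_${PN}_append_sota = "; -r -g 983 render"`. The commit message also names the new file systemd_246.9.bbappend while this hunk creates systemd_247.6.bbappend, so one of the two should be corrected. Minor, in the comment: `are using to the 'nobody' group` → `are using the 'nobody' group` and `restriced` → `restricted`.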