From eea99925d3bef32434653aa6c2fabe6de24be950 Mon Sep 17 00:00:00 2001
From: Matei Valeanu
Date: Thu, 24 Jun 2021 17:29:04 +0200
Subject: Update UID/GID New groups and users: -g - kvm: added by libvirt [2] -g - render: added by systemd, after boot-up introduced in [1] Removed groups and users: -g and u - systemd-resolve and systemd-network: both were only kept for backward compatibility, not needed anymore -g - lock: systemd_246.9.bb no longer adds it in GROUPADD_PARAM, unlike systemd version on 2.4.0-2 -g and u - polkitd: systemd_246.9.bb no longer adds polkit in PACKAGECONFIG -g and u - ntp: meta-enea-virtualization/recipes-enea/ntp-user-stub/\ ntp-user-stub_1.0.bb removed -g - netdev: dbus_1.12.20.bb no longer adds netdev in GROUPADD_PARAM Added systemd_246.9.bbappend to overwrite basic.conf.in and add 'render' using GROUPADD_PARAM at build-time instead on boot-time Add new groups/users in basic.conf.in using fixed ids, in sync with /files/{group,passwd} [1] https://github.com/systemd/systemd/commit/4e15a7343cb [2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/\ commit/recipes-extended/libvirt?h=gatesgarth&id=b5b5defc78ea03c8
Change-Id: If1768a544c53552bf2eff1d8051830975ae0ed2f
Signed-off-by: Matei Valeanu
---
recipes-core/systemd/files/basic.conf.in | 50 +++++++++++++++++++++++++++++
recipes-core/systemd/systemd_247.6.bbappend | 19 +++++++++++
2 files changed, 69 insertions(+)
create mode 100644 recipes-core/systemd/files/basic.conf.in
create mode 100644 recipes-core/systemd/systemd_247.6.bbappend
(limited to 'recipes-core')
diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in
new file mode 100644
index 0000000..6532f64
--- /dev/null
+++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# The superuser
+u root 0 "Super User" /root
+
+# Administrator group: can *see* more than normal users
+g adm - - -
+
+# Access to certain kernel and userspace facilities
+g kmem - - -
+g tty @TTY_GID@ - -
+g utmp - - -
+
+# Hardware access groups
+g audio - - -
+g cdrom - - -
+g dialout - - -
+g disk - - -
+g input - - -
+g lp - - -
+g tape - - -
+g video - - -
+
+# Default group for normal users
+g users @USERS_GID@ - -
+## ENEA_start ##
+# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
+# - nothing in NFVA uses the wheel group, do not create it;
+# - the 'nobody' group was automatically created for the existing 'nobody' user,
+# which is not necessary, NFVA already has 'nogroup' (GID 65534);
+#
+# Administrator group: can *do* more than normal users
+# g wheel - - -
+# The nobody user for NFS file systems
+# u @NOBODY_USER_NAME@ 65534 "Nobody" -
+#
+# Keep the next users/groups in sync with those in /files/{passwd,group}
+# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
+# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
+# we must dynamically add them, with fixed ids. Ids are the same as in
+# /files/{passwd,group}
+g kvm 47 - -
+m qemu kvm
+g render 983 - -
+## ENEA_end ##
diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend
new file mode 100644
index 0000000..871da64
--- /dev/null
+++ b/recipes-core/systemd/systemd_247.6.bbappend
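Review bot: `m qemu kvm` is the one entry in the ENEA block that carries no fixed id: per sysusers.d(5) an `m` line implicitly creates the user when it is missing, and that user would then get a dynamically allocated UID. This is exactly the case the comment above it describes (an upgrade that did not update /etc/passwd), so ownership of qemu's files could differ between freshly installed and upgraded devices. Consider declaring the user explicitly before the membership line, e.g. `u qemu <QEMU_UID from files/passwd> "qemu" -`. It would also help to add a comment that 47 and 983 must not collide with ids already allocated on deployed systems, since systemd-sysusers appears to fall back to a dynamic id when the requested one is taken.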
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_sota = " file://basic.conf.in"
+
+GROUPADD_PARAM_${PN}_append_sota = "; -r render"
+
+# systemd uses certain groups unless configured not to (e.g. journal logs are more
+# broadly available to the 'wheel' group unless told otherwise), while some resources
+# are using to the 'nobody' group. Configure systemd to:
+# - not use the 'wheel' group (journal access will be restriced to root user);
+# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
+EXTRA_OEMESON += " \
+ -Dwheel-group=false \
+ -Dnobody-group=nogroup \
+"
+
+do_configure_prepend_sota() {
+ cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
+}
-- cgit v1.2.3-54-g00ecf
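Review bot: `EXTRA_OEMESON +=` is applied to every build, while the replacement `basic.conf.in`, the `render` group and the `do_configure` copy are all limited to the `sota` override. A non-sota build is therefore configured with `-Dwheel-group=false -Dnobody-group=nogroup` but presumably still ships upstream's sysusers file, which creates `wheel` and the `nobody` user/group that the comment says should not exist. Either scope the options the same way, `EXTRA_OEMESON_append_sota = " -Dwheel-group=false -Dnobody-group=nogroup"`, or drop the `_sota` suffixes so both halves always travel together. Separately, `-r render` passes no GID, so it matches the 983 pinned in `basic.conf.in` only if a static-id table supplies it, which is not visible in this hunk.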