rpms/systemd
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Version 249-rc2

Browse Source
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2021-06-25 17:25:07 +02:00
parent 2383d1a974
commit 379f157396
3 changed files with 10 additions and 278 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

273
19950.patch
View File

@ -1,273 +0,0 @@
From 420ae742ef584fbe5b98780c3cdada528a45ad67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sun, 23 May 2021 22:00:22 +0200
Subject: [PATCH] meson: allow "soft-static" allocations for uids and gids in
the initrd
The general idea with users and groups created through sysusers is that an
appropriate number is picked when the allocation is made. The number that is
selected will be different on each system based on the order of creation of
users, installed packages, etc. Since system users and groups are not shared
between installations, this generally is not an issue. But it becomes a problem
for initrd: some file systems are shared between the initrd and the host (/run
and /dev are probably the only ones that matter). If the allocations are
different in the host and the initrd, and files survive switch-root, they will
have wrong ownership.
This makes the gids build-time-configurable for all groups and users where
state may survive the switch from initrd to the host.
In particular, all "hardware access" groups are like this: files in /dev will
be owned by them. Eventually the new udev would change ownership, but there
would be a momemnt where the files were owned by the wrong group. The
allocations are "soft-static" in the language of Fedora packaging guidelines:
the uid/gid will be used if possible, but we'll fall back to a different
one. TTY_GID is the exception, because the number is used directly.
Similarly, the possibility to configure "soft-static" uids is added for daemons
which may usefully run in the initramfs: systemd-network (lease information and
interface state is serialized to /run), systemd-resolve (stub files and
interface state), systemd-timesync (/run/systemd/timesync).
Journal files are owned by the group systemd-journal, and acls are granted
for wheel and adm.
systemd-oom and systemd-coredump are excluded from this patch: I assume that
oomd is not useful in the initrd, and coredump leaves no state (it only creates
a pipe in /run?).
The defaults are not changed: if nothing is configured, dynamic allocation will
be used. I looked at a Debian system, and the numbers are all different than
on Fedora.
For Fedora, see the list of uids and gids at https://pagure.io/setup/blob/master/f/uidgid.
In particular, systemd-network and systemd-resolve got soft-static numbers to
make it easy to transition from a non-host-specific initrd to a host system
already a few years back (https://bugzilla.redhat.com/show_bug.cgi?id=1102002).
I also requested static allocations for sgx, input, render in
https://pagure.io/packaging-committee/issue/1078,
https://pagure.io/setup/pull-request/27.
---
meson.build | 40 ++++++++++++++++++++++++-------
meson_options.txt | 48 ++++++++++++++++++++++++++++++++++----
sysusers.d/basic.conf.in | 38 +++++++++++++++---------------
sysusers.d/systemd.conf.in | 8 +++----
4 files changed, 99 insertions(+), 35 deletions(-)
diff --git a/meson.build b/meson.build
index 0b136529e3a1..3634ce0a3cb0 100644
--- a/meson.build
+++ b/meson.build
@@ -793,12 +793,37 @@ endif
conf.set_quoted('NOBODY_USER_NAME', nobody_user)
conf.set_quoted('NOBODY_GROUP_NAME', nobody_group)
-tty_gid = get_option('tty-gid')
-conf.set('TTY_GID', tty_gid)
-
-# Ensure provided GID argument is numeric, otherwise fall back to default assignment
-users_gid = get_option('users-gid')
-conf.set('USERS_GID', users_gid < 0 ? '-' : users_gid)
+static_ugids = []
+foreach option : ['adm-gid',
+ 'audio-gid',
+ 'cdrom-gid',
+ 'dialout-gid',
+ 'disk-gid',
+ 'input-gid',
+ 'kmem-gid',
+ 'kvm-gid',
+ 'lp-gid',
+ 'render-gid',
+ 'sgx-gid',
+ 'tape-gid',
+ 'tty-gid',
+ 'users-gid',
+ 'utmp-gid',
+ 'video-gid',
+ 'wheel-gid',
+ 'systemd-journal-gid',
+ 'systemd-network-uid',
+ 'systemd-resolve-uid',
+ 'systemd-timesync-uid']
+ name = option.underscorify().to_upper()
+ val = get_option(option)
+
+ # Ensure provided GID argument is numeric, otherwise fall back to default assignment
+ conf.set(name, val >= 0 ? val : '-')
+ if val >= 0
+ static_ugids += '@0@:@1@'.format(option, val)
+ endif
+endforeach
conf.set10('ENABLE_ADM_GROUP', get_option('adm-group'))
conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
@@ -3713,14 +3738,13 @@ status = [
'extra start script: @0@'.format(get_option('rc-local')),
'debug shell: @0@ @ @1@'.format(get_option('debug-shell'),
get_option('debug-tty')),
- 'TTY GID: @0@'.format(tty_gid),
- 'users GID: @0@'.format(conf.get('USERS_GID')),
'system UIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_UID_MAX'),
conf.get('SYSTEM_ALLOC_UID_MIN')),
'system GIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_GID_MAX'),
conf.get('SYSTEM_ALLOC_GID_MIN')),
'dynamic UIDs: @0@…@1@'.format(dynamic_uid_min, dynamic_uid_max),
'container UID bases: @0@…@1@'.format(container_uid_base_min, container_uid_base_max),
+ 'static UID/GID allocations: @0@'.format(' '.join(static_ugids)),
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
'render group access mode: @0@'.format(get_option('group-render-mode')),
'certificate root directory: @0@'.format(get_option('certificate-root')),
diff --git a/meson_options.txt b/meson_options.txt
index fc58e888d939..5048de755d91 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -204,6 +204,7 @@ option('status-unit-format-default', type : 'combo',
description : 'use unit name or description in messages by default')
option('time-epoch', type : 'integer', value : '-1',
description : 'time epoch for time clients')
+
option('system-alloc-uid-min', type : 'integer', value : '-1',
description : 'minimum system UID used when allocating')
option('system-alloc-gid-min', type : 'integer', value : '-1',
@@ -220,10 +221,6 @@ option('container-uid-base-min', type : 'integer', value : 0x00080000,
description : 'minimum container UID base')
option('container-uid-base-max', type : 'integer', value : 0x6FFF0000,
description : 'maximum container UID base')
-option('tty-gid', type : 'integer', value : 5,
- description : 'the numeric GID of the "tty" group')
-option('users-gid', type : 'integer', value : '-1',
- description : 'the numeric GID of the "users" group')
option('adm-group', type : 'boolean',
description : 'the ACL for adm group should be added')
option('wheel-group', type : 'boolean',
@@ -234,6 +231,49 @@ option('nobody-user', type : 'string',
option('nobody-group', type : 'string',
description : 'The name of the nobody group (the one with GID 65534)',
value : 'nobody')
+option('adm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "adm" group')
+option('audio-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "audio" group')
+option('cdrom-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "cdrom" group')
+option('dialout-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "dialout" group')
+option('disk-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "disk" group')
+option('input-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "input" group')
+option('kmem-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kmem" group')
+option('kvm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kvm" group')
+option('lp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "lp" group')
+option('render-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "render" group')
+option('sgx-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "sgx" group')
+option('tape-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "tape" group')
+option('tty-gid', type : 'integer', value : 5,
+ description : 'the numeric GID of the "tty" group')
+option('users-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "users" group')
+option('utmp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "utmp" group')
+option('video-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "video" group')
+option('wheel-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "wheel" group')
+option('systemd-journal-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-journal group')
+option('systemd-network-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-network user')
+option('systemd-resolve-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-resolve user')
+option('systemd-timesync-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-timesync user')
+
option('dev-kvm-mode', type : 'string', value : '0666',
description : '/dev/kvm access mode')
option('group-render-mode', type : 'string', value : '0666',
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 9da02514216d..8cc1a7cad218 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -12,28 +12,28 @@ u root 0 "Super User" /root
u {{NOBODY_USER_NAME}} 65534 "Nobody" -
# Administrator group: can *see* more than normal users
-g adm - - -
+g adm {{ADM_GID }} - -
# Administrator group: can *do* more than normal users
-g wheel - - -
+g wheel {{WHEEL_GID }} - -
-# Access to certain kernel and userspace facilities
-g kmem - - -
-g tty {{TTY_GID}} - -
-g utmp - - -
+# Access to shared database of users on the system
+g utmp {{UTMP_GID }} - -
-# Hardware access groups
-g audio - - -
-g cdrom - - -
-g dialout - - -
-g disk - - -
-g input - - -
-g kvm - - -
-g lp - - -
-g render - - -
-g sgx - - -
-g tape - - -
-g video - - -
+# Physical and virtual hardware access groups
+g audio {{AUDIO_GID }} - -
+g cdrom {{CDROM_GID }} - -
+g dialout {{DIALOUT_GID}} - -
+g disk {{DISK_GID }} - -
+g input {{INPUT_GID }} - -
+g kmem {{KMEM_GID }} - -
+g kvm {{KVM_GID }} - -
+g lp {{LP_GID }} - -
+g render {{RENDER_GID }} - -
+g sgx {{SGX_GID }} - -
+g tape {{TAPE_GID }} - -
+g tty {{TTY_GID }} - -
+g video {{VIDEO_GID }} - -
# Default group for normal users
-g users {{USERS_GID}} - -
+g users {{USERS_GID }} - -
diff --git a/sysusers.d/systemd.conf.in b/sysusers.d/systemd.conf.in
index 9905eb596c61..9941ef8ef4f7 100644
--- a/sysusers.d/systemd.conf.in
+++ b/sysusers.d/systemd.conf.in
@@ -5,18 +5,18 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
-g systemd-journal - -
+g systemd-journal {{SYSTEMD_JOURNAL_GID}} -
{% if ENABLE_NETWORKD %}
-u systemd-network - "systemd Network Management"
+u systemd-network {{SYSTEMD_NETWORK_UID}} "systemd Network Management"
{% endif %}
{% if ENABLE_OOMD %}
u systemd-oom - "systemd Userspace OOM Killer"
{% endif %}
{% if ENABLE_RESOLVE %}
-u systemd-resolve - "systemd Resolver"
+u systemd-resolve {{SYSTEMD_RESOLVE_UID}} "systemd Resolver"
{% endif %}
{% if ENABLE_TIMESYNCD %}
-u systemd-timesync - "systemd Time Synchronization"
+u systemd-timesync {{SYSTEMD_TIMESYNC_UID}} "systemd Time Synchronization"
{% endif %}
{% if ENABLE_COREDUMP %}
u systemd-coredump - "systemd Core Dumper"

2
sources
View File

@ -1 +1 @@
SHA512 (systemd-249-rc1.tar.gz) = dd75fd6a2f63ce296973c7052ebd199619c99805935e9e04a65b58b0de6053f51157233070f32a4731c43cb65e8d232051a0b5c26508256218ae63f11cd24f1b
SHA512 (systemd-249-rc2.tar.gz) = 97570607fb3262cbcf9c956eb6a05d83877de411b6de90d2b359e85fa4cc0e14fe7efd6e71e135f9922374fb69ee7f328c3d2240bf736d0016b8fbb68e3f0725

13
systemd.spec
View File

@ -30,8 +30,8 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
%if %{without inplace}
Version: 249~rc1
Release: 2%{?dist}
Version: 249~rc2
Release: 1%{?dist}
%else
# determine the build information from local checkout
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@ -91,7 +91,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# Any patches which are "in preparation" upstream should be listed
# here, rather than in the next section. Packit CI will drop any
# patches in this range before applying upstream pull requests.
Patch0001: https://github.com/systemd/systemd/pull/19950.patch
# Downstream-only patches (50009999)
# https://bugzilla.redhat.com/show_bug.cgi?id=1738828
@ -995,12 +995,17 @@ fi
%files standalone-sysusers -f .file-list-standalone-sysusers
%changelog
* Fri Jun 25 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 249~rc2-1
- Latest upstream prerelease with various bugfixes, see
https://github.com/systemd/systemd/blob/v248-rc2/NEWS.
- Ignore FORCERENEW DHCP packets (TALOS-2020-1142, CVE-2020-13529, #1959398)
* Thu Jun 17 2021 Adam Williamson <awilliam@redhat.com> - 249~rc1-2
- Stop systemd providing systemd-resolved, now the subpackage exists (#1973462)
* Wed Jun 16 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 249~rc1-1
- Latest upstream prerelease, see
https://github.com/systemd/systemd/blob/v248-rc4/NEWS.
https://github.com/systemd/systemd/blob/v249-rc1/NEWS.
Fixes #1963428.
- Use systemd-sysusers to create users (#1965815)
- Move systemd-resolved into systemd-resolved subpackage (#1923727)