From 388cd917f1a5b6d3730a1dcc23f9394f462bbfbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 21 Feb 2018 15:23:30 +0100
Subject: [PATCH] Add purge-nobody-user

---
 purge-nobody-user | 101 ++++++++++++++++++++++++++++++++++++++++++++++
 sources           |   2 +-
 systemd.spec      |  12 +++++-
 3 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100755 purge-nobody-user

diff --git a/purge-nobody-user b/purge-nobody-user
new file mode 100755
index 0000000..66404fe
--- /dev/null
+++ b/purge-nobody-user
@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+    echo "WARNING: This script needs to run as root to be effective"
+    exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+    shift
+    ignore_journal=1
+else
+    ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+    echo "ERROR: ps reports processes with UID 99!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+    echo "ERROR: w reports UID 99 as active!"
+    exit 2
+fi
+if w -h nobody | grep . ; then
+    echo "ERROR: w reports user nobody as active!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+    echo "ERROR: found files belonging to UID 99"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+    echo "OK, nothing to do."
+    exit 0
+else
+    echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+    echo "NOTICE: will have to remove this user"
+else
+    echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+    if getent passwd nobody >/dev/null; then
+	# this will remove both the user and the group.
+	( set -x
+   	  userdel nobody
+	)
+    fi
+
+    if getent passwd 65534 >/dev/null; then
+	# Make sure the uid is unused. This should free gid too.
+	name="$(getent passwd 65534 | cut -d: -f1)"
+	( set -x
+	  userdel "$name"
+	)
+    fi
+
+    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+	echo "Sleeping, so sss can catch up"
+	sleep 3
+    fi
+
+    if getent group 65534; then
+	# Make sure the gid is unused, even if uid wasn't.
+	name="$(getent group 65534 | cut -d: -f1)"
+	( set -x
+	  groupdel "$name"
+	)
+    fi
+
+    # systemd-sysusers uses the same gid and uid
+    ( set -x
+      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+    )
+else
+    echo "Pass '-x' to perform changes"
+fi
diff --git a/sources b/sources
index c124c7f..df48775 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-dff4849.tar.gz) = 32bd7f6a6ded8ca326eacd3fcf896b237f50f3cc030fce2104367251b5c363a79b420e716831c7837954b93c77df275e4f9849ea018d7745578f7b6c7732fdb4
+SHA512 (systemd-84c8da5.tar.gz) = 0d46bde746afb2678dfe2ce803091f7c30517db35532256e18a960996689cfcbf3e5391a16752093e2fb3594313771056d7cc16ee0f0c0ab4d170c28466dbb3c
diff --git a/systemd.spec b/systemd.spec
index e56f9c6..8a37fdc 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%global gitcommit dff48497371a78212d8a71db6ac9130754939b3f
+%global gitcommit 84c8da5ed92282f8ef51d5d4f8e1630c37fef3e9
 %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
 
 # We ship a .pc file but don't want to have a dep on pkg-config. We
@@ -28,6 +28,7 @@ Source0:        https://github.com/systemd/systemd/archive/v%{version}.tar.gz#/%
 # It is generated during systemd build and can be found in src/core/.
 Source1:        triggers.systemd
 Source2:        split-files.py
+Source3:        purge-nobody-user
 
 # Prevent accidental removal of the systemd package
 Source4:        yum-protect-systemd.conf
@@ -425,6 +426,8 @@ install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d
 
 install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11}
 
+install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
+
 %find_lang %{name}
 
 # Split files in build root into rpms. See split-files.py for the
@@ -434,6 +437,7 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %config(noreplace) /etc/crypttab
 %ghost /etc/udev/hwdb.bin
 /etc/inittab
+/usr/lib/systemd/purge-nobody-user
 %ghost %config(noreplace) /etc/vconsole.conf
 %ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
 %ghost %attr(0664,root,utmp) /var/run/utmp
@@ -702,6 +706,12 @@ fi
 %files tests -f .file-list-tests
 
 %changelog
+* Wed Feb 21 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 237-2.git84c8da5
+- Update some patches for test skipping that were updated upstream
+  before merging
+- Add /usr/lib/systemd/purge-nobody-user — a script to check if nobody is defined
+  correctly and possibly replace existing mappings
+
 * Tue Feb 20 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 237-2.gitdff4849
 - Backport a bunch of patches, most notably for the journal and various
   memory issues. Some minor build fixes.