uuidd: use locked system user account if available

Beginning with systemd 257, it is possible to fully lock a sysuser
account. Do so for systems with met requirements.

Older systemd versions still use unlocked accounts.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

diff --git a/Makefile.am b/Makefile.am
index 75bab88f4e055230e4dd631b2e6d8f8fd0a912f2..eefe5cd1cf6c8b51438d2469d42fb757347f68df 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -189,6 +189,7 @@ edit_cmd = sed \
         -e 's|@usrlib_execdir[@]|$(usrlib_execdir)|g' \
         -e 's|@usrbin_execdir[@]|$(usrbin_execdir)|g' \
         -e 's|@usrsbin_execdir[@]|$(usrsbin_execdir)|g' \
+        -e 's|@SYSTEMD_USER_LOCK[@]|$(SYSTEMD_USER_LOCK)|g' \
         -e 's|@SOCKET_LIBS[@]|$(SOCKET_LIBS)|g' \
         -e 's|@VERSION[@]|$(VERSION)|g' \
         -e 's|@ADJTIME_PATH[@]|$(ADJTIME_PATH)|g' \

diff --git a/configure.ac b/configure.ac
index 2ff5c0d32a74e55e90335b06f394d5aabf2643e0..8e22d04e7e07bb1a4f56a6b5eb26de4750740dbb 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -2683,7 +2683,14 @@ AC_ARG_WITH([systemd],
 have_systemd=no
 AS_IF([test "x$with_systemd" != xno], [
   # new version -- all libsystemd-* libs merged into libsystemd
-  PKG_CHECK_MODULES([SYSTEMD], [libsystemd], [have_systemd=yes], [have_systemd=no])
+  # if 257 or newer, use locked system user accounts
+  PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 257], [
+      have_systemd=yes
+      SYSTEMD_USER_LOCK="!"
+    ], [
+      SYSTEMD_USER_LOCK=
+      PKG_CHECK_MODULES([SYSTEMD], [libsystemd], [have_systemd=yes], [have_systemd=no])
+  ])
   # old versions
   AS_IF([test "x$have_systemd" != "xyes"], [
     PKG_CHECK_MODULES([SYSTEMD_DAEMON], [libsystemd-daemon],
@@ -2702,6 +2709,7 @@ AS_IF([test "x$with_systemd" != xno], [
        AC_CHECK_DECLS([sd_session_get_username], [], [], [#include <systemd/sd-login.h>])
        AC_CHECK_DECLS([sd_device_new_from_syspath], [], [], [#include <systemd/sd-device.h>])
        AC_CHECK_DECLS([sd_device_open], [], [], [#include <systemd/sd-device.h>])
+       AC_SUBST([SYSTEMD_USER_LOCK])
   )
 ])
 AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$have_systemd" = xyes])

diff --git a/meson.build b/meson.build
index c09342b1f66572ee8fcfe845442fb427daffb84d..22e43ddbd0a6d96fd9a41c3ce9d78f83811ff55c 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -373,6 +373,11 @@ systemd = dependency(
   'systemd',
   required : get_option('systemd'))
 
+# Since systemd-257, which provides locked system user accounts.
+if systemd.version().version_compare('>=257')
+  conf.set('SYSTEMD_USER_LOCK', '!')
+endif
+
 lib_systemd = dependency(
   'libsystemd',
   required : get_option('systemd'))

diff --git a/misc-utils/uuidd-sysusers.conf.in b/misc-utils/uuidd-sysusers.conf.in
index c33c49f2a12b97bd071597de5b5f9c52f7a18a7b..59127b8b0cf79883106ba01cb8441ab09ccaecd3 100644 (file)
--- a/misc-utils/uuidd-sysusers.conf.in
+++ b/misc-utils/uuidd-sysusers.conf.in
@@ -1 +1 @@
-u uuidd - "UUID generator helper daemon" @localstatedir@/lib/libuuid
+u@SYSTEMD_USER_LOCK@ uuidd - "UUID generator helper daemon" @localstatedir@/lib/libuuid