conf.set_quoted('NOBODY_USER_NAME', nobody_user)
conf.set_quoted('NOBODY_GROUP_NAME', nobody_group)
-tty_gid = get_option('tty-gid')
-conf.set('TTY_GID', tty_gid)
-
-# Ensure provided GID argument is numeric, otherwise fall back to default assignment
-users_gid = get_option('users-gid')
-conf.set('USERS_GID', users_gid < 0 ? '-' : users_gid)
+static_ugids = []
+foreach option : ['adm-gid',
+ 'audio-gid',
+ 'cdrom-gid',
+ 'dialout-gid',
+ 'disk-gid',
+ 'input-gid',
+ 'kmem-gid',
+ 'kvm-gid',
+ 'lp-gid',
+ 'render-gid',
+ 'sgx-gid',
+ 'tape-gid',
+ 'tty-gid',
+ 'users-gid',
+ 'utmp-gid',
+ 'video-gid',
+ 'wheel-gid',
+ 'systemd-journal-gid',
+ 'systemd-network-uid',
+ 'systemd-resolve-uid',
+ 'systemd-timesync-uid']
+ name = option.underscorify().to_upper()
+ val = get_option(option)
+
+ # Ensure provided GID argument is numeric, otherwise fall back to default assignment
+ conf.set(name, val >= 0 ? val : '-')
+ if val >= 0
+ static_ugids += '@0@:@1@'.format(option, val)
+ endif
+endforeach
conf.set10('ENABLE_ADM_GROUP', get_option('adm-group'))
conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
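Review bot: The `if val >= 0` branch accepts any non-negative value, so `-Dkvm-gid=1000` or `-Dadm-gid=0` is written straight into the template as a system GID, even though this build already knows the system ID ceiling it prints as SYSTEM_UID_MAX/SYSTEM_GID_MAX in the summary a few lines later. A soft-static ID above the system range can silently land in the regular-user range and 0 is root's ID; both are better rejected at configure time than discovered on a deployed system. The comment `# Ensure provided GID argument is numeric, otherwise fall back to default assignment` is also stale — the options are declared `type : 'integer'`, so meson already guarantees a number; what the branch actually decides is whether `-1` (the default) becomes `-`, i.e. dynamic allocation by sysusers. I'd rewrite the loop body as below; whether `conf.get('SYSTEM_GID_MAX')` is an integer at this point depends on how it was set earlier in the file, which is outside this hunk, so the comparison may need the original variables instead.
```meson
        name = option.underscorify().to_upper()
        val = get_option(option)
        # -1 (the default) means "no static allocation": emit '-' so that
        # systemd-sysusers picks an ID dynamically. Anything >= 0 is a
        # soft-static request and must be a usable system ID: non-zero and
        # within the system UID/GID range computed earlier in this file.
        if val >= 0
                limit = option.endswith('-uid') ? conf.get('SYSTEM_UID_MAX') : conf.get('SYSTEM_GID_MAX')
                if val == 0 or val > limit
                        error('@0@=@1@ is outside the system UID/GID range (1..@2@)'.format(option, val, limit))
                endif
                static_ugids += '@0@:@1@'.format(option, val)
        endif
        conf.set(name, val >= 0 ? val : '-')
```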
'extra start script: @0@'.format(get_option('rc-local')),
'debug shell: @0@ @ @1@'.format(get_option('debug-shell'),
get_option('debug-tty')),
- 'TTY GID: @0@'.format(tty_gid),
- 'users GID: @0@'.format(conf.get('USERS_GID')),
'system UIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_UID_MAX'),
conf.get('SYSTEM_ALLOC_UID_MIN')),
'system GIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_GID_MAX'),
conf.get('SYSTEM_ALLOC_GID_MIN')),
'dynamic UIDs: @0@…@1@'.format(dynamic_uid_min, dynamic_uid_max),
'container UID bases: @0@…@1@'.format(container_uid_base_min, container_uid_base_max),
+ 'static UID/GID allocations: @0@'.format(' '.join(static_ugids)),
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
'render group access mode: @0@'.format(get_option('group-render-mode')),
'certificate root directory: @0@'.format(get_option('certificate-root')),
description : 'use unit name or description in messages by default')
option('time-epoch', type : 'integer', value : '-1',
description : 'time epoch for time clients')
+
option('system-alloc-uid-min', type : 'integer', value : '-1',
description : 'minimum system UID used when allocating')
option('system-alloc-gid-min', type : 'integer', value : '-1',
description : 'minimum container UID base')
option('container-uid-base-max', type : 'integer', value : 0x6FFF0000,
description : 'maximum container UID base')
-option('tty-gid', type : 'integer', value : 5,
- description : 'the numeric GID of the "tty" group')
-option('users-gid', type : 'integer', value : '-1',
- description : 'the numeric GID of the "users" group')
option('adm-group', type : 'boolean',
description : 'the ACL for adm group should be added')
option('wheel-group', type : 'boolean',
option('nobody-group', type : 'string',
description : 'The name of the nobody group (the one with GID 65534)',
value : 'nobody')
+option('adm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "adm" group')
+option('audio-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "audio" group')
+option('cdrom-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "cdrom" group')
+option('dialout-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "dialout" group')
+option('disk-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "disk" group')
+option('input-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "input" group')
+option('kmem-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kmem" group')
+option('kvm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kvm" group')
+option('lp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "lp" group')
+option('render-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "render" group')
+option('sgx-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "sgx" group')
+option('tape-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "tape" group')
+option('tty-gid', type : 'integer', value : 5,
+ description : 'the numeric GID of the "tty" group')
+option('users-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "users" group')
+option('utmp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "utmp" group')
+option('video-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "video" group')
+option('wheel-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "wheel" group')
+option('systemd-journal-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-journal group')
+option('systemd-network-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-network user')
+option('systemd-resolve-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-resolve user')
+option('systemd-timesync-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-timesync user')
+
option('dev-kvm-mode', type : 'string', value : '0666',
description : '/dev/kvm access mode')
option('group-render-mode', type : 'string', value : '0666',
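Review bot: The description of `tty-gid` still reads `'the numeric GID of the "tty" group'` while every sibling option added in this hunk says "soft-static allocation for ...", and it is the only one with a non-negative default (5), so a reader cannot tell from the descriptions that these are all the same kind of knob or that `-1` means "let sysusers allocate". I'd change it to `description : 'soft-static allocation for the "tty" group (5 is the conventional value, -1 for dynamic)'` and spell out the `-1` meaning in at least one of the other descriptions, since none of them does. Meson's `integer` option type also accepts `min : -1`, which would turn values below -1 into a configure-time error instead of letting the meson.build loop treat them like -1 — optional, as such values are harmless today.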
u {{NOBODY_USER_NAME}} 65534 "Nobody" -
# Administrator group: can *see* more than normal users
-g adm - - -
+g adm {{ADM_GID }} - -
# Administrator group: can *do* more than normal users
-g wheel - - -
+g wheel {{WHEEL_GID }} - -
-# Access to certain kernel and userspace facilities
-g kmem - - -
-g tty {{TTY_GID}} - -
-g utmp - - -
+# Access to shared database of users on the system
+g utmp {{UTMP_GID }} - -
-# Hardware access groups
-g audio - - -
-g cdrom - - -
-g dialout - - -
-g disk - - -
-g input - - -
-g kvm - - -
-g lp - - -
-g render - - -
-g sgx - - -
-g tape - - -
-g video - - -
+# Physical and virtual hardware access groups
+g audio {{AUDIO_GID }} - -
+g cdrom {{CDROM_GID }} - -
+g dialout {{DIALOUT_GID}} - -
+g disk {{DISK_GID }} - -
+g input {{INPUT_GID }} - -
+g kmem {{KMEM_GID }} - -
+g kvm {{KVM_GID }} - -
+g lp {{LP_GID }} - -
+g render {{RENDER_GID }} - -
+g sgx {{SGX_GID }} - -
+g tape {{TAPE_GID }} - -
+g tty {{TTY_GID }} - -
+g video {{VIDEO_GID }} - -
# Default group for normal users
-g users {{USERS_GID}} - -
+g users {{USERS_GID }} - -
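Review bot: The rewritten entries carry no hint of where the numeric IDs come from or what `-` means, so someone reading the installed basic.conf sees `g kvm 78 - -` on one distro and `g kvm - - -` on another with nothing to explain the difference; the old `# Access to certain kernel and userspace facilities` comment covering kmem/tty/utmp is dropped as well, with kmem now filed under hardware. I'd add a short header comment above the first `g adm` line saying that the ID column is filled from the `-D<name>-gid` / `-D<name>-uid` meson options, that a number requests that ID as a soft-static allocation (as I understand sysusers.d, used only if still free — worth confirming and stating precisely), and that `-` lets systemd-sysusers allocate one. The `{{ADM_GID }}` placeholders with a space before the closing braces rely on the template engine tolerating inner whitespace — fine for a Jinja2-style engine, which the pre-existing `{{TTY_GID}}` form suggests, but worth a glance if the substitution is done by a custom script.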