shadow, passwd,group: reallocate users/groups between static/dynamic (sumo) #326

Merged: 3 commits, Feb 9, 2022

@bstreiff bstreiff commented Feb 9, 2022

Cherry-pick the same set of commits as in #324 to resolve the same issues in sumo.

At distro build time, the 'useradd-staticids' extension results in all
`useradd` or `groupadd` commands being rewritten to use an explicit
distro-defined UID/GID. This is desirable so that we get consistent
results regardless of package build order. However, many of these users
do not exist in /etc/passwd or /etc/group at runtime until their
associated packages are installed, which means that we can run into a
situation where a package built from outside our distro build ecosystem
(such as NIFeeds) invokes "useradd" and ends up claiming, simply by
virtue of being next-in-sequence, an ID that a distro-built package is
now hardcoded to expect to use.

For system users, `useradd` and `groupadd` pick the lowest number that
isn't in use. Because of this, in practice, the first `useradd` that
would occur on-target would pick the next-lowest from `lldpd` (362),
which had been assigned to `redis` (361), so a later install of redis
would then try to use an ID already in use.

To deal with this, partition the existing range almost-nearly in half.
The `lvuser` and `webserv` users need to stay at 500 and 501 and `ni`
at 500 due to legacy reasons, but we can say that anything higher than
those should be free for automatic on-target `useradd` usage, and below
used for things built as part of the distro.

Signed-off-by: Brenda Streiff <brenda.streiff@ni.com>

Reorder the group and passwd files used for static assignment.

Several users changed IDs:
    netdev         999 -> 350
    messagebus     998 -> 349
    avahi          997 -> 348
    avahi-autoipd  996 -> 347
    docker         499 -> 346
    libvirt        498 -> 345
    sshd           497 -> 344
    rwhod          496 -> 343
    opensaf        495 -> 342
    tracing        494 -> 341

Several groups changed IDs; consistency was kept with corresponding UIDs.
    messagebus     999 -> 349
    avahi          998 -> 348
    sshd           498 -> 344
    rshod          497 -> 343
    opensaf        496 -> 342

Changing these users was done to rearrange IDs to fit into the 100-500
range, which is where we want to have statically-defined-via-OE users
and groups. It also resolves two conflicts, which is that both `openvpn`
and `docker` were at 499 and `niwscerts` and `libvirt` were both at 498.

The file also has been changed to put IDs in sorted order. Descending
order was chosen because the file was already mostly in descending order
and this minimizes diff noise. Keeping this in order is an aid to not
create conflicts in the future.

Signed-off-by: Brenda Streiff <brenda.streiff@ni.com>

Add a test within the recipe to ensure that logins.def declares no IDs
that are within the ranges defined by login.defs (`[UG]ID_MIN` -> `MAX`
and `SYS_[UG]ID_MIN` -> `MAX`). Additionally, the test ensures that the
files remain in sorted order.

This is intended as a safety check to ensure that we do not statically
declare a user/group that will conflict with the dynamic range, and also
that we do not declare them in such a way that they will conflict with
each other.

Signed-off-by: Brenda Streiff <brenda.streiff@ni.com>

@amstewart amstewart merged commit 0791a9d into ni:nilrt/master/sumo Feb 9, 2022
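
The kind of check the third commit describes, as an added example that is not the recipe's actual test or any code from this PR: it reads the dynamic allocation ranges from login.defs and flags static table entries that fall inside them, reuse an ID, or break descending order. The login.defs values, the non-ID fields of the table rows, and the function names are constructed for illustration; only the user names and IDs come from the commit messages above.

```python
import re

# Constructed sample inputs (not the distro's real files or range values).
LOGIN_DEFS = "SYS_UID_MIN 502\nSYS_UID_MAX 999\nUID_MIN 1000\nUID_MAX 60000\n"
GOOD = """\
webserv:x:501:501::/home/webserv:/bin/sh
lvuser:x:500:500::/home/lvuser:/bin/sh
messagebus:x:349:349::/var/lib/dbus:/bin/false
sshd:x:344:344::/var/run/sshd:/bin/false
"""
BAD = """\
messagebus:x:998:999::/var/lib/dbus:/bin/false
openvpn:x:499:499::/var/lib/openvpn:/bin/false
docker:x:499:499::/nonexistent:/bin/false
lvuser:x:500:500::/home/lvuser:/bin/sh
"""

def parse_login_defs(text, kind="UID"):
    """Return [(SYS_min, SYS_max), (min, max)] for kind 'UID' or 'GID'."""
    vals = {}
    for line in text.splitlines():
        m = re.match(r"\s*((?:SYS_)?%s_(?:MIN|MAX))\s+(\d+)" % kind, line)
        if m:  # commented-out settings do not match and are ignored
            vals[m.group(1)] = int(m.group(2))
    return [(vals[p + kind + "_MIN"], vals[p + kind + "_MAX"]) for p in ("SYS_", "")]

def check_static_ids(table_text, dynamic_ranges):
    """Check a passwd- or group-format table; return a list of problem strings."""
    problems, seen, prev = [], {}, None
    for line in table_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")  # passwd and group both keep the ID in field 3
        name, ident = fields[0], int(fields[2])
        for lo, hi in dynamic_ranges:
            if lo <= ident <= hi:
                problems.append(f"{name}: {ident} is inside dynamic range {lo}-{hi}")
        if ident in seen:
            problems.append(f"{name}: {ident} already assigned to {seen[ident]}")
        elif prev is not None and ident > prev:
            problems.append(f"{name}: {ident} breaks descending order after {prev}")
        seen.setdefault(ident, name)
        prev = ident
    return problems

if __name__ == "__main__":
    ranges = parse_login_defs(LOGIN_DEFS)
    for label, table in (("good", GOOD), ("bad", BAD)):
        print(label, check_static_ids(table, ranges) or "ok")
```

For a group table, call `parse_login_defs(text, kind="GID")` and pass the result to the same `check_static_ids`.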