This reverts commit df5ba729d6.
Reason: The MariaDB and MySQL sysusers.d files have to use soft static allocation in order to correctly handle the MariaDB PAM v2 plugin which utilizes setuid-to-root binary "/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool".
Related: RHEL-119790 RHEL-119789
This mirrors the same change from 49bb7fe5f88fc35b8529d7d8dfcd4c151a9aaf1a
and 4ced52595f3e0367a0f2823be8b7acf6d7b7c2be in systemd. Instead of potentially
allocating random GIDs for the root and nobody groups, let's insist that these
have the expected GIDs.
These were added to systemd's basic.conf in
4ced52595f3e0367a0f2823be8b7acf6d7b7c2be,
49bb7fe5f88fc35b8529d7d8dfcd4c151a9aaf1a and
9361a712f85860ead532dba1468dbd3deef00e34. Let's add them to the setup
package as well to ensure we match with systemd's expected user/group
layout.
The test failed:
    + cd etc
    + bash /builddir/build/SOURCES/uidgidlint ./uidgid
    grep: ./uidgid: No such file or directory
    grep: ./uidgid: No such file or directory
but because pipefail wasn't set, the script iterated over empty input
and didn't actually test anything.
Set -o eu,pipefail to catch similar errors in the future and fix the
invocation so that the test passes.
[skip changelog]
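
The failure mode described in the commit message above, as an added example (not the setup package's uidgidlint or spec code): a lint run with plain `bash` passes vacuously when its input file is missing, while `bash -euo pipefail` fails. The lint body, the file names and the table rows are constructed for illustration.

```shell
# Added example: constructed lint and data, not the package's uidgidlint.
workdir=$(mktemp -d)

# The lint reads a "name uid gid" table through a grep | while-read
# pipeline. The script's exit status is the status of that pipeline.
cat > "$workdir/lint" <<'EOF'
grep -v '^#' "$1" | while read -r name uid rest; do
    case $uid in
        ''|*[!0-9]*) echo "$name: bad uid '$uid'" >&2; exit 1 ;;
    esac
done
EOF

# Constructed sample tables: one valid, one with a malformed UID.
printf '%s\n' '# name uid gid' 'root 0 0' 'polkitd 114 114' > "$workdir/uidgid"
printf '%s\n' '# name uid gid' 'polkitd x114 114' > "$workdir/bad"

# lint_status MODE FILE: run the lint and print its exit status.
# MODE "strict" adds errexit, nounset and pipefail; anything else is plain bash.
lint_status() {
    rc=0
    if [ "$1" = strict ]; then
        bash -euo pipefail "$workdir/lint" "$2" 2>/dev/null || rc=$?
    else
        bash "$workdir/lint" "$2" 2>/dev/null || rc=$?
    fi
    echo "$rc"
}

# Without pipefail the pipeline reports only the loop's status, so a grep
# that cannot open its input is invisible and the loop checks nothing.
echo "plain,  valid table:  $(lint_status plain  "$workdir/uidgid")"
echo "plain,  missing file: $(lint_status plain  "$workdir/missing")"
echo "strict, missing file: $(lint_status strict "$workdir/missing")"
echo "strict, bad table:    $(lint_status strict "$workdir/bad")"
```
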
This is a partial revert of 7ced36d60b
and a follow-up. I was in the middle of reworking the commit and
pushed the not-ready version to the upstream repo by mistake.
The passwd and group files that are now generated are dropped.
[skip changelog]
I was trying to figure out what is the actual number of static allocations that
we use. I checked various names that didn't seem familiar, and indeed, many of
those packages have been long retired. For some names, I couldn't find any
reliable references, which means that most likely they stopped being used
sometime before the git era.
This inverts the order of operations: previously, the passwd and group
files were the original source of information, and shadow and gpasswd
were created using sed, and sysusers fragments were generated using a
shell script.
There are a few problems with the previous approach:
- We had two sysusers files, one for groups and one for users. This
split makes things more complicated. By default sysusers will create
a group with the same name and number, if a user is defined without
an explicit group override. This is what we want to do, to make the
config shorter and easier to read.
- The rpm sysusers generator created two sets of 'Provides:group(…)'
attributes.
In the new approach, we use the sysusers file as the "source of truth",
and run systemd-sysusers to generate passwd, group, shadow, and gshadow
files.
This has the following advantages:
- No code to maintain here.
- The config is easier to read.
- Does a lint of the data. If a uid conflict was present, we'd
get a warning.
- With the support for sysusers in rpm, when we install this package on
a system, because of the Provides, rpm will create the users and groups
using systemd-sysusers anyway. So by doing the same during the build,
we match what rpm would do anyway, so we get a file that is closer to
what will actually appear in the system.
- Since we now have a file generated by systemd-sysusers in the payload,
we can see how things will actually look on the installed system.
This allowed me to notice a bug in systemd packaging.
On systems with merged-sbin, /usr/sbin is a symlink to /usr/bin
(https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin).
As reported in the Fedora Python channel,
    python3 -c 'import sys; print(sys.executable)'
now returns /usr/sbin/python3 rather than /usr/bin/python3.
We don't want the symlinked directories in the $PATH at all.
Some packages within the same transaction (e.g. during system-upgrades) may
rely on having the pre-allocated system users and/or system groups provided
by the setup package already to be present when the dependee package gets
installed; waiting for the %%transfiletriggerin to run `systemd-sysusers`
will be too late in such cases.
The above statement also applies for the temporary files from this package
to be created by running `systemd-tmpfiles`.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
This implements https://pagure.io/setup/issue/51.
The "upstream" is only used to build the package in our dist-git, so we can reduce the
total amount of work by moving files downstream and maintaining them there.
The package after the rebuild is identical, except for intentional changes
(removal of Group, updating of Url, bumping of the Version):
    $ rpmdiff -iT noarch/setup-2.14.5-2.fc41.noarch.rpm noarch/setup-2.15.0-1.fc41.noarch.rpm
    S.5..... GROUP
    S.5..... URL
    removed REQUIRES config(setup) = 2.14.5-2.fc41
    added REQUIRES config(setup) = 2.15.0-1.fc41
    removed PROVIDES config(setup) = 2.14.5-2.fc41
    removed PROVIDES setup = 2.14.5-2.fc41
    added PROVIDES config(setup) = 2.15.0-1.fc41
    added PROVIDES setup = 2.15.0-1.fc41
bashrc: switch PROMPT_COMMAND to be an array (rhbz#2097525)
profile: don't overwrite the HISTSIZE environment variable
hosts: use "example.org" as example domain (rhbz#2246220)
csh.login: source csh.local (RHEL-17226)
sysusers.d: add script and generate configuration fragment for users
Add fallback to hostname determination for csh.login (rhbz#2079768)
Remove ancient Conflicts
files: mark /run/motd as an ephemeral ghost entry
sysusers.d: add script and configuration fragments for groups
passwd: align 'nologin' shell path with systemd defaults
uidgid: assign GID 101 for 'ssh_keys' group
uidgid: assign UID/GID 114 for 'polkitd'
passwd: update GECOS field for 'root' user
services: remove commas from aliases for ircu-3
setup.spec: throw away newaliases output again
bashrc sets hardcoded umask (#1902166)
bashrc: clean up unused references to VTE
uidgid: simplify table format and other format enhancements
uidgid: fix news and lock entries, move basic groups to systemd
os.execute uses /bin/sh, which to a large extent defeats the purpose of having
the scriptlet in lua ;)
    $ strace -qq -ff -eexecve rpm -E "%{lua:os.execute('true')}"
    execve("/usr/bin/rpm", ["rpm", "-E", "%{lua:os.execute('true')}"], 0x7ffd180ce638 /* 60 vars */) = 0
    [pid 849466] execve("/bin/sh", ["sh", "-c", "true"], 0x7fff73cfc9d8 /* 60 vars */) = 0
Let's use posix.exec(). rpm.execute() would be nice, but it does not
support suppressing of stderr.
Move /var/log/lastlog ownership to systemd (#1798685)
tcsh sets variable p to /usr/sbin from /etc/csh.login (#2019874)
'history -a' doesn't belong in /etc/bashrc (#1871744)
localhost.localdomain in wrong order /etc/hosts (#1724539)