From 690241b0e3fb46d90ef3b5da5358ca25e4fc5dbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Fri, 13 Dec 2024 19:43:14 +0100 Subject: [PATCH 01/19] Ensure pre-allocated users, groups, and tmpfiles are created in %%post MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some packages within the same transaction (e.g. during system-upgrades) may rely on having the pre-allocated system users and/or system groups provided by the setup package already to be present when the dependee package gets installed; waiting for the %%transfiletriggerin to run `systemd-sysusers` will be too late in such cases. The above statement also applies for the temporary files from this package to be created by running `systemd-tmpfiles`. Signed-off-by: Björn Esser --- setup.spec | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/setup.spec b/setup.spec index 7067aeb..e85c42b 100644 --- a/setup.spec +++ b/setup.spec @@ -106,13 +106,15 @@ cat >%{buildroot}/usr/share/dnf5/libdnf.conf.d/protect-setup.conf <= 4.20) but fallback to forking if not %post -p +-- Throw away useless and dangerous update stuff until rpm will be able to +-- handle it. See: http://rpm.org/ticket/6 for i, name in ipairs({"passwd", "shadow", "group", "gshadow"}) do os.remove("/etc/"..name..".rpmnew") end +-- Use rpm.spawn() if available (in >= 4.20) but fallback to forking if not. +-- +-- Initialize or update /etc/alias.db from /etc/aliases for sendmail, etc. if posix.access("/usr/bin/newaliases", "x") then if rpm.spawn ~= nil then rpm.spawn({'/usr/bin/newaliases'}, {stdout='/dev/null'}) 
@@ -126,6 +128,34 @@ if posix.access("/usr/bin/newaliases", "x") then end end end +-- Ensure pre-allocated users and groups are created immediately on upgrades. +if posix.access("/usr/bin/systemd-sysusers", "x") then + if rpm.spawn ~= nil then + rpm.spawn({"/usr/bin/systemd-sysusers"}, {stderr='/dev/null'}) + else + local pid = posix.fork() + if pid == 0 then + posix.redirect2null(2) + posix.exec("/usr/bin/systemd-sysusers") + elseif pid > 0 then + posix.wait(pid) + end + end +end +-- Ensure pre-allocated tmpfiles are created immediately on upgrades. +if posix.access("/usr/bin/systemd-tmpfiles", "x") then + if rpm.spawn ~= nil then + rpm.spawn({"/usr/bin/systemd-tmpfiles", "--create"}, {stderr='/dev/null'}) + else + local pid = posix.fork() + if pid == 0 then + posix.redirect2null(2) + posix.exec("/usr/bin/systemd-tmpfiles", "--create") + elseif pid > 0 then + posix.wait(pid) + end + end +end %files %license docs/COPYING From 03d0796999825b7bc5660ea4e919e2eb2ad249d6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 10:28:46 +0000 Subject: [PATCH 02/19] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 69d504812b3ee4c1647372d94148adcbdef5448a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Jan 2025 14:58:39 +0100 Subject: [PATCH 03/19] Add clock group for systemd --- group | 1 + uidgid | 1 + 2 files changed, 2 insertions(+) diff --git a/group b/group index 7d81402..20b7056 100644 --- a/group +++ b/group @@ -23,6 +23,7 @@ ftp:x:50: lock:x:54: audio:x:63: users:x:100: +clock:x:103: input:x:104: render:x:105: sgx:x:106: diff --git a/uidgid b/uidgid index 1d9d378..77ddad7 100644 --- a/uidgid +++ b/uidgid @@ -112,6 +112,7 @@ ident 98 98 / /usr/sbin/nologin ident # Note: 99 used to be the old uid for nobody, now moved to 65534, do not reuse users - 100 - - setup ssh_keys - 101 - - openssh +clock - 103 - - systemd input - 104 - - systemd render - 105 - - systemd sgx - 106 - - systemd 
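Review bot: The two new `%post` blocks throw away the helper's result: stderr goes to /dev/null and neither the `rpm.spawn` return value nor the `posix.wait` status is examined, so when `systemd-sysusers` or `systemd-tmpfiles` fails, the accounts or files are simply absent and nothing in the transaction output says so. Since the stated purpose is that later packages in the same transaction rely on these users and groups, I would keep stderr and print a warning on a non-zero result. In the fork fallback a failed `posix.exec` returns into the child, which then carries on as a second copy of the scriptlet; add `os.exit(127)` on the line after each `posix.exec(...)`. Guard the parent branch with `elseif pid and pid > 0 then` in case `posix.fork` fails (I am assuming it returns nil then, which is worth confirming against rpm's Lua API). The existing `newaliases` block above the hunk appears to follow the same pattern.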
From 3ee2a7088bb26b02948353c279fce6f811d891e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Mon, 10 Feb 2025 11:37:00 +0100 Subject: [PATCH 04/19] Drop pre-allocation of users and groups, during %%post MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is handled by rpm during %%pre now. See: https://pagure.io/fesco/issue/3318 Signed-off-by: Björn Esser --- setup.spec | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/setup.spec b/setup.spec index e85c42b..390249d 100644 --- a/setup.spec +++ b/setup.spec @@ -128,20 +128,6 @@ if posix.access("/usr/bin/newaliases", "x") then end end end --- Ensure pre-allocated users and groups are created immediately on upgrades. -if posix.access("/usr/bin/systemd-sysusers", "x") then - if rpm.spawn ~= nil then - rpm.spawn({"/usr/bin/systemd-sysusers"}, {stderr='/dev/null'}) - else - local pid = posix.fork() - if pid == 0 then - posix.redirect2null(2) - posix.exec("/usr/bin/systemd-sysusers") - elseif pid > 0 then - posix.wait(pid) - end - end -end -- Ensure pre-allocated tmpfiles are created immediately on upgrades. if posix.access("/usr/bin/systemd-tmpfiles", "x") then if rpm.spawn ~= nil then From 827730533e34a87ff743c15f81e218488232dbc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Mar 2025 13:46:36 +0100 Subject: [PATCH 05/19] profile: do not add /usr/sbin to the path On systems with merged-sbin, /usr/sbin is a symlink to /usr/bin (https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin). As reported in the Fedora Python channel, python3 -c 'import sys; print(sys.executable)' now returns /usr/sbin/python3 rather than /usr/bin/python3. We don't want the symlinked directories in the $PATH at all. --- profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/profile b/profile index 6ce1347..8bcc0e8 100644 --- a/profile +++ b/profile 
@@ -9,6 +9,9 @@ # will prevent the need for merging in future updates. pathmunge () { + # If the path is a compat symlink, do nothing. + [ -h "$1" ] && return + case ":${PATH}:" in *:"$1":*) ;; From df5ba729d6563460b72c6f17462e5a727aeaccc0 Mon Sep 17 00:00:00 2001 From: Martin Osvald Date: Mon, 10 Mar 2025 11:12:42 +0100 Subject: [PATCH 06/19] Removed uidgid pair 27:27 for MySQL/MariaDB --- uidgid | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/uidgid b/uidgid index 77ddad7..2d23694 100644 --- a/uidgid +++ b/uidgid @@ -34,7 +34,8 @@ squid 23 23 /var/spool/squid /dev/null squid pvm 24 24 /usr/share/pvm3 /bin/bash pvm named 25 25 /var/named /bin/false bind postgres 26 26 /var/lib/pgsql /bin/bash postgresql-server -mysql 27 27 /var/lib/mysql /bin/bash mysql +# Dynamic on new systems, removed Mar2025, can be freed if necessary later +#mysql 27 27 /var/lib/mysql /bin/bash mysql nscd 28 28 / /bin/false nscd rpcuser 29 29 /var/lib/nfs /bin/false nfs-utils console - 31 - - dev From c9bb85dabb9b3038c71df572028d1a3f8e7f7c25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 15:07:44 +0100 Subject: [PATCH 07/19] uidgid: make rtkit user dynamic Also https://src.fedoraproject.org/rpms/rtkit/pull-request/5. --- uidgid | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/uidgid b/uidgid index 2d23694..7791df5 100644 --- a/uidgid +++ b/uidgid 
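Review bot: The added test `[ -h "$1" ] && return` skips every directory whose last path component is a symlink, not only the merged-sbin compat links the comment names, so a profile.d script that calls `pathmunge` with a symlinked directory now silently loses its PATH entry. If that is intended, say so in the comment, e.g. `# Skip directories that are themselves symlinks (e.g. /usr/sbin on merged-sbin systems).`; if not, narrow the test to the paths in question. A trailing slash on the argument (`/usr/sbin/`) makes `-h` follow the link, so the test no longer matches and the directory is added after all. The body of `pathmunge` continues past the end of the hunk.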
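Review bot: The new comment on the `mysql` row invites handing UID/GID 27 to another package without stating the condition for doing so. "Dynamic on new systems" suggests that installations upgraded from older releases keep the account and its files under the numeric ID 27, in which case a package later given 27 statically would take ownership of whatever is still on disk with that ID. I would record that in the comment, e.g. `# Dynamic on new systems, removed Mar2025; upgraded systems may still use 27, check before reassigning`. The `rtkit` row (172) in the next patch gets the same wording and would need the same caveat.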
@@ -146,7 +146,8 @@ ceilometer 166 166 /var/lib/ceilometer /usr/sbin/nologin openstack-ceilometer ceph 167 167 /var/lib/ceph /usr/sbin/nologin ceph-common avahi-autoipd 170 170 /var/lib/avahi-autoipd /usr/sbin/nologin avahi pulse 171 171 /var/run/pulse /usr/sbin/nologin pulseaudio -rtkit 172 172 /proc /usr/sbin/nologin rtkit +# Dynamic on new systems, removed Mar2025, can be reused if necessary later +# rtkit 172 172 /proc /usr/sbin/nologin rtkit abrt 173 173 /etc/abrt /usr/sbin/nologin abrt retrace 174 174 /usr/share/retrace-server /usr/sbin/nologin retrace-server ovirtagent 175 175 / /usr/sbin/nologin ovirt-guest-agent From 7ced36d60b67c9e74f7951123225200597e3d2fa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 17:57:55 +0100 Subject: [PATCH 08/19] Create passwd,group files from sysusers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This inverts the order of operations: previously, the passwd and group files were the original source of information, and shadow and gpasswd were created using sed, and sysusers fragments were generated using a shell script. There are a few problems with the previous approach: - We had two sysusers files, one for groups and one for users. This split makes things more complicated. By default sysusers will create a group with the same name and number, if a user is defined without an explicit group override. This is what we want to do, to make the config shorter and easier to read. - The rpm sysusers generator created two sets of 'Provides:group(…)' attributes. In the new approach, we use the sysusers file as the "source of truth", and run systemd-sysusers to generate passwd, group, shadow, and gshadow files. This has the following advantages: - No code to maintain here. - The config is easier to read. - Does a lint of the data. If a uid conflict was present, we'd get a warning. - With the support for sysusers in rpm, when we install this package on a system, because of the Provides, rpm will create the users and groups using systemd-sysusers anyway. So by doing the same during the build, we match what rpm would do anyway, so we get a file that is closer to what will actually appear in the system. - Since we now have a file generated by systemd-sysusers in the payload, we can see how things will actually look on the installed system. This allowed me to notice a bug in systemd packaging.
--- generate-sysusers-fragments.sh | 31 ---------------------- setup.spec | 47 ++++++++++++++-------------------- setup.sysusers.conf | 39 ++++++++++++++++++++++++++++ uidgidlint | 25 ------------------ 4 files changed, 58 insertions(+), 84 deletions(-) delete mode 100755 generate-sysusers-fragments.sh create mode 100644 setup.sysusers.conf delete mode 100755 uidgidlint diff --git a/generate-sysusers-fragments.sh b/generate-sysusers-fragments.sh deleted file mode 100755 index 6ff9470..0000000 --- a/generate-sysusers-fragments.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bash -#SPDX-License-Identifier: 0BSD - -set -euo pipefail - -test -f etc/group -test -f etc/passwd - -mkdir -p sysusers.d - -while read -r line; do - groupname=$(echo "${line}" | cut -d: -f1) - gid=$(echo "${line}" | cut -d: -f3) - echo "g ${groupname} ${gid}" -done sysusers.d/20-setup-groups.conf - -while read -r line; do - username=$(echo "${line}" | cut -d: -f1) - uid=$(echo "${line}" | cut -d: -f3) - gid=$(echo "${line}" | cut -d: -f4) - gecos=$(echo "${line}" | cut -d: -f5) - homedir=$(echo "${line}" | cut -d: -f6) - if [ "${homedir}" == "/" ]; then - homedir="-" - fi - shell=$(echo "${line}" | cut -d: -f7) - if [ "${shell}" == "/usr/sbin/nologin" ]; then - shell="-" - fi - echo "u ${username} ${uid}:${gid} \"${gecos}\" ${homedir} ${shell}" -done sysusers.d/20-setup-users.conf diff --git a/setup.spec b/setup.spec index 390249d..83e6d62 100644 --- a/setup.spec +++ b/setup.spec 
@@ -12,31 +12,29 @@ Source0003: csh.cshrc Source0004: csh.login Source0005: ethertypes Source0006: filesystems -Source0007: group -Source0008: host.conf -Source0009: hosts -Source0010: inputrc -Source0011: networks -Source0012: passwd -Source0013: printcap -Source0014: profile -Source0015: protocols -Source0016: services -Source0017: shells +Source0007: host.conf +Source0008: hosts +Source0009: inputrc +Source0010: networks +Source0011: printcap +Source0012: profile +Source0013: protocols +Source0014: services +Source0015: shells Source0021: lang.csh Source0022: lang.sh Source0031: COPYING Source0032: uidgid -Source0033: generate-sysusers-fragments.sh -Source0034: uidgidlint +Source0033: setup.sysusers.conf Source0035: serviceslint BuildArch: noarch BuildRequires: bash BuildRequires: tcsh BuildRequires: perl-interpreter +BuildRequires: /usr/bin/systemd-sysusers #systemd-rpm-macros: required to use _sysusersdir and _tmpfilesdir macro BuildRequires: systemd-rpm-macros #require system release for saner dependency order @@ -48,21 +46,18 @@ setup files, such as passwd, group, and profile. %prep mkdir -p etc/profile.d -cp %{lua: for i=1,17 do print(sources[i]..' ') end} etc/ +cp %{lua: for i=1,15 do print(sources[i]..' ') end} etc/ cp %SOURCE21 %SOURCE22 etc/profile.d/ -touch etc/{exports,motd,subgid,subuid} +touch etc/{exports,motd,subgid,subuid,environment,fstab} mkdir -p docs cp %SOURCE31 %SOURCE32 docs/ -bash %SOURCE33 - %build -#make prototype for /etc/shadow -sed -e "s/:.*/:*:`expr $(date +%s) / 86400`:0:99999:7:::/" etc/passwd >etc/shadow - -#make prototype for /etc/gshadow -sed -e 's/:[0-9]\+:/::/g; s/:x:/::/' etc/group >etc/gshadow +# This produces ./etc/{passwd,group,shadow,gshadow} +systemd-sysusers --root=./ %SOURCE33 +# Allow the user to copy the file +chmod 0400 ./etc/{shadow,gshadow} %check # Sanity checking selected files.... 
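Review bot: After the `%build` change the shipped shadow file is whatever the build host's `systemd-sysusers` writes, and nothing in the build checks it, whereas the removed `sed` line fixed the password field to `*`. I would add an assertion in `%check` that every password field is locked, e.g. `test -z "$(grep -Ev '^[^:]+:[!*]' etc/shadow)"`, so a change in the tool's defaults cannot ship an account with an empty password field. The comment `# Allow the user to copy the file` would be clearer as `# sysusers leaves shadow/gshadow unreadable; make them owner-readable so %install can copy them as the build user`. That wording is my reading of why the chmod is needed, so please confirm it.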
@@ -70,19 +65,16 @@ bash -n etc/bashrc bash -n etc/profile tcsh -f etc/csh.cshrc tcsh -f etc/csh.login -(cd etc && bash %SOURCE34 ./uidgid) (cd etc && perl %SOURCE35 ./services) %install mkdir -p %{buildroot}/etc cp -ar etc/* %{buildroot}/etc/ -mkdir -p %{buildroot}%{_sysusersdir} -cp sysusers.d/* %{buildroot}%{_sysusersdir}/ +install -D -m0644 %SOURCE33 %{buildroot}%{_sysusersdir}/setup.conf mkdir -p %{buildroot}/var/log touch %{buildroot}/etc/environment -chmod 0400 %{buildroot}/etc/{shadow,gshadow} touch %{buildroot}/etc/fstab echo "#Add any required envvar overrides to this file, it is sourced from /etc/profile" >%{buildroot}/etc/profile.d/sh.local echo "#Add any required envvar overrides to this file, it is sourced from /etc/csh.login" >%{buildroot}/etc/profile.d/csh.local @@ -181,8 +173,7 @@ end %config(noreplace) %verify(not md5 size mtime) /etc/shells %ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/fstab %{_tmpfilesdir}/%{name}.conf -%{_sysusersdir}/20-setup-groups.conf -%{_sysusersdir}/20-setup-users.conf +%{_sysusersdir}/setup.conf /etc/dnf/protected.d/%{name}.conf %dir /usr/share/dnf5 %dir /usr/share/dnf5/libdnf.conf.d diff --git a/setup.sysusers.conf b/setup.sysusers.conf new file mode 100644 index 0000000..6ab9c87 --- /dev/null +++ b/setup.sysusers.conf 
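Review bot: With `chmod 0400 %{buildroot}/etc/{shadow,gshadow}` removed from `%install`, the mode of the packaged shadow files rests entirely on `cp -ar` carrying over the mode set in `%build`. That works today, but the two steps are far apart, and a later edit to either one (dropping `-a`, or regenerating the files after the chmod) would change the permissions without any build failure. Unless the `%files` entries for these files already pin the mode with `%attr` (not visible in this hunk), I would keep an explicit mode at install time or assert it in `%check`, e.g. `test "$(stat -c %%a etc/shadow)" = 400`.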
@@ -0,0 +1,39 @@
+u root 0 "Super User" /root /bin/bash
+u bin 1 "bin" /bin -
+u daemon 2 "daemon" /sbin -
+u adm 3:4 "adm" /var/adm -
+u lp 4:7 "lp" /var/spool/lpd -
+u sync 5:0 "sync" /sbin /bin/sync
+u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
+u halt 7:0 "halt" /sbin /sbin/halt
+u mail 8:12 "mail" /var/spool/mail -
+u operator 11:0 "operator" /root -
+u games 12:100 "games" /usr/games -
+u ftp 14:50 "FTP User" /var/ftp -
+u nobody 65534 "Kernel Overflow User" - -
+g sys 3
+g adm 4
+g tty 5
+g disk 6
+g lp 7
+g mem 8
+g kmem 9
+g wheel 10
+g cdrom 11
+g mail 12
+g man 15
+g dialout 18
+g floppy 19
+g games 20
+g utmp 22
+g tape 33
+g kvm 36
+g video 39
+g ftp 50
+g lock 54
+g audio 63
+g users 100
+g clock 103
+g input 104
+g render 105
+g sgx 106
diff --git a/uidgidlint b/uidgidlint
deleted file mode 100755
index 902f55e..0000000
--- a/uidgidlint
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-# We need a file to look at.
-if [ -z "$*" ] ; then
- echo Usage: `basename $0` uidgid
- exit 1
-fi
-error=0
-# The format of the file is (currently)
-for infile in "$@" ; do
- uidlist=`grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu`
- gidlist=`grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu`
- for uid in $uidlist ; do
- if test `grep -v '^#' "$infile" | awk '{print $2}' | grep '^'"$uid"'$' | wc -l` -ne 1 ; then
- echo Duplicate UID: $uid
- error=1
- fi
- done
- for gid in $gidlist ; do
- if test `grep -v '^#' "$infile" | awk '{print $3}' | grep '^'"$gid"'$' | wc -l` -ne 1 ; then
- echo Duplicate GID: $gid
- error=1
- fi
- done
-done
-exit $error
From d7e5faeee119529999589fd1e87375bb213b8ba4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 13:54:16 +0100 Subject: [PATCH 09/19] uidgid: adjust comments "can be freed" is strange, because apart from the comment, the ID is not reserved in any way.
---
 uidgid | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/uidgid b/uidgid index 7791df5..baa773f 100644 --- a/uidgid +++ b/uidgid @@ -34,7 +34,7 @@ squid 23 23 /var/spool/squid /dev/null squid pvm 24 24 /usr/share/pvm3 /bin/bash pvm named 25 25 /var/named /bin/false bind postgres 26 26 /var/lib/pgsql /bin/bash postgresql-server -# Dynamic on new systems, removed Mar2025, can be freed if necessary later +# Dynamic on new systems, removed Mar2025, can be reused if necessary later #mysql 27 27 /var/lib/mysql /bin/bash mysql nscd 28 28 / /bin/false nscd rpcuser 29 29 /var/lib/nfs /bin/false nfs-utils @@ -87,7 +87,7 @@ sshd 74 74 /var/empty/sshd /usr/sbin/nologin openssh-server radvd 75 75 / /bin/false radvd cyrus 76 (12) /var/imap /bin/bash cyrus-imapd saslauth - 76 - - cyrus-sasl, cyrus-imap -# Dynamic on new systems, removed Dec2023, can be freed if necessary later +# Dynamic on new systems, removed Dec2023, can be reused if necessary later #arpwatch 77 77 /var/lib/arpwatch /usr/sbin/nologin arpwatch fax 78 78 /var/spool/fax /usr/sbin/nologin mgetty nocpulse 79 79 /etc/sysconfig/nocpulse /bin/bash nocpulse @@ -157,7 +157,7 @@ myproxy 178 178 /var/lib/myproxy /usr/sbin/nologin myproxy-server sanlock 179 179 /var/run/sanlock /usr/sbin/nologin sanlock aeolus 180 180 /var/aeolus /usr/sbin/nologin aeolus-configure wallaby 181 181 /var/lib/wallaby /usr/sbin/nologin wallaby -# Not used anymore, removed Jun2021, can be freed if necessary later +# Not used anymore, removed Jun2021, can be reused if necessary later #katello 182 182 /usr/share/katello /usr/sbin/nologin katello-common elasticsearch 183 183 /usr/share/java/elasticsearch /usr/sbin/nologin elasticsearch mongodb 184 184 /var/lib/mongodb /usr/sbin/nologin mongodb 
@@ -170,7 +170,7 @@ haproxy 188 188 /var/lib/haproxy /usr/sbin/nologin haproxy haclient - 189 - - pacemaker hacluster 189 (189) / /usr/sbin/nologin pacemaker systemd-journal - 190 - - systemd -# Dynamic on new systems, removed Dec2014, can be freed if necessary later +# Dynamic on new systems, removed Dec2014, can be reused if necessary later #systemd-journal-gateway 191 191 / /usr/sbin/nologin systemd systemd-network 192 192 / /usr/sbin/nologin systemd systemd-resolve 193 193 / /usr/sbin/nologin systemd From a7c198fb394d56485ca6096dbbd19dde891e0825 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 14:47:21 +0100 Subject: [PATCH 10/19] uidgid: drop various unused users and groups I was trying to figure out what is the actual number of static allocations that we use. I checked various names that didn't seem familiar, and indeed, many of those packages have been long retired. For some names, I couldn't find any reliable references, which means that most likely they stopped being used sometime before the git era. --- uidgid | 91 ++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 60 insertions(+), 31 deletions(-) diff --git a/uidgid b/uidgid index baa773f..27cd146 100644 --- a/uidgid +++ b/uidgid 
@@ -19,30 +19,36 @@ news 9 13 /var/spool/news /usr/sbin/nologin inn uucp 10 14 /var/spool/uucp /usr/sbin/nologin uucp operator 11 (0) /root /usr/sbin/nologin setup games 12 (100) /usr/games /usr/sbin/nologin setup -# Not created by default anymore. -gopher 13 30 /var/gopher /usr/sbin/nologin - +# Removed in 2013 (#918206, #1667231), can be reused if necessary later +# gopher 13 30 /var/gopher /usr/sbin/nologin - ftp 14 50 /var/ftp /usr/sbin/nologin setup man - 15 - - setup -oprofile 16 16 /var/lib/oprofile /usr/sbin/nologin oprofile -pkiuser 17 17 /usr/share/pki /usr/sbin/nologin pki-ca,rhpki-ca +# Retired in 2018 (https://src.fedoraproject.org/rpms/oprofile/c/80fe828c879b1f67a109998cdd42a1bd8513bc3c) +# oprofile 16 16 /var/lib/oprofile /usr/sbin/nologin oprofile +# Retired sometime between 2011 and 2014 (https://src.fedoraproject.org/rpms/pki-ca/c/4ca1ce11a6e090099b36493653808cfe380911e1) +# pkiuser 17 17 /usr/share/pki /usr/sbin/nologin pki-ca,rhpki-ca dialout - 18 - - setup floppy - 19 - - setup games - 20 - - setup -slocate - 21 - - slocate +# mlocate retired in 2024 (https://src.fedoraproject.org/rpms/mlocate/c/7277dd5f59db126d1046a6aa5c4077a597dddddc) +# slocate - 21 - - slocate utmp - 22 - - initscripts,libutempter squid 23 23 /var/spool/squid /dev/null squid -pvm 24 24 /usr/share/pvm3 /bin/bash pvm +# Retired in 2015 (https://src.fedoraproject.org/rpms/pvm/c/eb6972917befbed00aff622c2c428d18439efe27) +# pvm 24 24 /usr/share/pvm3 /bin/bash pvm named 25 25 /var/named /bin/false bind postgres 26 26 /var/lib/pgsql /bin/bash postgresql-server # Dynamic on new systems, removed Mar2025, can be reused if necessary later #mysql 27 27 /var/lib/mysql /bin/bash mysql nscd 28 28 / /bin/false nscd rpcuser 29 29 /var/lib/nfs /bin/false nfs-utils -console - 31 - - dev +# Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008 +# console - 31 - - dev rpc 32 32 /var/lib/rpcbind /usr/sbin/nologin portmap amandabackup 33 
(6) /var/lib/amanda /bin/false amanda tape - 33 - - setup -netdump 34 34 /var/crash /bin/bash netdump-client, netdump-server +# Retired in 2021 (https://src.fedoraproject.org/rpms/netdump-server/c/9bbe604e20c113eaa7c897b9b12a705a36afb109) +# netdump 34 34 /var/crash /bin/bash netdump-client, netdump-server utempter - 35 - - libutempter kvm - 36 - - kvm, vdsm, libvirt vdsm 36 (36) / /bin/bash kvm, vdsm 
@@ -52,35 +58,45 @@ video - 39 - - setup dip - 40 - - ppp mailman 41 41 /usr/lib/mailman /usr/sbin/nologin mailman gdm 42 42 /var/lib/gdm /usr/sbin/nologin gdm -xfs 43 43 /etc/X11/fs /bin/false XFree86-xfs +# Retired in 2022 (https://src.fedoraproject.org/rpms/xorg-x11-xfs/c/3e273d8a939cf5f08bd4eea4f594fedd508dabcf) +# xfs 43 43 /etc/X11/fs /bin/false XFree86-xfs pppusers - 44 - - linuxconf popusers - 45 - - linuxconf slipusers - 46 - - linuxconf mailnull 47 47 /var/spool/mqueue /dev/null sendmail apache 48 48 /usr/share/httpd /bin/false httpd -wnn 49 49 /var/lib/wnn /usr/sbin/nologin FreeWnn +# Retired sometime before 2008 (https://src.fedoraproject.org/rpms/FreeWnn/c/8f9ac4e26531c704a26057be48261fb3d1ebea8e) +# wnn 49 49 /var/lib/wnn /usr/sbin/nologin FreeWnn smmsp 51 51 /var/spool/mqueue /dev/null sendmail puppet 52 52 /var/lib/puppet /usr/sbin/nologin puppet tomcat 53 53 /var/lib/tomcat /usr/sbin/nologin tomcat lock - 54 - - setup ldap 55 55 /var/lib/ldap /bin/false openldap-servers -frontpage 56 56 /var/www /bin/false mod_frontpage +# Last references on the web appear around 2007… +# frontpage 56 56 /var/www /bin/false mod_frontpage nut 57 57 /var/lib/ups /bin/false nut -beagleindex 58 58 /var/cache/beagle /bin/false beagle +# Retired in 2011 (https://src.fedoraproject.org/rpms/beagle/c/5721c9577eebdc7a0f6566f3efd955b3f4427a0e) +# beagleindex 58 58 /var/cache/beagle /bin/false beagle tss 59 59 - /usr/sbin/nologin trousers -piranha 60 60 /etc/sysconfig/ha /dev/null piranha -prelude-manager 61 61 - /usr/sbin/nologin prelude-manager -snortd 62 62 - /usr/sbin/nologin snortd +# Retired in 2012 (https://src.fedoraproject.org/rpms/piranha/c/15262075b63d48e2ee236ffb87d2db0a4aef1c42) +# piranha 60 60 /etc/sysconfig/ha /dev/null piranha +# Retired in 2025 (https://src.fedoraproject.org/rpms/prelude-manager/c/68cce28aa0e1788d857791155812e1f20d35036e) +# prelude-manager 61 61 - /usr/sbin/nologin prelude-manager +# Retired in 2011 
(https://src.fedoraproject.org/rpms/snort/c/e2e149974cb3b56b70ed158339a3cb931497dfa2) +# snortd 62 62 - /usr/sbin/nologin snortd audio - 63 - - setup condor 64 64 /var/lib/condor /usr/sbin/nologin condord nslcd 65 (55) / /usr/sbin/nologin nslcd wine - 66 - - wine pegasus 66 65 /var/lib/Pegasus /usr/sbin/nologin tog-pegasus webalizer 67 67 /var/www/usage /usr/sbin/nologin webalizer -haldaemon 68 68 / /usr/sbin/nologin hal -vcsa 69 69 - /usr/sbin/nologin dev,MAKEDEV +# Retired in 2011 (https://src.fedoraproject.org/rpms/hal/c/e6690cd150b5e1c13e7779de1ce32ded0bc22bc1) +# haldaemon 68 68 / /usr/sbin/nologin hal +# Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008 +# vcsa 69 69 - /usr/sbin/nologin dev,MAKEDEV avahi 70 70 /var/run/avahi-daemon /usr/sbin/nologin avahi -realtime - 71 - - - +# Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008 +# realtime - 71 - - - tcpdump 72 72 / /usr/sbin/nologin tcpdump privoxy 73 73 /etc/privoxy /bin/bash privoxy sshd 74 74 /var/empty/sshd /usr/sbin/nologin openssh-server 
@@ -90,24 +106,31 @@ saslauth - 76 - - cyrus-sasl, cyrus-imap # Dynamic on new systems, removed Dec2023, can be reused if necessary later #arpwatch 77 77 /var/lib/arpwatch /usr/sbin/nologin arpwatch fax 78 78 /var/spool/fax /usr/sbin/nologin mgetty -nocpulse 79 79 /etc/sysconfig/nocpulse /bin/bash nocpulse +# Retired in 2014 (https://src.fedoraproject.org/rpms/nocpulse-common/c/2ee190601831472ca3ae9857311cfbd31c129c0e) +# nocpulse 79 79 /etc/sysconfig/nocpulse /bin/bash nocpulse desktop 80 80 - /usr/sbin/nologin desktop-file-utils dbus 81 81 / /usr/sbin/nologin dbus -jonas 82 82 /var/lib/jonas /usr/sbin/nologin jonas +# References to JOnAS in FC3 around 2005… +# jonas 82 82 /var/lib/jonas /usr/sbin/nologin jonas clamav 83 83 /tmp /usr/sbin/nologin clamav screen - 84 - - screen -quaggavt - 85 - - quagga -sabayon 86 86 - /usr/sbin/nologin sabayon +# Retired in 2021 (https://src.fedoraproject.org/rpms/quagga/c/42d57331ac98fcc4c7103854cb1ce0ddfc4bbbc2) +# quaggavt - 85 - - quagga +# Retired in 2014 (https://src.fedoraproject.org/rpms/sabayon/c/e1c4c886227e8123e55fd3fad93dc966d512b9b9) +# sabayon 86 86 - /usr/sbin/nologin sabayon polkituser 87 87 / /usr/sbin/nologin PolicyKit wbpriv - 88 - - samba-common postfix 89 89 /var/spool/postfix /bin/true postfix postdrop - 90 - - postfix -majordomo 91 91 /usr/lib/majordomo /bin/bash majordomo -quagga 92 92 / /usr/sbin/nologin quagga +# https://en.wikipedia.org/wiki/Majordomo_(software) says final release was 19 January 2000 +# majordomo 91 91 /usr/lib/majordomo /bin/bash majordomo +# Retired in 2021 (https://src.fedoraproject.org/rpms/quagga/c/42d57331ac98fcc4c7103854cb1ce0ddfc4bbbc2) +# quagga 92 92 / /usr/sbin/nologin quagga exim 93 93 /var/spool/exim /usr/sbin/nologin exim distcache 94 94 / /usr/sbin/nologin distcache radiusd 95 95 / /bin/false freeradius -hsqldb 96 96 /var/lib/hsqldb /usr/sbin/nologin hsqldb +# Retired in 2021 (https://src.fedoraproject.org/rpms/hsqldb/c/54def1d22548601a91ccf6a92c17645a1c5d7cdf) +# hsqldb 
96 96 /var/lib/hsqldb /usr/sbin/nologin hsqldb dovecot 97 97 /usr/libexec/dovecot /usr/sbin/nologin dovecot ident 98 98 / /usr/sbin/nologin ident # Note: 99 used to be the old uid for nobody, now moved to 65534, do not reuse @@ -119,7 +142,8 @@ render - 105 - - systemd sgx - 106 - - systemd qemu 107 107 / /usr/sbin/nologin libvirt ovirt 108 108 / /usr/sbin/nologin libvirt -rhevm 109 109 /home/rhevm /usr/sbin/nologin vdsm-reg +# Retired in 2019 (https://src.fedoraproject.org/rpms/vdsm/c/6f1df621f648aa3b65edfcf3389649a6d13df5d4) +# rhevm 109 109 /home/rhevm /usr/sbin/nologin vdsm-reg jetty 110 110 /usr/share/jetty /usr/sbin/nologin jetty saned 111 111 / /usr/sbin/nologin sane-backends vhostmd 112 112 /usr/share/vhostmd /usr/sbin/nologin vhostmd @@ -128,10 +152,13 @@ polkitd 114 114 / /usr/sbin/nologin polkit bacula 133 133 /var/spool/bacula /usr/sbin/nologin bacula cimsrvr 134 134 / /usr/sbin/nologin tog-pegasus-libs mock - 135 / - mock -ricci 140 140 /var/lib/ricci /usr/sbin/nologin ricci -luci 141 141 /var/lib/luci /usr/sbin/nologin luci +# Retired in 2012 (https://src.fedoraproject.org/rpms/ricci/c/02a86812383253577ce309d633a400c9c6353ecd, +# https://fedoraproject.org/wiki/Features/Cluster) +# ricci 140 140 /var/lib/ricci /usr/sbin/nologin ricci +# luci 141 141 /var/lib/luci /usr/sbin/nologin luci activemq 142 142 /usr/share/activemq /usr/sbin/nologin activemq -cassandra 143 143 /var/lib/cassandra /usr/sbin/nologin cassandra +# Retired in 2019 (https://src.fedoraproject.org/rpms/cassandra/c/8fcb780b616a034aa5d787d04d631ac1f815f694) +# cassandra 143 143 /var/lib/cassandra /usr/sbin/nologin cassandra stap-server 155 155 /var/lib/stap-server /usr/sbin/nologin systemtap stapusr - 156 / - systemtap-runtime stapsys - 157 / - systemtap-runtime 
@@ -155,8 +182,10 @@ ats 176 176 / /usr/sbin/nologin trafficserver dhcpd 177 177 / /usr/sbin/nologin dhcp myproxy 178 178 /var/lib/myproxy /usr/sbin/nologin myproxy-server sanlock 179 179 /var/run/sanlock /usr/sbin/nologin sanlock -aeolus 180 180 /var/aeolus /usr/sbin/nologin aeolus-configure -wallaby 181 181 /var/lib/wallaby /usr/sbin/nologin wallaby +# Retired in 2012 (https://src.fedoraproject.org/rpms/aeolus-all/c/4b303d259fb530130e413be462e032390595714d) +# aeolus 180 180 /var/aeolus /usr/sbin/nologin aeolus-configure +# Retired in 2015 (https://src.fedoraproject.org/rpms/wallaby/c/93d5de780d22a378db988a8b72d3d30ebf628930) +# wallaby 181 181 /var/lib/wallaby /usr/sbin/nologin wallaby # Not used anymore, removed Jun2021, can be reused if necessary later #katello 182 182 /usr/share/katello /usr/sbin/nologin katello-common elasticsearch 183 183 /usr/share/java/elasticsearch /usr/sbin/nologin elasticsearch From 8b6d293ac93a43c145874633c28d7f66492f0d21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 17:57:55 +0100 Subject: [PATCH 11/19] Restore uidgidlint that was dropped by mistake This is a partial revert of 7ced36d60b67c9e74f7951123225200597e3d2fa and a follow-up. I was in the middle of reworking the commit and pushed the not-ready version to the upstream repo by mistake. The passwd and group files that are now generated are dropped. [skip changelog] --- group | 30 ------------------------------ passwd | 13 ------------- setup.spec | 2 ++ uidgidlint | 25 +++++++++++++++++++++++++ 4 files changed, 27 insertions(+), 43 deletions(-) delete mode 100644 group delete mode 100644 passwd create mode 100755 uidgidlint diff --git a/group b/group deleted file mode 100644 index 20b7056..0000000 --- a/group +++ /dev/null 
@@ -1,30 +0,0 @@
-root:x:0:
-bin:x:1:
-daemon:x:2:
-sys:x:3:
-adm:x:4:
-tty:x:5:
-disk:x:6:
-lp:x:7:
-mem:x:8:
-kmem:x:9:
-wheel:x:10:
-cdrom:x:11:
-mail:x:12:
-man:x:15:
-dialout:x:18:
-floppy:x:19:
-games:x:20:
-utmp:x:22:
-tape:x:33:
-kvm:x:36:
-video:x:39:
-ftp:x:50:
-lock:x:54:
-audio:x:63:
-users:x:100:
-clock:x:103:
-input:x:104:
-render:x:105:
-sgx:x:106:
-nobody:x:65534:
diff --git a/passwd b/passwd
deleted file mode 100644
index 14316c5..0000000
--- a/passwd
+++ /dev/null
@@ -1,13 +0,0 @@
-root:x:0:0:Super User:/root:/bin/bash
-bin:x:1:1:bin:/bin:/usr/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
-adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
-lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
-sync:x:5:0:sync:/sbin:/bin/sync
-shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
-halt:x:7:0:halt:/sbin:/sbin/halt
-mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
-operator:x:11:0:operator:/root:/usr/sbin/nologin
-games:x:12:100:games:/usr/games:/usr/sbin/nologin
-ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
-nobody:x:65534:65534:Kernel Overflow User:/:/usr/sbin/nologin
diff --git a/setup.spec b/setup.spec
index 83e6d62..9d7688f 100644
--- a/setup.spec
+++ b/setup.spec
@@ -28,6 +28,7 @@ Source0022: lang.sh Source0031: COPYING Source0032: uidgid Source0033: setup.sysusers.conf
+Source0034: uidgidlint
 Source0035: serviceslint BuildArch: noarch
@@ -65,6 +66,7 @@ bash -n etc/bashrc bash -n etc/profile tcsh -f etc/csh.cshrc tcsh -f etc/csh.login
+(cd etc && bash %SOURCE34 ./uidgid)
 (cd etc && perl %SOURCE35 ./services) %install
diff --git a/uidgidlint b/uidgidlint
new file mode 100755
index 0000000..902f55e
--- /dev/null
+++ b/uidgidlint
@@ -0,0 +1,25 @@ +#!/bin/sh +# We need a file to look at. +if [ -z "$*" ] ; then + echo Usage: `basename $0` uidgid + exit 1 +fi +error=0 +# The format of the file is (currently) +for infile in "$@" ; do + uidlist=`grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu` + gidlist=`grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu` + for uid in $uidlist ; do + if test `grep -v '^#' "$infile" | awk '{print $2}' | grep '^'"$uid"'$' | wc -l` -ne 1 ; then + echo Duplicate UID: $uid + error=1 + fi + done + for gid in $gidlist ; do + if test `grep -v '^#' "$infile" | awk '{print $3}' | grep '^'"$gid"'$' | wc -l` -ne 1 ; then + echo Duplicate GID: $gid + error=1 + fi + done +done +exit $error From cab8b065bde0083e278d0b066dc77ffc2b4f9e8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 18:37:50 +0100 Subject: [PATCH 12/19] Fix uidgidlint invocation in %check The test failed: + cd etc + bash /builddir/build/SOURCES/uidgidlint ./uidgid grep: ./uidgid: No such file or directory grep: ./uidgid: No such file or directory but because pipefail wasn't set, the script iterated over empty input and didn't actually test anything. Set -o eu,pipefail to catch similar errors in the future and fix the invocation so that the test passes. [skip changelog] --- setup.spec | 2 +- uidgidlint | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/setup.spec b/setup.spec index 9d7688f..ceee55e 100644 --- a/setup.spec +++ b/setup.spec @@ -66,7 +66,7 @@ bash -n etc/bashrc bash -n etc/profile tcsh -f etc/csh.cshrc tcsh -f etc/csh.login -(cd etc && bash %SOURCE34 ./uidgid) +bash %SOURCE34 docs/uidgid (cd etc && perl %SOURCE35 ./services) %install diff --git a/uidgidlint b/uidgidlint index 902f55e..c45beb3 100755 --- a/uidgidlint +++ b/uidgidlint @@ -1,4 +1,7 @@ -#!/bin/sh +#!/bin/bash +set -eu +set -o pipefail + # We need a file to look at. if [ -z "$*" ] ; then echo Usage: `basename $0` uidgid 
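Review bot: In the new uidgidlint file the comment `# The format of the file is (currently)` stops before naming the format, so the column positions that `awk '{print $2}'` and `awk '{print $3}'` rely on are undocumented. Judging by the uidgid rows elsewhere in this series, `# Format: NAME UID GID HOME SHELL PACKAGES, whitespace-separated, "-" for an unset field` would cover it. Because `grep -v '^#'` drops every commented row, IDs that are only reserved in comments are never compared against live rows. The header comment should say that the script checks active entries only.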
From b760dd5ee7dd8721541d178784ed77a8209a2d2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 14 Mar 2025 18:41:17 +0100 Subject: [PATCH 13/19] uidgidlint: make the script shellcheck-clean [skip changelog] --- uidgidlint | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/uidgidlint b/uidgidlint index c45beb3..997cc43 100755 --- a/uidgidlint +++ b/uidgidlint @@ -4,23 +4,23 @@ set -o pipefail # We need a file to look at. if [ -z "$*" ] ; then - echo Usage: `basename $0` uidgid + echo "Usage: $0 uidgid" exit 1 fi error=0 # The format of the file is (currently) for infile in "$@" ; do - uidlist=`grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu` - gidlist=`grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu` - for uid in $uidlist ; do - if test `grep -v '^#' "$infile" | awk '{print $2}' | grep '^'"$uid"'$' | wc -l` -ne 1 ; then - echo Duplicate UID: $uid + uidlist=$(grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu) + gidlist=$(grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu) + for uid in $uidlist; do + if test "$(grep -v '^#' "$infile" | awk '{print $2}' | grep -c '^'"$uid"'$')" -ne 1 ; then + echo "Duplicate UID: $uid" error=1 fi done - for gid in $gidlist ; do - if test `grep -v '^#' "$infile" | awk '{print $3}' | grep '^'"$gid"'$' | wc -l` -ne 1 ; then - echo Duplicate GID: $gid + for gid in $gidlist; do + if test "$(grep -v '^#' "$infile" | awk '{print $3}' | grep -c '^'"$gid"'$')" -ne 1 ; then + echo "Duplicate GID: $gid" error=1 fi done From 955d69eeb7b0833fc95eff8ebfa853809ad5a365 Mon Sep 17 00:00:00 2001 
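Review bot: In both `if test` lines the ID read from the input file is spliced into a regular expression (`grep -c '^'"$uid"'$'`), so a field that is not purely numeric would be matched as a pattern rather than as text. A fixed-string whole-line match avoids that: `grep -cxF -- "$uid"`, and likewise `grep -cxF -- "$gid"`. The `Usage:` and `Duplicate …` messages would also be better sent to stderr with `>&2`, so a caller capturing stdout does not lose them. The outer `for infile` loop and the final `exit $error` lie outside this hunk.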
From: Daan De Meyer Date: Thu, 20 Mar 2025 11:55:12 +0100 Subject: [PATCH 14/19] Add root and nobody groups These were added to systemd's basic.conf in 4ced52595f3e0367a0f2823be8b7acf6d7b7c2be, 49bb7fe5f88fc35b8529d7d8dfcd4c151a9aaf1a and 9361a712f85860ead532dba1468dbd3deef00e34. Let's add them to the setup package as well to ensure we match with systemd's expected user/group layout. --- setup.sysusers.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup.sysusers.conf b/setup.sysusers.conf index 6ab9c87..ee75bdc 100644 --- a/setup.sysusers.conf +++ b/setup.sysusers.conf @@ -11,6 +11,7 @@ u operator 11:0 "operator" /root - u games 12:100 "games" /usr/games - u ftp 14:50 "FTP User" /var/ftp - u nobody 65534 "Kernel Overflow User" - - +g root 0 g sys 3 g adm 4 g tty 5 @@ -37,3 +38,4 @@ g clock 103 g input 104 g render 105 g sgx 106 +g nobody 65534 From e342621812686a5102f822a5873473203874236c Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 20 Mar 2025 12:02:09 +0100 Subject: [PATCH 15/19] Insist that the root and nobody groups have the expected GIDs This mirrors the same change from 49bb7fe5f88fc35b8529d7d8dfcd4c151a9aaf1a and 4ced52595f3e0367a0f2823be8b7acf6d7b7c2be in systemd. Instead of potentially allocating random GIDs for the root and nobody groups, let's insist that these have the expected GIDs. --- setup.sysusers.conf | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/setup.sysusers.conf b/setup.sysusers.conf index ee75bdc..82be285 100644 --- a/setup.sysusers.conf +++ b/setup.sysusers.conf 
@@ -1,16 +1,16 @@ -u root 0 "Super User" /root /bin/bash -u bin 1 "bin" /bin - -u daemon 2 "daemon" /sbin - -u adm 3:4 "adm" /var/adm - -u lp 4:7 "lp" /var/spool/lpd - -u sync 5:0 "sync" /sbin /bin/sync -u shutdown 6:0 "shutdown" /sbin /sbin/shutdown -u halt 7:0 "halt" /sbin /sbin/halt -u mail 8:12 "mail" /var/spool/mail - -u operator 11:0 "operator" /root - -u games 12:100 "games" /usr/games - -u ftp 14:50 "FTP User" /var/ftp - -u nobody 65534 "Kernel Overflow User" - - +u root 0:0 "Super User" /root /bin/bash +u bin 1 "bin" /bin - +u daemon 2 "daemon" /sbin - +u adm 3:4 "adm" /var/adm - +u lp 4:7 "lp" /var/spool/lpd - +u sync 5:0 "sync" /sbin /bin/sync +u shutdown 6:0 "shutdown" /sbin /sbin/shutdown +u halt 7:0 "halt" /sbin /sbin/halt +u mail 8:12 "mail" /var/spool/mail - +u operator 11:0 "operator" /root - +u games 12:100 "games" /usr/games - +u ftp 14:50 "FTP User" /var/ftp - +u nobody 65534:65534 "Kernel Overflow User" - - g root 0 g sys 3 g adm 4 From 1b24ffc03311ee08d45566bc69af331cec5511c3 Mon Sep 17 00:00:00 2001 From: Mattias Ellert Date: Mon, 12 May 2025 12:03:16 +0200 Subject: [PATCH 16/19] Reserve 194:194 for xrootd (xrootd-server) https://pagure.io/packaging-committee/issue/1444 --- uidgid | 1 + 1 file changed, 1 insertion(+) diff --git a/uidgid b/uidgid index 27cd146..52b4a0b 100644 --- a/uidgid +++ b/uidgid @@ -203,6 +203,7 @@ systemd-journal - 190 - - systemd #systemd-journal-gateway 191 191 / /usr/sbin/nologin systemd systemd-network 192 192 / /usr/sbin/nologin systemd systemd-resolve 193 193 / /usr/sbin/nologin systemd +xrootd 194 194 /var/spool/xrootd - xrootd-server #gnats ? ? ? ? gnats, gnats-db #listar ? ? ? ? listar nobody 65534 65534 / /usr/sbin/nologin setup From 94f4f1acd8043ebf19727f66a0b91e6a530e4d7b Mon Sep 17 00:00:00 2001 
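Review bot: In the uidgid hunk the new `xrootd 194 194` row leaves the shell column as `-`, while the user rows around it (`systemd-network`, `systemd-resolve`, `nobody`) spell out `/usr/sbin/nologin`. For a row that reserves a UID, the table then does not record whether the account is meant to be non-interactive. If xrootd-server creates the account without a login shell, which cannot be told from this hunk, write it out: `xrootd 194 194 /var/spool/xrootd /usr/sbin/nologin xrootd-server`.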
From: Martin Osvald Date: Wed, 14 May 2025 17:17:56 +0200 Subject: [PATCH 17/19] protocols: update to latest IANA Resolves: rhbz#2366217 --- protocols | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/protocols b/protocols index f5b950f..75e88ba 100644 --- a/protocols +++ b/protocols @@ -1,12 +1,12 @@ # /etc/protocols: -# $Id: protocols,v 1.12 2016/07/08 12:27 ovasik Exp $ +# $Id: protocols,v 1.13 2025/05/14 15:30 mosvald Exp $ # # Internet (IP) protocols # # from: @(#)protocols 5.1 (Berkeley) 4/17/89 # # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992). -# Last IANA update included dated 2011-05-03 +# Last IANA update included dated 2025-01-08 # # See also http://www.iana.org/assignments/protocol-numbers @@ -66,7 +66,7 @@ ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 (not in official list) ah 51 AH # Authentication Header ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6 (not in official list) i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA -swipe 53 SWIPE # IP with Encryption +swipe 53 SWIPE # IP with Encryption (deprecated) narp 54 NARP # NBMA Address Resolution Protocol mobile 55 MOBILE # IP Mobility tlsp 56 TLSP # Transport Layer Security Protocol @@ -108,7 +108,7 @@ larp 91 LARP # Locus Address Resolution Protocol mtp 92 MTP # Multicast Transport Protocol ax.25 93 AX.25 # AX.25 Frames ipip 94 IPIP # Yet Another IP encapsulation -micp 95 MICP # Mobile Internetworking Control Pro. +micp 95 MICP # Mobile Internetworking Control Pro. (deprecated) scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro. etherip 97 ETHERIP # Ethernet-within-IP Encapsulation encap 98 ENCAP # Yet Another IP encapsulation 
@@ -156,7 +156,12 @@ hip 139 HIP # Host Identity Protocol shim6 140 Shim6 # Shim6 Protocol wesp 141 WESP # Wrapped Encapsulating Security Payload rohc 142 ROHC # Robust Header Compression -# 143-252 Unassigned [IANA] +ethernet 143 Ethernet # Ethernet encapsulation for SRv6 +aggfrag 144 AGGFRAG # AGGFRAG encapsulation payload for ESP +nsh 145 NSH # Network Service Header +homa 146 Homa # Homa +bit-emu 147 BIT-EMU # Bit-stream Emulation +# 148-252 Unassigned [IANA] # 253 Use for experimentation and testing [RFC3692] # 254 Use for experimentation and testing [RFC3692] # 255 Reserved [IANA] From d7927e797559f3cd051fd4b5a359090f139bd5ee Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 18:11:02 +0000 Subject: [PATCH 18/19] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From f2d2aec19325d0200557c13e607d983e71154aec Mon Sep 17 00:00:00 2001 From: Lukas Javorsky Date: Mon, 27 Oct 2025 13:45:19 +0000 Subject: [PATCH 19/19] Revert "Removed uidgid pair 27:27 for MySQL/MariaDB" This reverts commit df5ba729d6563460b72c6f17462e5a727aeaccc0. Reason: The MariaDB and MySQL sysusers.d files has to use soft static allocation in order to correctly handle the MariaDB PAM v2 plugin which utilizes setuid-to-root binary "/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool". Related: RHEL-119790 RHEL-119789 --- uidgid | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/uidgid b/uidgid index 52b4a0b..a1759fd 100644 --- a/uidgid +++ b/uidgid 
@@ -38,8 +38,7 @@ squid 23 23 /var/spool/squid /dev/null squid # pvm 24 24 /usr/share/pvm3 /bin/bash pvm named 25 25 /var/named /bin/false bind postgres 26 26 /var/lib/pgsql /bin/bash postgresql-server -# Dynamic on new systems, removed Mar2025, can be reused if necessary later -#mysql 27 27 /var/lib/mysql /bin/bash mysql +mysql 27 27 /var/lib/mysql /usr/sbin/nologin mysql nscd 28 28 / /bin/false nscd rpcuser 29 29 /var/lib/nfs /bin/false nfs-utils # Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008
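Review bot: The restored `mysql 27 27` row carries no comment saying why the pair has to stay statically reserved, and the comment it replaces said the IDs `can be reused if necessary later`. The reason is only in the commit message (the MariaDB and MySQL sysusers.d files need soft static allocation for the PAM v2 plugin's setuid-to-root `auth_pam_tool`), so a later cleanup could retire the row again. A line above it such as `# Keep 27:27: MariaDB/MySQL sysusers.d use soft static allocation (PAM v2 auth_pam_tool), see RHEL-119790` would keep that on record. The shell is now `/usr/sbin/nologin` where the removed row had `/bin/bash`, so this is not a byte-for-byte revert, which deserves a word in the description.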