From: Hugo Villeneuve
Date: Sun, 7 Dec 2014 17:39:34 +0000 (-0500)
Subject: Clean system group IDs
X-Git-Url: http://gitweb.hugovil.com/?a=commitdiff_plain;h=ac5da19615d2c5774889fe779184f904d594bae1;p=hvlinux.git

Clean system group IDs

Remove unused function hv_groupadd.
Remove hardcoded numerical group IDs when creating some system users.
---
diff --git a/functions/main b/functions/main
index 7c167e5..038b99d 100644
--- a/functions/main
+++ b/functions/main
@@ -555,23 +555,6 @@ var_add_shadow()
 sed -i "s!\(^${VARIABLE}.*\)!\1:${VALUE}!" ${FILE}
 }
 
-# Adding a new group, checking if it already exist before.
-# Arguments: same arguments as for standard groupadd command.
-hv_groupadd()
-{
- arguments=${*}
-
- # The last argument is the group name
- while [ $# -ne 0 ]; do
- groupname=${*}
- shift
- done
-
- if ! cat /etc/group | egrep -q "^${groupname}:"; then
- groupadd ${arguments}
- fi
-}
-
 # Adding a new user, checking if it already exist before
 # Arguments: same arguments as for standard useradd command.
 hv_useradd()
diff --git a/stage1/create-groups b/stage1/create-groups
index 88d3015..6db93f4 100755
--- a/stage1/create-groups
+++ b/stage1/create-groups
@@ -4,6 +4,8 @@ source ../functions/main
 
 # In order for root to be able to login and for the name "root" to be
 # recognized, there need to be relevant entries in the /etc/group file.
+#
+# Group 'mail' is used by MTAs (Mail Transport Agents)
 cat > ${LFS}/etc/group << "EOF"
 root:x:0:
 bin:x:1:
@@ -12,22 +14,19 @@ kmem:x:3:
 tty:x:4:
 tape:x:5:
 daemon:x:6:
-floppy:x:7:
-disk:x:8:
-lp:x:9:
-dialout:x:10:
-audio:x:11:
-video:x:12:
-utmp:x:13:
-usb:x:14:
-cdrom:x:15:
-# Used by MTAs (Mail Transport Agents)
-mail:x:30:mail
-shutdown:x:999:
-# The default GID used by shadow for new users
+disk:x:7:
+lp:x:8:
+dialout:x:9:
+audio:x:10:
+video:x:11:
+utmp:x:12:
+usb:x:13:
+cdrom:x:14:
+mail:x:15:mail
+shutdown:x:17:
+plugdev:x:98:
+nogroup:x:99:
 users:x:1000:
-# Default group used by some programs that do not require a group.
-nogroup:x:65533:
 EOF
 
 exit $?
diff --git a/stage2/misc/udev/10-media-automount.rules b/stage2/misc/udev/10-media-automount.rules
index af79563..4e015d2 100644
--- a/stage2/misc/udev/10-media-automount.rules
+++ b/stage2/misc/udev/10-media-automount.rules
@@ -14,8 +14,8 @@ ACTION=="add", RUN+="/bin/mkdir -p '/media/%E{dir_name}'"
 
 # global mount options
 ACTION=="add", ENV{mount_options}="relatime"
-# filesystem-specific mount options (777/666 dir/file perms for ntfs/vfat)
-ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},gid=100,dmask=000,fmask=111,utf8"
+# filesystem-specific mount options (777/666 dir/file perms for ntfs/vfat)
+ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},gid=98,dmask=000,fmask=111,utf8"
 
 # automount ntfs filesystems using ntfs-3g driver
 ACTION=="add", ENV{ID_FS_TYPE}=="ntfs", RUN+="/bin/mount -t ntfs-3g -o %E{mount_options} /dev/%k '/media/%E{dir_name}'"
diff --git a/stage2/misc/udev/11-sd-card-automount.rules b/stage2/misc/udev/11-sd-card-automount.rules
index de62336..9112993 100644
--- a/stage2/misc/udev/11-sd-card-automount.rules
+++ b/stage2/misc/udev/11-sd-card-automount.rules
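Review bot: The renumbering in this hunk (disk 8→7, lp 9→8, …, mail 30→15, nogroup 65533→99) changes the numeric group of every file and device node already created under the old GIDs, and the `cat > ${LFS}/etc/group` in the previous hunk overwrites the table unconditionally, so re-running stage1/create-groups on a populated ${LFS} leaves existing group ownership pointing at the wrong names; neither the script nor the commit message mentions this. The purpose comment for 'nogroup' is dropped here while the 'mail' one was moved into the header; keep it, e.g. `# Group 'nogroup' is the default for programs that do not require a group.` beside the 'mail' line. Since the udev automount rules in this commit reference gid=98, a note that 98 is 'plugdev' belongs in the same header.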
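Review bot: `gid=98` on the new ACTION line is a hard-coded numeric GID whose meaning depends entirely on stage1/create-groups assigning 98 to 'plugdev' in this same commit; the description says the commit removes hard-coded numerical group IDs, yet this one silently couples the rule to that table. If the mount implementation in use resolves group names in `gid=` (recent util-linux does), `gid=plugdev` removes the coupling; otherwise document it with `# gid=98 is 'plugdev' (see stage1/create-groups)` above the rule. The gid=98 line in the 11-sd-card-automount.rules hunk has the same issue.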
@@ -16,7 +16,7 @@ ACTION=="add", RUN+="/bin/mkdir -p '/media/%E{dir_name}'"
 ACTION=="add", ENV{mount_options}="relatime"
 # Filesystem specific options
 ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
-ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},utf8,gid=100,umask=002"
+ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},utf8,gid=98,umask=002"
 
 # automount all other filesystems
 ACTION=="add", ENV{ID_FS_TYPE}!="ntfs", RUN+="/bin/mount -t auto -o %E{mount_options} /dev/%k '/media/%E{dir_name}'"
diff --git a/stage2/pkg/eudev b/stage2/pkg/eudev
index 990f95f..816d573 100644
--- a/stage2/pkg/eudev
+++ b/stage2/pkg/eudev
@@ -30,6 +30,9 @@ hvbuild_post()
 sed -i -e "s/\(SYMLINK+=\"cdrom\)\"/\1 dvd\"/" \
 /lib/udev/rules.d/60-cdrom_id.rules
 
+ # Remove obsolete rule
+ sed -i -e "/floppy/d" /lib/udev/rules.d/50-udev-default.rules
+
 install -dv /lib/{firmware,udev/devices/{pts,shm}}
 
 install -v -m740 ${SCRDIR}/bootscripts/udev /etc/rc.d/init.d
diff --git a/stage2/pkg/shadow b/stage2/pkg/shadow
index a8314a9..11d9ba9 100644
--- a/stage2/pkg/shadow
+++ b/stage2/pkg/shadow
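Review bot: `sed -i -e "/floppy/d"` in the eudev hunk deletes every line of 50-udev-default.rules that contains the word floppy, not only the rule that assigns the group this commit removes, and the comment `# Remove obsolete rule` does not say why it is obsolete. Tie it to its cause, `# Group 'floppy' no longer exists (see stage1/create-groups); drop the udev rule that references it`, and if the file refers to the group only through a GROUP= assignment, narrow the pattern to `/GROUP="floppy"/d` so unrelated lines survive. hvbuild_post continues outside the hunk.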
@@ -11,10 +11,11 @@ hvconfig_pre()
 sed -i 's/groups$(EXEEXT) //' src/Makefile.in
 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
 
- # Instead of using the default crypt method, use the more secure SHA-512 method
- # of password encryption, which also allows passwords longer than 8 characters.
- # It is also necessary to change the obsolete /var/spool/mail location for user
- # mailboxes that Shadow uses by default to the /var/mail location used currently:
+ # Instead of using the default crypt method, use the more secure SHA-512
+ # method of password encryption, which also allows passwords longer than 8
+characters. It is also necessary to change the obsolete /var/spool/mail
+ # location for user mailboxes that Shadow uses by default to the /var/mail
+ # location used currently:
 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
 -e 's@/var/spool/mail@/var/mail@' etc/login.defs
 }
@@ -35,4 +36,13 @@ hvbuild_post()
 
 # To enable shadowed group passwords:
 grpconv
+
+ # Set system group ID range from 1 to 90:
+ # 0 is reserved for group 'root'
+ # 99 is reserved for group 'nogroup'
+ sed -e "s/\(SYS_UID_MIN\s\+\)[0-9]\+/\1 1/" \
+ -e "s/\(SYS_UID_MAX\s\+\)[0-9]\+/\1 90/" \
+ -e "s/\(SYS_GID_MIN\s\+\)[0-9]\+/\1 1/" \
+ -e "s/\(SYS_GID_MAX\s\+\)[0-9]\+/\1 90/" \
+ -i /etc/login.defs
 }
diff --git a/stage3/pkg/bind b/stage3/pkg/bind
index 74d498a..bed0509 100644
--- a/stage3/pkg/bind
+++ b/stage3/pkg/bind
@@ -2,8 +2,8 @@
 
 hvconfig_pre()
 {
- groupadd -f named
- hv_useradd -c BindOwner -g named -s /bin/false named
+ groupadd --system -f named
+ hv_useradd --system -c BindOwner -g named -s /bin/false named
 
 install -d -m770 -o named -g named /srv/named
 }
diff --git a/stage3/pkg/fcron b/stage3/pkg/fcron
index 745420b..ca3fa88 100644
--- a/stage3/pkg/fcron
+++ b/stage3/pkg/fcron
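Review bot: In the rewrapped comment of the first stage2/pkg/shadow hunk the third new line appears as `+characters. It is also necessary to change the obsolete /var/spool/mail` with no leading `#`, so it is no longer a comment but a command that the shell will try to run when hvconfig_pre executes; the stage3/pkg/shadow copy of the same comment does carry the `#`. Restore it as `    # characters. It is also necessary to change the obsolete /var/spool/mail`.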
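Review bot: The `sed -e "s/\(SYS_UID_MIN\s\+\)..."` block in the hvbuild_post hunk rewrites SYS_UID_MIN/SYS_UID_MAX as well as the GID keys, but the comment above it only speaks of the group ID range; say so, e.g. `# Restrict system user and group IDs to 1-90 (0 = root, 99 = nogroup):`. The patterns are not anchored to the start of the line, so a login.defs that ships these keys commented out (`#SYS_GID_MAX ...`) is edited but stays commented and useradd/groupadd --system keep their built-in default range, and nothing verifies the result. A post-check such as `grep -q '^SYS_GID_MAX[[:space:]]*90$' /etc/login.defs || exit 1` would catch that. The same block is duplicated verbatim in the stage3/pkg/shadow hvbuild_post hunk; a shared helper in functions/main would keep the two copies from drifting.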
@@ -2,8 +2,8 @@
 
 hvconfig_pre()
 {
- groupadd -f fcron
- hv_useradd -c fcron -g fcron fcron
+ groupadd --system -f fcron
+ hv_useradd --system -c fcron -g fcron fcron
 
 # Create a dummy sendmail executable to fool fcron
 DUMMY_SM_PATH=/usr/sbin/sendmail
diff --git a/stage3/pkg/mysql b/stage3/pkg/mysql
index 73570b1..75d4a7e 100644
--- a/stage3/pkg/mysql
+++ b/stage3/pkg/mysql
@@ -2,8 +2,8 @@
 
 hvconfig_pre()
 {
- groupadd -f mysql
- hv_useradd -c mysql -d /dev/null -g mysql -s /bin/false mysql
+ groupadd --system -f mysql
+ hv_useradd --system -c mysql -d /dev/null -g mysql -s /bin/false mysql
 }
 
 hvconfig()
diff --git a/stage3/pkg/openssh b/stage3/pkg/openssh
index cc1854e..23f1738 100644
--- a/stage3/pkg/openssh
+++ b/stage3/pkg/openssh
@@ -5,8 +5,9 @@ hvconfig_pre()
 install -v -m700 -d /var/lib/sshd
 chown -v root:sys /var/lib/sshd
 
- groupadd -f sshd
- hv_useradd -c sshd-privsep -d /var/lib/sshd -g sshd -s /bin/false sshd
+ groupadd --system -f sshd
+ hv_useradd --system -c sshd-privsep -d /var/lib/sshd -g sshd \
+ -s /bin/false sshd
 
 CONFIGURE_OPTS="\
 ${CONFIGURE_OPTS} \
diff --git a/stage3/pkg/sendmail b/stage3/pkg/sendmail
index 808be79..12fb7f9 100644
--- a/stage3/pkg/sendmail
+++ b/stage3/pkg/sendmail
@@ -2,9 +2,9 @@
 
 hvbuild()
 {
- groupadd -f smmsp
- groupadd -f mail
- hv_useradd -g smmsp -G mail smmsp
+ groupadd --system -f smmsp
+ groupadd --system -f mail
+ hv_useradd --system -g smmsp -G mail smmsp
 chmod 1777 /var/mail
 mkdir -p /var/spool/mqueue
 mkdir -p /etc/mail
diff --git a/stage3/pkg/shadow b/stage3/pkg/shadow
index 63850f0..a73e8a0 100644
--- a/stage3/pkg/shadow
+++ b/stage3/pkg/shadow
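Review bot: `hv_useradd --system -c fcron -g fcron fcron` in the fcron hunk sets no login shell, unlike the bind, mysql and openssh hunks in this commit that pass `-s /bin/false`, so the fcron service account keeps whatever default shell useradd applies and becomes usable for an interactive login if a password is ever assigned; the smmsp account in the sendmail hunk has the same gap. Suggest `hv_useradd --system -c fcron -g fcron -s /bin/false fcron` and `hv_useradd --system -g smmsp -G mail -s /bin/false smmsp` for consistency with the other service users.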
@@ -13,10 +13,11 @@ hvconfig_pre()
 sed -i 's/groups$(EXEEXT) //' src/Makefile.in
 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
 
- # Instead of using the default crypt method, use the more secure SHA-512 method
- # of password encryption, which also allows passwords longer than 8 characters.
- # It is also necessary to change the obsolete /var/spool/mail location for user
- # mailboxes that Shadow uses by default to the /var/mail location used currently:
+ # Instead of using the default crypt method, use the more secure SHA-512
+ # method of password encryption, which also allows passwords longer than 8
+ # characters. It is also necessary to change the obsolete /var/spool/mail
+ # location for user mailboxes that Shadow uses by default to the /var/mail
+ # location used currently:
 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
 -e 's@/var/spool/mail@/var/mail@' /etc/login.defs
 }
@@ -75,4 +76,13 @@ hvbuild_post()
 # resources, Linux-PAM uses the pam_limits.so module along with the
 # /etc/security/limits.conf file. Rename the /etc/limits file:
 [ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}
+
+ # Set system group ID range from 1 to 90:
+ # 0 is reserved for group 'root'
+ # 99 is reserved for group 'nogroup'
+ sed -e "s/\(SYS_UID_MIN\s\+\)[0-9]\+/\1 1/" \
+ -e "s/\(SYS_UID_MAX\s\+\)[0-9]\+/\1 90/" \
+ -e "s/\(SYS_GID_MIN\s\+\)[0-9]\+/\1 1/" \
+ -e "s/\(SYS_GID_MAX\s\+\)[0-9]\+/\1 90/" \
+ -i /etc/login.defs
 }
diff --git a/stage4/pkg/dbus b/stage4/pkg/dbus
index 823ca80..58f7e56 100644
--- a/stage4/pkg/dbus
+++ b/stage4/pkg/dbus
@@ -2,9 +2,9 @@
 
 hvconfig_pre()
 {
- hv_groupadd -g 18 messagebus
- hv_useradd -c D-BUS-Message-Daemon-User -d /dev/null \
- -u 18 -g messagebus -s /bin/false messagebus
+ groupadd --system -f messagebus
+ hv_useradd --system -c D-BUS-Message-Daemon-User -d /dev/null \
+ -g messagebus -s /bin/false messagebus
 
 CONFIGURE_OPTS="\
 ${CONFIGURE_OPTS} \
diff --git a/stage5/pkg/apache b/stage5/pkg/apache
index 8b6e66a..4e8c1dc 100644
--- a/stage5/pkg/apache
+++ b/stage5/pkg/apache
@@ -32,9 +32,9 @@ hvconfig_pre()
 
 EOF
 
- groupadd -f ${HTTPD_USER}
- hv_useradd -c WebServer -d /dev/null -g ${HTTPD_USER} -s /bin/false \
- ${HTTPD_USER}
+ groupadd --system -f ${HTTPD_USER}
+ hv_useradd --system -c WebServer -d /dev/null -g ${HTTPD_USER} \
+ -s /bin/false ${HTTPD_USER}
 
 CONFIGURE_OPTS=" \
 --enable-layout=FHS \
diff --git a/stage5/pkg/clamav b/stage5/pkg/clamav
index 35d988a..be12b2d 100644
--- a/stage5/pkg/clamav
+++ b/stage5/pkg/clamav
@@ -2,8 +2,8 @@
 
 hvconfig_pre()
 {
- groupadd -f clamav
- hv_useradd -g clamav -s /bin/false -c Clam-AntiVirus clamav
+ groupadd --system -f clamav
+ hv_useradd --system -g clamav -s /bin/false -c Clam-AntiVirus clamav
 
 # Is this really necessary?
 export SENDMAIL="/usr/sbin/sendmail"
diff --git a/stage5/pkg/cups b/stage5/pkg/cups
index fc5c0d6..a13f539 100644
--- a/stage5/pkg/cups
+++ b/stage5/pkg/cups
@@ -2,7 +2,8 @@
 
 hvconfig_pre()
 {
- hv_useradd -c "Print_Service_User" -d /dev/null -g lp -s /bin/false -u 9 lp
+ hv_useradd --system -c "Print_Service_User" -d /dev/null -g lp \
+ -s /bin/false lp
 
 CONFIGURE_OPTS="--libdir=/usr/lib --enable-pdftops"
 }
diff --git a/stage5/pkg/lighttpd b/stage5/pkg/lighttpd
index d5ded9f..33ab3c7 100644
--- a/stage5/pkg/lighttpd
+++ b/stage5/pkg/lighttpd
@@ -2,9 +2,9 @@
 
 hvconfig_pre()
 {
- groupadd -f ${HTTPD_USER}
- hv_useradd -c WebServer -d /dev/null -g ${HTTPD_USER} -s /bin/false \
- ${HTTPD_USER}
+ groupadd --system -f ${HTTPD_USER}
+ hv_useradd --system -c WebServer -d /dev/null -g ${HTTPD_USER} \
+ -s /bin/false ${HTTPD_USER}
 }
 
 hvbuild_post()
diff --git a/stage5/pkg/qemu b/stage5/pkg/qemu
index 296e35b..51167b3 100644
--- a/stage5/pkg/qemu
+++ b/stage5/pkg/qemu
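Review bot: The cups hunk is the only service-account change in this commit that does not precede hv_useradd with a `groupadd --system -f` guard; it depends on the `lp` group written by stage1/create-groups (now GID 8), which works but is undocumented at the call site. A one-line comment, `# group 'lp' is created by stage1/create-groups`, records that dependency. Dropping `-u 9` also means the lp user's UID is presumably now taken from the SYS_UID range the shadow package configures, which that comment could note so nobody reintroduces a fixed UID.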
@@ -4,7 +4,7 @@ hvbuild_post()
 {
 [ -e /usr/lib/libcacard.so ] && chmod -v 755 /usr/lib/libcacard.so
 
- hv_groupadd kvm
+ groupadd --system -f kvm
 
 # Add a Udev rule so that the KVM device gets correct permissions:
 install -v -m644 ${SCRDIR}/misc/kvm-udev.rules \
diff --git a/stage5/pkg/sane-backends b/stage5/pkg/sane-backends
index 260dc6b..689970b 100644
--- a/stage5/pkg/sane-backends
+++ b/stage5/pkg/sane-backends
@@ -11,10 +11,10 @@ hvconfig_pre()
 fi
 
 # Add group for UDEV rules
- hv_groupadd scanner
+ groupadd --system -f scanner
 
- hv_groupadd saned
- hv_useradd -c saned -d /dev/null -g saned -s /bin/false saned
+ groupadd --system -f saned
+ hv_useradd --system -c saned -d /dev/null -g saned -s /bin/false saned
 
 # Fixes an obsolete udev parameter:
 sed -i 's/SYSFS/ATTRS/g' ${LFS_TMP}/${PACKAGE}/tools/sane-desc.c
diff --git a/stage5/pkg/subversion b/stage5/pkg/subversion
index e3a0bbe..5aef25a 100644
--- a/stage5/pkg/subversion
+++ b/stage5/pkg/subversion
@@ -4,8 +4,9 @@ SVN_USER=svn
 
 hvconfig_pre()
 {
- groupadd -f ${SVN_USER}
- hv_useradd -c SvnServer -d /dev/null -g ${SVN_USER} -s /bin/false ${SVN_USER}
+ groupadd --system -f ${SVN_USER}
+ hv_useradd --system -c SvnServer -d /dev/null -g ${SVN_USER} \
+ -s /bin/false ${SVN_USER}
 }
 
 hvbuild_post()