diff --git a/meson.build b/meson.build
index 0b136529e3..3634ce0a3c 100644
--- a/meson.build
+++ b/meson.build
@@ -793,12 +793,37 @@ endif
 conf.set_quoted('NOBODY_USER_NAME', nobody_user)
 conf.set_quoted('NOBODY_GROUP_NAME', nobody_group)
 
-tty_gid = get_option('tty-gid')
-conf.set('TTY_GID', tty_gid)
+static_ugids = []
+foreach option : ['adm-gid',
+ 'audio-gid',
+ 'cdrom-gid',
+ 'dialout-gid',
+ 'disk-gid',
+ 'input-gid',
+ 'kmem-gid',
+ 'kvm-gid',
+ 'lp-gid',
+ 'render-gid',
+ 'sgx-gid',
+ 'tape-gid',
+ 'tty-gid',
+ 'users-gid',
+ 'utmp-gid',
+ 'video-gid',
+ 'wheel-gid',
+ 'systemd-journal-gid',
+ 'systemd-network-uid',
+ 'systemd-resolve-uid',
+ 'systemd-timesync-uid']
+ name = option.underscorify().to_upper()
+ val = get_option(option)
 
-# Ensure provided GID argument is numeric, otherwise fall back to default assignment
-users_gid = get_option('users-gid')
-conf.set('USERS_GID', users_gid < 0 ? '-' : users_gid)
+ # Ensure provided GID argument is numeric, otherwise fall back to default assignment
+ conf.set(name, val >= 0 ? val : '-')
+ if val >= 0
+ static_ugids += '@0@:@1@'.format(option, val)
+ endif
+endforeach

 conf.set10('ENABLE_ADM_GROUP', get_option('adm-group'))
 conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
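Review bot: `conf.set(name, val >= 0 ? val : '-')` accepts 0, so `-Dwheel-gid=0` or `-Dsystemd-network-uid=0` silently renders a sysusers line that hands root's ID to that group or user, and nothing bounds the value to the system range that the status block further down reports through `conf.get('SYSTEM_UID_MAX')` and `conf.get('SYSTEM_GID_MAX')`; a soft-static ID above that range lands in the space used for login accounts. Reject 0 and out-of-range values at configure time, picking the bound by the option suffix; this assumes the SYSTEM_*_MAX entries are already in `conf` when the loop runs, which the hunk does not show. The comment copied into the loop, `# Ensure provided GID argument is numeric, otherwise fall back to default assignment`, no longer matches either: the option type already guarantees an integer, the loop now covers UIDs as well, and the test is for the `-1` sentinel, so something like `# -1 (the default) leaves the ID to sysusers; anything else is a soft-static allocation` says what the line does.
```meson
        val = get_option(option)
        # 0 is root and anything above the system range collides with login
        # accounts, so refuse both instead of rendering them into sysusers.d.
        id_max = option.endswith('-uid') ? conf.get('SYSTEM_UID_MAX') : conf.get('SYSTEM_GID_MAX')
        if val == 0 or val > id_max
                error('@0@ must be in the system ID range 1…@1@, got @2@'.format(option, id_max, val))
        endif
        # … unchanged: conf.set(name, …) and static_ugids bookkeeping …
```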
@@ -3713,14 +3738,13 @@ status = [
 'extra start script: @0@'.format(get_option('rc-local')),
 'debug shell: @0@ @ @1@'.format(get_option('debug-shell'),
 get_option('debug-tty')),
- 'TTY GID: @0@'.format(tty_gid),
- 'users GID: @0@'.format(conf.get('USERS_GID')),
 'system UIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_UID_MAX'),
 conf.get('SYSTEM_ALLOC_UID_MIN')),
 'system GIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_GID_MAX'),
 conf.get('SYSTEM_ALLOC_GID_MIN')),
 'dynamic UIDs: @0@…@1@'.format(dynamic_uid_min, dynamic_uid_max),
 'container UID bases: @0@…@1@'.format(container_uid_base_min, container_uid_base_max),
+ 'static UID/GID allocations: @0@'.format(' '.join(static_ugids)),
 '/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
 'render group access mode: @0@'.format(get_option('group-render-mode')),
 'certificate root directory: @0@'.format(get_option('certificate-root')),
diff --git a/meson_options.txt b/meson_options.txt
index fc58e888d9..5048de755d 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -204,6 +204,7 @@ option('status-unit-format-default', type : 'combo',
 description : 'use unit name or description in messages by default')
 option('time-epoch', type : 'integer', value : '-1',
 description : 'time epoch for time clients')
+
 option('system-alloc-uid-min', type : 'integer', value : '-1',
 description : 'minimum system UID used when allocating')
 option('system-alloc-gid-min', type : 'integer', value : '-1',
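Review bot: `' '.join(static_ugids)` yields an empty string when no soft-static ID was configured, so the configure summary prints `static UID/GID allocations:` with nothing after it and a reader cannot tell whether the line was cut off or the list is empty. An explicit marker is a one-line change: `'static UID/GID allocations: @0@'.format(static_ugids.length() > 0 ? ' '.join(static_ugids) : '(none)'),`. The `status` list this entry belongs to starts outside the hunk.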
@@ -220,10 +221,6 @@ option('container-uid-base-min', type : 'integer', value : 0x00080000,
 description : 'minimum container UID base')
 option('container-uid-base-max', type : 'integer', value : 0x6FFF0000,
 description : 'maximum container UID base')
-option('tty-gid', type : 'integer', value : 5,
- description : 'the numeric GID of the "tty" group')
-option('users-gid', type : 'integer', value : '-1',
- description : 'the numeric GID of the "users" group')
 option('adm-group', type : 'boolean',
 description : 'the ACL for adm group should be added')
 option('wheel-group', type : 'boolean',
@@ -234,6 +231,49 @@ option('nobody-user', type : 'string',
 option('nobody-group', type : 'string',
 description : 'The name of the nobody group (the one with GID 65534)',
 value : 'nobody')
+option('adm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "adm" group')
+option('audio-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "audio" group')
+option('cdrom-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "cdrom" group')
+option('dialout-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "dialout" group')
+option('disk-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "disk" group')
+option('input-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "input" group')
+option('kmem-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kmem" group')
+option('kvm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kvm" group')
+option('lp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "lp" group')
+option('render-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "render" group')
+option('sgx-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "sgx" group')
+option('tape-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "tape" group')
+option('tty-gid', type : 'integer', value : 5,
+ description : 'the numeric GID of the "tty" group')
+option('users-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "users" group')
+option('utmp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "utmp" group')
+option('video-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "video" group')
+option('wheel-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "wheel" group')
+option('systemd-journal-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-journal group')
+option('systemd-network-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-network user')
+option('systemd-resolve-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-resolve user')
+option('systemd-timesync-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-timesync user')
+
 option('dev-kvm-mode', type : 'string', value : '0666',
 description : '/dev/kvm access mode')
 option('group-render-mode', type : 'string', value : '0666',
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 9da0251421..8cc1a7cad2 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
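Review bot: `tty-gid` keeps its old description `'the numeric GID of the "tty" group'` and default `5` while the twenty options around it read `'soft-static allocation for the "…" group'` with `-1`, so the one option whose value is always rendered statically is the one whose text does not say so; describe it the same way, e.g. `description : 'soft-static allocation for the "tty" group (5 unless overridden)'`. None of the descriptions states that `-1` leaves the ID to sysusers or that the value has to be a free system-range ID, and since these strings are what `meson configure` shows, that is where a packager will look before choosing a number. The option list here must also stay in lockstep with the `foreach` in meson.build that consumes it; a short comment above the block naming that dependency would save the next person from adding an option that is silently ignored.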
@@ -12,28 +12,28 @@ u root 0 "Super User" /root
 u {{NOBODY_USER_NAME}} 65534 "Nobody" -

 # Administrator group: can *see* more than normal users
-g adm - - -
+g adm {{ADM_GID }} - -

 # Administrator group: can *do* more than normal users
-g wheel - - -
+g wheel {{WHEEL_GID }} - -
 
-# Access to certain kernel and userspace facilities
-g kmem - - -
-g tty {{TTY_GID}} - -
-g utmp - - -
+# Access to shared database of users on the system
+g utmp {{UTMP_GID }} - -
 
-# Hardware access groups
-g audio - - -
-g cdrom - - -
-g dialout - - -
-g disk - - -
-g input - - -
-g kvm - - -
-g lp - - -
-g render - - -
-g sgx - - -
-g tape - - -
-g video - - -
+# Physical and virtual hardware access groups
+g audio {{AUDIO_GID }} - -
+g cdrom {{CDROM_GID }} - -
+g dialout {{DIALOUT_GID}} - -
+g disk {{DISK_GID }} - -
+g input {{INPUT_GID }} - -
+g kmem {{KMEM_GID }} - -
+g kvm {{KVM_GID }} - -
+g lp {{LP_GID }} - -
+g render {{RENDER_GID }} - -
+g sgx {{SGX_GID }} - -
+g tape {{TAPE_GID }} - -
+g tty {{TTY_GID }} - -
+g video {{VIDEO_GID }} - -

 # Default group for normal users
-g users {{USERS_GID}} - -
+g users {{USERS_GID }} - -
diff --git a/sysusers.d/systemd.conf.in b/sysusers.d/systemd.conf.in
index 9905eb596c..9941ef8ef4 100644
--- a/sysusers.d/systemd.conf.in
+++ b/sysusers.d/systemd.conf.in
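Review bot: The ID column is aligned by padding inside the Jinja delimiters (`{{ADM_GID }}`, `{{LP_GID }}`, `{{TTY_GID }}`), which makes the template depend on the renderer tolerating whitespace before `}}`, and the alignment does not survive rendering anyway because the substituted values differ in width (`-` versus a multi-digit GID). Write the placeholders as plain `{{ADM_GID}}`, as the systemd.conf.in lines in this same commit do, or pad outside the braces; the rendered output is identical and both templates then follow one convention. Whether the render script accepts the padded form is not visible in this diff — Jinja2 normally does, but confirm before relying on it.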
@@ -5,18 +5,18 @@
 # the Free Software Foundation; either version 2.1 of the License, or
 # (at your option) any later version.
 
-g systemd-journal - -
+g systemd-journal {{SYSTEMD_JOURNAL_GID}} -
 {% if ENABLE_NETWORKD %}
-u systemd-network - "systemd Network Management"
+u systemd-network {{SYSTEMD_NETWORK_UID}} "systemd Network Management"
 {% endif %}
 {% if ENABLE_OOMD %}
 u systemd-oom - "systemd Userspace OOM Killer"
 {% endif %}
 {% if ENABLE_RESOLVE %}
-u systemd-resolve - "systemd Resolver"
+u systemd-resolve {{SYSTEMD_RESOLVE_UID}} "systemd Resolver"
 {% endif %}
 {% if ENABLE_TIMESYNCD %}
-u systemd-timesync - "systemd Time Synchronization"
+u systemd-timesync {{SYSTEMD_TIMESYNC_UID}} "systemd Time Synchronization"
 {% endif %}
 {% if ENABLE_COREDUMP %}
 u systemd-coredump - "systemd Core Dumper"
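Review bot: Giving `u systemd-network` a bare numeric ID through `{{SYSTEMD_NETWORK_UID}}` fixes only the UID; sysusers derives the user's primary group from the same line, and when the plain `uid` form rather than `uid:gid` is used the group's number is not pinned by this template, so a packager who expects `-Dsystemd-network-uid=N` to yield matching UID and GID N may end up with a different GID, or with a conflict if N is already taken as a group, discovered at first boot rather than at configure time. `systemd-resolve` and `systemd-timesync` on the following lines have the same exposure. Either state in the option descriptions that the number must be free as both a UID and a GID, or take a separate `-gid` value and render `uid:gid`. I am reading the group behaviour from sysusers.d semantics rather than from this diff — verify against the current implementation before changing the template.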