PATCH 4: Use a dedicated user for the Systemd service

Related: #1982642

galera.spec

@@ -18,6 +18,7 @@ Source2:        garbd-wrapper
 Patch0:         cmake_paths.patch
 
 BuildRequires:  boost-devel check-devel openssl-devel cmake systemd gcc-c++ asio-devel
+Requires(pre):  /usr/sbin/useradd
 Requires:       nmap-ncat
 
 %{?systemd_requires}
@@ -78,6 +79,33 @@ sed -i 's;/usr/bin/garb-systemd;/usr/sbin/garb-systemd;g' %{buildroot}/usr/lib/s
 #     In the wrapper script:
 sed -i 's;/usr/bin/garbd;/usr/sbin/garbd;g' %{buildroot}/usr/sbin/garb-systemd
 
+# PATCH 4:
+#  Use a dedicated user for the Systemd service
+#  To fix an security issue reported by Systemd:
+#
+## systemd[1]: /usr/lib/systemd/system/garb.service:14: Special user nobody configured, this is not safe!
+##   Subject: Special user nobody configured, this is not safe!
+##   Defined-By: systemd
+##   Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
+##   Documentation: https://systemd.io/UIDS-GIDS
+##
+##   The unit garb.service is configured to use User=nobody.
+##
+##   This is not safe. The nobody user's main purpose on Linux-based
+##   operating systems is to be the owner of files that otherwise cannot be mapped
+##   to any local user. It's used by the NFS client and Linux user namespacing,
+##   among others. By running a unit's processes under the identity of this user
+##   they might possibly get read and even write access to such files that cannot
+##   otherwise be mapped.
+##
+##   It is strongly recommended to avoid running services under this user identity,
+##   in particular on systems using NFS or running containers. Allocate a user ID
+##   specific to this service, either statically via systemd-sysusers or dynamically
+##   via the DynamicUser= service setting.
+sed -i 's/User=nobody/User=garb/g' %{buildroot}/usr/lib/systemd/system/garbd.service
+
+%pre
+/usr/sbin/useradd -M -r -d /dev/null -s /sbin/nologin -c "Galera Arbitrator Daemon" garb >/dev/null 2>&1 || :
 
 %post
 /sbin/ldconfig