openssh: move users/groups creation logic to sysusers.d fragments

See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
2022-09-02 14:38:56 +00:00 · 2022-09-02 14:38:56 +00:00 · 26c275d66e
commit 26c275d66e
parent 42b22d9ad2
3 changed files with 16 additions and 10 deletions
--- a/openssh-server-systemd-sysusers.conf
+++ b/openssh-server-systemd-sysusers.conf
@ -0,0 +1,2 @@
 #Type Name ID  GECOS                     Home directory        Shell
 u     sshd 74  "Privilege-separated SSH" /usr/share/empty.sshd -
--- a/openssh-systemd-sysusers.conf
+++ b/openssh-systemd-sysusers.conf
@ -0,0 +1,2 @@
 #Type Name     ID
 g     ssh_keys 101
--- a/openssh.spec
+++ b/openssh.spec
@ -7,10 +7,6 @@
 %global _hardened_build 1
 # OpenSSH privilege separation requires a user & group ID
 %global sshd_uid    74
 %global sshd_gid    74
 # Do we want to disable building of gnome-askpass? (1=yes 0=no)
 %global no_gnome_askpass 0
@ -51,7 +47,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 3
+%global openssh_rel 4
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 7
@ -76,6 +72,8 @@ Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source15: sshd-keygen.target
 Source16: ssh-agent.service
 Source17: openssh-systemd-sysusers.conf
 Source18: openssh-server-systemd-sysusers.conf
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
 Patch100: openssh-6.7p1-coverity.patch
@ -583,6 +581,8 @@ install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
 install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/openssh.conf
 install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh-server.conf
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@ -608,13 +608,10 @@ popd
 %endif
 %pre
-getent group ssh_keys >/dev/null || groupadd -r -g 101 ssh_keys || :
+%sysusers_create_compat %{SOURCE17}
 %pre server
-getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
+%sysusers_create_compat %{SOURCE18}
 getent passwd sshd >/dev/null || \
  useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
  -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
 %post server
 %systemd_post sshd.service sshd.socket
@ -652,6 +649,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %attr(0644,root,root) %{_sysusersdir}/openssh.conf
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
@ -697,6 +695,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
 %attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
 %files keycat
 %doc HOWTO.ssh-keycat
@ -718,6 +717,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
 * Fri Sep 02 2022 Luca BRUNO <lucab@lucabruno.net> - 9.0p1-4
 - Move users/groups creation logic to sysusers.d fragments
 * Wed Aug 24 2022 Alexander Sosedkin <asosedkin@redhat.com> - 9.0p1-3
 - State in manpages that HostbasedAcceptedAlgorithms is set by crypto-policies
		`@ -0,0 +1,2 @@`
							`#Type Name ID GECOS Home directory Shell`
							`u sshd 74 "Privilege-separated SSH" /usr/share/empty.sshd -`