From nobody Mon Sep 8 21:35:45 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 173825054101039.861884588269504; Thu, 30 Jan 2025 07:22:21 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 763E21C58; Thu, 30 Jan 2025 10:22:20 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 488F51C27; Thu, 30 Jan 2025 10:21:43 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id F325C1B2C; Thu, 30 Jan 2025 10:21:37 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 79DF21B23 for ; Thu, 30 Jan 2025 10:21:37 -0500 (EST) Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-218-bp3cSXu0N5us4BsPL5E19A-1; Thu, 30 Jan 2025 10:21:35 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 0CDF319560BA for ; Thu, 30 Jan 2025 15:21:35 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.184]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0D702180035E; Thu, 30 Jan 2025 15:21:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1738250497; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8eTsNyTobsF8j0jIeTwOcPXWRHcGoQjIazie94ZOoTU=; b=YrpeND8XQisM2Fa2ft5S9/pTVhV17XAJb0r7RdbPX5L/uTWJPPsQ59BR2iV/el/STNxmic Nw4bOQPgowuQm3RTYvGDOhGnZlEwmMWx/XePBzj7Aq+A5qetSbrdDGgukvq024jb+A3WnR kJQp05bVEhtDwCunQtcAaDVmeTjjuQQ= X-MC-Unique: bp3cSXu0N5us4BsPL5E19A-1 X-Mimecast-MFC-AGG-ID: bp3cSXu0N5us4BsPL5E19A From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: devel@lists.libvirt.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 1/2] tools: add sysusers file to create 'virtlogin' group Date: Thu, 30 Jan 2025 15:21:30 +0000 Message-ID: <20250130152131.1633072-2-berrange@redhat.com> In-Reply-To: <20250130152131.1633072-1-berrange@redhat.com> References: <20250130152131.1633072-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: cHd8t1reB7zBKw5jshVSQ2zuXXklNlGYJYzCbZZqGoY_1738250495 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: WKS4C465MWZHCFBUK6SCOTX342AN4HKT X-Message-ID-Hash: WKS4C465MWZHCFBUK6SCOTX342AN4HKT X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1738250541660019000 Content-Type: text/plain; charset="utf-8" We previously added a sysusers file, but missed the 'virtlogin' group. This group is used to make the virt-login-shell binary setgid, so we shoudl be registering that too. It must be done in a separate sysusers file, however, since it is packaged separately from the daemons. Fixes: a2c3e390f7bedf36f4ddc544d09fe3b8772c5c6f Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Jiri Denemark --- libvirt.spec.in | 3 +++ tools/libvirt-login-shell.sysusers.conf | 1 + tools/meson.build | 7 +++++++ 3 files changed, 11 insertions(+) create mode 100644 tools/libvirt-login-shell.sysusers.conf diff --git a/libvirt.spec.in b/libvirt.spec.in index 5c5d36966d..5825de7cf1 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1095,6 +1095,8 @@ Wireshark dissector plugin for better analysis of lib= virt RPC traffic. %package login-shell Summary: Login shell for connecting users to an LXC container Requires: libvirt-libs =3D %{version}-%{release} +# For uid creation during pre +Requires(pre): shadow-utils =20 %description login-shell Provides the set-uid virt-login-shell binary that is used to @@ -2533,6 +2535,7 @@ exit 0 %attr(4750, root, virtlogin) %{_bindir}/virt-login-shell %{_libexecdir}/virt-login-shell-helper %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf +%{_sysusersdir}/libvirt-login-shell.conf %{_mandir}/man1/virt-login-shell.1* %endif =20 diff --git a/tools/libvirt-login-shell.sysusers.conf b/tools/libvirt-login-= shell.sysusers.conf new file mode 100644 index 0000000000..5459fd99ce --- /dev/null +++ b/tools/libvirt-login-shell.sysusers.conf @@ -0,0 +1 @@ +g virtlogin - diff --git a/tools/meson.build b/tools/meson.build index 3f4e2a3c4b..4d5c9e4bba 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -123,6 +123,13 @@ if conf.has('WITH_LOGIN_SHELL') ) =20 install_data('virt-login-shell.conf', install_dir: sysconfdir / 'libvirt= ') + + # Install the sysuser config for the setgid binary + install_data( + 'libvirt-login-shell.sysusers.conf', + install_dir: sysusersdir, + rename: [ 'libvirt-login-shell.conf' ], + ) endif =20 if host_machine.system() =3D=3D 'windows' --=20 2.47.1 From nobody Mon Sep 8 21:35:45 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1738250563687932.7109536547339; Thu, 30 Jan 2025 07:22:43 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 852CF1BE5; Thu, 30 Jan 2025 10:22:43 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 4C33B1C20; Thu, 30 Jan 2025 10:21:45 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id B567E1B24; Thu, 30 Jan 2025 10:21:39 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 2D00B1B24 for ; Thu, 30 Jan 2025 10:21:39 -0500 (EST) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-645-OAqs6hELPou24q4mFI05MA-1; Thu, 30 Jan 2025 10:21:37 -0500 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 915F319560B9 for ; Thu, 30 Jan 2025 15:21:36 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.184]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8720918008C0; Thu, 30 Jan 2025 15:21:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1738250498; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xTnSKSz/k/hmAmi6NIwFsGLn5SsNfTtdr9L/rY0G0KI=; b=c7995tP1js51Ni05+c+FwXme1RCnQjVLBD4F558civj1w6oHdtKU7nmd9BfUG+IlJQrG8W g4k86kqYS5sXZLu+1sbOnQPbI5KJqcqHnwfjkAKQikitGyPRTlQfv71aRgOhJS5KApRgX+ WsI9lhpQvN0Y9KhgnaADCjpDpx+Qg5Y= X-MC-Unique: OAqs6hELPou24q4mFI05MA-1 X-Mimecast-MFC-AGG-ID: OAqs6hELPou24q4mFI05MA From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: devel@lists.libvirt.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 2/2] rpm: disable account creation for Fedora >= 42 Date: Thu, 30 Jan 2025 15:21:31 +0000 Message-ID: <20250130152131.1633072-3-berrange@redhat.com> In-Reply-To: <20250130152131.1633072-1-berrange@redhat.com> References: <20250130152131.1633072-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: g64gRgmrs8hXdkaMhUBHc3D7tT9V98nxHyiHrVP_M9c_1738250496 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: 5Z7VY6S65NUT2OITXWKSWSOFRWHEUYVS X-Message-ID-Hash: 5Z7VY6S65NUT2OITXWKSWSOFRWHEUYVS X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1738250565519019000 Content-Type: text/plain; charset="utf-8" In Fedora >=3D 42, support for user/group account creation based on sysusers files has been enabled in RPM. Manually running useradd/ groupadd is thus obsolete. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Jiri Denemark --- libvirt.spec.in | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index 5825de7cf1..be91fa6bb4 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -44,6 +44,12 @@ %define with_qemu_kvm 0 %endif =20 +%if 0%{?fedora} >=3D 42 + %define with_account_add 0 +%else + %define with_account_add 1 +%endif + %define with_qemu_tcg %{with_qemu} =20 # RHEL disables TCG on all architectures @@ -535,8 +541,10 @@ Requires(posttrans): /usr/bin/systemctl Requires(preun): /usr/bin/systemctl # libvirtd depends on 'messagebus' service Requires: dbus +%if %{with_account_add} # For uid creation during pre Requires(pre): shadow-utils +%endif # Needed by /usr/libexec/libvirt-guests.sh script. %if 0%{?fedora} Requires: gettext-runtime @@ -1095,8 +1103,10 @@ Wireshark dissector plugin for better analysis of li= bvirt RPC traffic. %package login-shell Summary: Login shell for connecting users to an LXC container Requires: libvirt-libs =3D %{version}-%{release} +%if %{with_account_add} # For uid creation during pre Requires(pre): shadow-utils +%endif =20 %description login-shell Provides the set-uid virt-login-shell binary that is used to @@ -1796,10 +1806,12 @@ export VIR_TEST_DEBUG=3D1 %pre daemon-common %libvirt_sysconfig_pre libvirt-guests %libvirt_systemd_oneshot_pre libvirt-guests +%if %{with_account_add} # 'libvirt' group is just to allow password-less polkit access to libvirt # daemons. The uid number is irrelevant, so we use dynamic allocation. getent group libvirt >/dev/null || groupadd -r libvirt exit 0 +%endif =20 %posttrans daemon-common %libvirt_sysconfig_posttrans libvirt-guests @@ -1922,6 +1934,7 @@ exit 0 %libvirt_sysconfig_pre virtqemud %libvirt_systemd_unix_pre virtqemud =20 +%if %{with_account_add} # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name. # See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGr= oups/ @@ -1937,6 +1950,7 @@ if ! getent passwd 'qemu' >/dev/null; then fi fi exit 0 +%endif =20 %posttrans daemon-driver-qemu %libvirt_sysconfig_posttrans virtqemud @@ -2063,8 +2077,10 @@ done =20 %if %{with_lxc} %pre login-shell +%if %{with_account_add} getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 +%endif %endif %endif =20 --=20 2.47.1