feat: Optional non-root daemon user

Two new build options, 'user' and 'group' can be used to configure a
non-root user account to run the system yggdrasil service. The value
of both of these options default to 'yggdrasil'. This value is used
to customize the D-Bus policy, systemd unit User= and Group=
directive values, and a systemd-sysuser template.

Signed-off-by: Link Dupont <[email protected]>

data/dbus/meson.build

@@ -6,6 +6,10 @@ configure_file(
   install_dir: dbus.get_variable(pkgconfig: 'system_bus_services_dir')
 )
 
-install_data('yggd.conf',
+configure_file(
+  configuration: config_data,
+  input: 'yggd.conf.in',
+  output: '@BASENAME@',
+  install: true,
   install_dir: join_paths(dbus.get_variable(pkgconfig: 'datadir'), 'dbus-1', 'system.d')
 )

data/dbus/yggd.conf.in

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "https://dbus.freedesktop.org/doc/busconfig.dtd">
+<busconfig>
+  <policy user="@user@">
+    <!-- Only @user@ can own the Yggdrasil1 destination name. -->
+    <allow own="com.redhat.Yggdrasil1" />
+
+    <!-- Only @user@ can own the Dispatcher1 destination name. -->
+    <allow own="com.redhat.Yggdrasil1.Dispatcher1" />
+  </policy>
+
+  <policy group="@worker_user@">
+    <!-- Only members of the @worker_user@ group can send messages to
+    Dispatcher1 destination. -->
+    <allow send_destination="com.redhat.Yggdrasil1.Dispatcher1" />
+  </policy>
+
+  <policy context="default">
+    <!-- Anyone can send messages to the Yggdrasil1 destination. -->
+    <allow send_destination="com.redhat.Yggdrasil1" />
+  </policy>
+</busconfig>

data/meson.build

@@ -2,3 +2,13 @@ subdir('completion')
 subdir('dbus')
 subdir('systemd')
 subdir('yggdrasil')
+
+pkg = import('pkgconfig')
+pkg.generate(
+  name: meson.project_name(),
+  description: 'Remote data transmission and processing client',
+  variables: [
+    'user='+get_option('user'),
+    'worker_user='+get_option('worker_user'),
+  ],
+)

data/systemd/meson.build

@@ -1,2 +1,12 @@
 subdir('system')
 subdir('user')
+
+systemd_sysusers_dir = systemd.get_variable(pkgconfig: 'sysusersdir')
+
+configure_file(
+  configuration: config_data,
+  input: 'yggdrasil-sysuser.conf.in',
+  output: 'yggdrasil.conf',
+  install: true,
+  install_dir: systemd_sysusers_dir,
+)

data/systemd/system/yggdrasil-bus@.service → data/systemd/system/yggdrasil-bus@.service.in

@@ -5,6 +5,7 @@ Requires=yggdrasil-bus@%i.socket
 
 [Service]
 Type=notify
+User=@user@
 Environment=DBUS_SESSION_BUS_ADDRESS=unix:abstract=yggd_%i
 ExecStart=/usr/bin/dbus-broker-launch --scope user
 ExecReload=/usr/bin/busctl --address=unix:abstract=yggd_%i call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig

data/systemd/system/yggdrasil.service.in

@@ -6,6 +6,7 @@ Requires=network-online.target
 
 [Service]
 Type=dbus
+User=@user@
 BusName=com.redhat.Yggdrasil1
 NotifyAccess=main
 WatchdogSec=300

data/systemd/system/yggdrasil@.service.in

@@ -6,6 +6,7 @@ Requires=network-online.target yggdrasil-bus@%i.service
 
 [Service]
 Type=notify
+User=@user@
 NotifyAccess=main
 WatchdogSec=300
 Environment=DBUS_SESSION_BUS_ADDRESS=unix:abstract=yggd_%i

data/systemd/yggdrasil-sysuser.conf.in

@@ -0,0 +1,4 @@
+#Type Name            ID   GECOS                   Home directory             Shell
+u     @user@          -    "yggdrasil system user" @sharedstatedir@/yggdrasil -
+u     @worker_user@   -    "yggdrasil worker user" -                          -
+m     @user@          @worker_user@

dist/srpm/yggdrasil.spec.in

@@ -66,6 +66,14 @@ BuildRequires:  golang >= 1.18
 
 %description %{common_description}
 
+%package devel
+Summary:        %{name} development files
+
+%description devel
+%{common_description}
+
+Contains files needed for yggdrasil worker development.
+
 %if %{has_go_rpm_macros}
 %gopkg
 %endif
@@ -113,6 +121,7 @@ export %gomodulesmode
 %config(noreplace) %{_sysconfdir}/%{name}
 %{_unitdir}/*
 %{_userunitdir}/*
+%{_sysusersdir}/*
 %{_datadir}/bash-completion/completions/*
 %{_datadir}/dbus-1/{interfaces,system-services,system.d}/*
 %{_datadir}/doc/%{name}/*
@@ -121,3 +130,6 @@ export %gomodulesmode
 %if %{has_go_rpm_macros}
 %gopkgfiles
 %endif
+
+%files devel
+%{_libdir}/pkgconfig/*.pc

meson.build

@@ -29,7 +29,11 @@ config_data = configuration_data({
   'bindir': join_paths(get_option('prefix'), get_option('bindir')),
   'sbindir': join_paths(get_option('prefix'), get_option('sbindir')),
   'configdir': join_paths(get_option('sysconfdir'), meson.project_name()),
-  'libexecdir': join_paths(get_option('prefix'), get_option('libexecdir'))
+  'libexecdir': join_paths(get_option('prefix'), get_option('libexecdir')),
+  'localstatedir': join_paths(get_option('prefix'), get_option('localstatedir')),
+  'sharedstatedir': join_paths(get_option('prefix'), get_option('sharedstatedir')),
+  'user': get_option('user'),
+  'worker_user': get_option('worker_user'),
 })
 
 subdir('cmd/yggctl')
@@ -49,7 +53,9 @@ summary(
     'default_data_host': get_option('default_data_host'),
     'default_path_prefix': get_option('default_path_prefix'),
     'vendor': get_option('vendor'),
-    'examples': get_option('examples')
+    'examples': get_option('examples'),
+    'user': get_option('user'),
+    'worker_user': get_option('worker_user'),
   },
   section: 'Options'
 )

meson_options.txt

@@ -5,3 +5,5 @@ option('examples', type: 'boolean', value: false, description: 'Build and instal
 option('gobuildflags', type: 'array', value: ['-buildmode', 'pie'], description: 'Additional build flags to be passed to the Go compiler')
 option('goldflags', type: 'string', value: '', description: 'Additional linker flags to be passed to the Go compiler')
 option('build_srpm', type: 'boolean', value: false, description: 'Enable SRPM builds')
+option('user', type: 'string', value: 'yggdrasil', description: 'yggd system user name')
+option('worker_user', type: 'string', value: 'yggdrasil-worker', description: 'worker user name')

worker/echo/dbus/com.redhat.Yggdrasil1.Worker1.echo.conf.in

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "https://dbus.freedesktop.org/doc/busconfig.dtd">
+<busconfig>
+    <policy user="@worker_user@">
+        <!-- Only @worker_user@ can own the Worker1.echo name. -->
+        <allow own="com.redhat.Yggdrasil1.Worker1.echo" />
+
+        <!-- Only @worker_user@ can send messages to the Worker1 interface. -->
+        <allow send_destination="com.redhat.Yggdrasil1.Worker1.echo"
+            send_interface="com.redhat.Yggdrasil1.Worker1" />
+
+        <!-- Only @worker_user@ can send messages to the Properties interface. -->
+        <allow send_destination="com.redhat.Yggdrasil1.Worker1.echo"
+            send_interface="org.freedesktop.DBus.Properties" />
+
+        <!-- Only @worker_user@ can send messages to the Introspectable interface. -->
+        <allow send_destination="com.redhat.Yggdrasil1.Worker1.echo"
+            send_interface="org.freedesktop.DBus.Introspectable" />
+
+        <!-- Only @worker_user@ can send messages to the Peer interface. -->
+        <allow send_destination="com.redhat.Yggdrasil1.Worker1.echo"
+            send_interface="org.freedesktop.DBus.Peer" />
+    </policy>
+</busconfig>

worker/echo/com.redhat.Yggdrasil1.Worker1.echo.service.in → worker/echo/dbus/com.redhat.Yggdrasil1.Worker1.echo.service.in

@@ -1,4 +1,3 @@
 [D-BUS Service]
 Name=com.redhat.Yggdrasil1.Worker1.echo
-User=root
 Exec=@libexecdir@/yggdrasil/echo

worker/echo/dbus/meson.build

@@ -0,0 +1,15 @@
+configure_file(
+  configuration: config_data,
+  input: 'com.redhat.Yggdrasil1.Worker1.echo.service.in',
+  output: '@BASENAME@',
+  install: true,
+  install_dir: dbus.get_variable(pkgconfig: 'system_bus_services_dir')
+)
+
+configure_file(
+  configuration: config_data,
+  input: 'com.redhat.Yggdrasil1.Worker1.echo.conf.in',
+  output: '@BASENAME@',
+  install: true,
+  install_dir: join_paths(dbus.get_variable(pkgconfig: 'datadir'), 'dbus-1', 'system.d')
+)

worker/echo/meson.build

@@ -6,14 +6,5 @@ custom_target('echo',
   install_dir: join_paths(get_option('libexecdir'), meson.project_name())
 )
 
-configure_file(
-  configuration: config_data,
-  input: 'com.redhat.Yggdrasil1.Worker1.echo.service.in',
-  output: 'com.redhat.Yggdrasil1.Worker1.echo.service',
-  install: true,
-  install_dir: dbus.get_variable(pkgconfig: 'system_bus_services_dir')
-)
-
-install_data('com.redhat.Yggdrasil1.Worker1.echo.conf',
-  install_dir: join_paths(dbus.get_variable(pkgconfig: 'datadir'), 'dbus-1', 'system.d')
-)
+subdir('dbus')
+subdir('systemd')

worker/echo/systemd/com.redhat.Yggdrasil1.Worker1.echo.service.in

@@ -0,0 +1,13 @@
+[Unit]
+Description=yggdrasil echo worker service
+Documentation=https://github.com/RedHatInsights/yggdrasil
+
+[Service]
+Type=dbus
+User=@worker_user@
+Group=@worker_user@
+ExecStart=@libexecdir@/yggdrasil/echo
+BusName=com.redhat.Yggdrasil1.Worker1.echo
+
+[Install]
+WantedBy=multi-user.target

worker/echo/systemd/meson.build

@@ -0,0 +1,9 @@
+systemd_system_unit_dir = systemd.get_variable(pkgconfig: 'systemdsystemunitdir')
+
+configure_file(
+  configuration: config_data,
+  input: 'com.redhat.Yggdrasil1.Worker1.echo.service.in',
+  output: '@BASENAME@',
+  install: true,
+  install_dir: systemd_system_unit_dir,
+)